tracker issue : CF-4073906

select a category, or use search below
(searches all categories and all time range)

CF Crash (500 Internal Server Error) from Non-ASCII Cookie Character

| View in Tracker

Status/Resolution/Reason: Closed/Won't Fix/AsDesigned

Reporter/Name(from Bugbase): Alex Parsons / Alex Parsons (Alex Parsons)

Created: 10/14/2015

Components: Core Runtime

Versions: 11.0

Failure Type: Crash

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Critical / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 1

Problem Description:
In response to any request with a cookie containing a non-ASCII character, Cold Fusion 11 appears to crash and IIS returns an HTTP 500 Internal Server Error (blank white page).

Steps to Reproduce:
1) Download attached "test.txt" and rename to "test.cfml" in your Cold Fusion 11 server web root
2) Make a second copy of this file at "test.html"
3) Load either page and click the link, which via Javascript sets a cookie to "ñ" and reloads the page
4) Subsequently, the CFML page will return HTTP 500 (blank white page); the HTML page will display normally

Alternatively, run the following in Javascript console and attempt to load any CFML page:

Actual Result:
HTTP 500 Internal Server Error (blank white page).

Expected Result:
No errors.

Any Workarounds:
Clear cookies.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4073906

External Customer Info:
External Company:  
External Customer Name: Alex Parsons
External Customer Email:  
External Test Config: Windows Server 2012 R2 Standard

IIS 8.5

Cold Fusion 11

OS and applications are fully patched as of submission time.


  1. October 15, 2015 00:00:00: 1_test.txt


Full log entry from coldfusion-error.log: Sep 03, 2015 11:43:58 PM org.apache.coyote.ajp.AjpProcessor process SEVERE: Error processing request java.lang.IllegalArgumentException: Control character in cookie value or attribute. at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator( at org.apache.tomcat.util.http.Cookies.getTokenEndPosition( at org.apache.tomcat.util.http.Cookies.processCookieHeader( at org.apache.tomcat.util.http.Cookies.processCookies( at org.apache.tomcat.util.http.Cookies.getCookieCount( at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId( at org.apache.catalina.connector.CoyoteAdapter.postParseRequest( at org.apache.catalina.connector.CoyoteAdapter.service( at org.apache.coyote.ajp.AjpProcessor.process( at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process( at$ at java.util.concurrent.ThreadPoolExecutor.runWorker( at java.util.concurrent.ThreadPoolExecutor$ at org.apache.tomcat.util.threads.TaskThread$ at
Comment by External U.
5557 | October 22, 2015 02:00:09 PM GMT
This bug could be a big deal. JWPlayer doesn't encode caption labels using encodeURIComponent. Selecting "Español" causes it to be saved incorrectly without being encoded to "Espa%C3%B1ol". Any requests with the RFC6265 non-compliant cookie causes 500 errors with ColdFusion 10 & 11 (and unhappy visitors & upset ColdFusion developers.) More info (and sample code) at: This bug has been posted for 9 days... do any Adobe developers have any questions. New CF patches are going to be released within the next couple of weeks and it would be nice to have this bug reviewed and fixed.
Comment by External U.
5558 | October 23, 2015 11:42:05 AM GMT
Visitors like to see options in their own languages. JWPlayer just happens to save it incorrectly, but this shouldn't cause a 500 error with an enterprise server product. No workarounds other than adding an URL Rewrite regex rule based on non-ASCII cookies. Please fix ASAP as this could easily become a new test to determine if ColdFusion/Tomcat is being used.
Vote by External U.
5561 | October 23, 2015 11:44:17 AM GMT
Here's an IIS workaround to detect non-ASCII cookies and either redirect+clear or abort.
Comment by External U.
5559 | October 23, 2015 11:45:33 AM GMT
Is the Tomcat error message correct? I don't think "ñ" is an actual "control character" (a non-printing character that does not represent a written symbol).
Comment by External U.
5560 | October 23, 2015 11:48:43 AM GMT
Won't fix? As Designed? This is a strange response. If this invalid cookie is sent to any PHP website, the webpage loads normally... do it on ColdFusion website and you get a "bad request" 500 error. This occurs on CF2016 and possibly the upcoming 2018 beta (i haven't tried yet.) This issue was discussed on StackOverflow.
Comment by James M.
27581 | April 19, 2018 06:34:07 PM GMT
I downloaded latest versions of CF10, 2016 & 2018 beta using CommandBox using latest Firefox & Chrome and this cookie bug doesn't cause a "bad request" 500 error. (I also couldn't duplicate it w/Lucee.) So this bug may be restricted to Windows/IIS host environments... or the connector method used by CommandBox is immune to it. (Not sure.)
Comment by James M.
27582 | April 19, 2018 09:47:39 PM GMT