tracker issue : CF-4198716

select a category, or use search below
(searches all categories and all time range)

Cannot set CFCookie "Expires" default value

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/HaveNewInfo

Reporter/Name(from Bugbase): James Moberg / James Moberg ()

Created: 05/17/2017

Components: Language, Functions

Versions: 2016,11.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: 2016,0,03,300466 / CF2016HF7, CF11HF15

Priority/Frequency: Normal / Most users will encounter

Locale/System: / Unix All

Vote Count: 0

Problem Description: CFCookie's "Session Only" default value can only be configured via omission.  As an example, the CFHTTP multipartType default option is "form-data", but it can also be set to "form-data".  I think CFCookie is the only function to have a default parameter that can only be configured by not passing one.  (Which means that if I want to store the expires setting, I need to delete it before passing settings via attributeCollection.)

Steps to Reproduce:   Try to specifically denote the default "session only" by passing any parameter in an attempt to set it to the default.

Actual Result: Using "" (empty/blank) throws "Attribute validation error".  Using "0" will result failing to generate a cookie (immediate expire/now). Using any string will throw "The value session only cannot be converted to a number."

Expected Result:  Behave similarly to the RFC.  If the defined value isn't valid, fallback to "session only"... or provide a way (similar to the "now" & "never" keywords) to define "session only".

Any Workarounds:  Invalid "expires" cookie values set via CFHeader correctly fall back to "session only" in the browser.
<cfheader name="Set-Cookie" value="TimeVisited=#Now()#; expires=abc;">
CFCookie should accept anything and behave the same way. (If "expires" is not a date, number, "now" or "never", then fallback to "the default".)



This fix will be available in the upcoming ColdFusion updates as part of which the new value 'session' can specified as cfcookie expires attribute, with the behavior being same as omitting the expires attribute. As far as the other ask is concerned wrt invalid string values for 'expires' attribute falling back to default value instead of throwing an exception. Please raise an ER for the same since this would be a new behavior.   Thanks!
Comment by S P.
29678 | September 10, 2018 07:57:07 AM GMT
If this has been fixed, what version was it fixed in? If this has been fixed, what value needs to be passed in order for it to equal the "session only" default? Are you required to pass an empty string, the text "session only" or do any invalid values fall back to "the default"? (ie, if this is fixed, how do I test it to confirm.) After some testing w/ColdFusion 2016,0,11,314546, it looks like the "EXPIRES" parameter should be set to "SESSION" in order to reflect the default. Please update the official documentation so that other developers are aware of this.
Comment by James M.
31135 | August 20, 2019 10:21:14 PM GMT