tracker issue : CF-4199012

select a category, or use search below
(searches all categories and all time range)

Cookie-Processing not complaint to latest RFC

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/Workaround

Reporter/Name(from Bugbase): H. SCHERG / H. SCHERG ()

Created: 07/06/2017

Components: Tags, General

Versions: 2016,11.0,10.0,2018

Failure Type: Data Corruption

Found In Build/Fixed In Build: 310739 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: German / Win 2012 Server x64

Vote Count: 0

Problem Description:
ColdFusion 10 Update 23 

Using a cookies in a mixed application (CF and non CF applications, like enterprise portal or shop systems), we faced the problem, that CF does not handle some cookies correctly.

 CF seems to strip of the '=' character 

Due to latest RFC '=' should be a valid character in a cookie value text.

see: RFC 6265  Sect. 5.2
   4.  If the cookie-av string contains a %x3D ("=") character:

          The (possibly empty) attribute-name string consists of the
          characters up to, but not including, the first %x3D ("=")
          character, and the (possibly empty) attribute-value string
          consists of the characters after the first %x3D ("=")


          The attribute-name string consists of the entire cookie-av
          string, and the attribute-value string is empty.

This assumes that '=' characters in the value part (after the first '=' are valid characters).

Steps to Reproduce:

 can be reporoduced via any set cookie containing e.g. "=" at the end of the cookievalue.

1. send cookie mycookie=12345=  to CF application
2. read cookie in CF
3. cookie vlaue is  12345

Actual Result:

Expected Result:

read cookie value should be "12345="

Any Workarounds:

manual programming



Hi Scherg, Would like to clear a few queries around this issue: 1.Does this issue happen even with a simple cf application/page where we set the cookie? Or is it in a combination of cf & non-cf pages only? 2.Do you get any exceptions in coldfusion exception logs? In that case can you share the logs? Thanks!
Comment by S P.
526 | July 24, 2017 06:43:59 AM GMT
Hello, sorry for the delay. here are the answers to your questions: 1. No. If a cookie's value including "=" is set by coldfusion, it is encoded. It just happens, if such values are written by other applications. Coldfusion seems to use ListGetAt(cookie,2,"=") function to extract the value. 2. No, there are no exceptions/logs. The problem was detected while analyzing problems with "backend services".
Comment by H. S.
527 | August 24, 2017 03:33:59 PM GMT
Ideally you need to encode the cookies while setting it from javascript. And on the server side you can use the decoded cookie value.   Tomcat by default rejects such invalid characters in Cookie there by stripping it out the value. But RFC 6265 allows such strings there by when you enable RFC6265 cookie processor it would work. To make this work go to cfusion\runtime\conf\context.xml and comment the below <!--<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />–> This enables tomcat to use the RFC6265 cookie processing. To support some IE version browsers and not to break backward compatibility we have fallen back to legacy cookie processor.
Comment by Kailash B.
30725 | May 14, 2019 11:52:13 AM GMT