Anyone aware of any information regarding best practices for client-side cookie generation for ColdFusion/Lucee CFML?
I'm working on an admin tool and created a client-side cookie with an email address or two (for email testing). Upon the next page request using ColdFusion 2016-2021, only the content up to the first `@` character was available to ColdFusion. If I explicitly encode `@` to `%40` using `encodeURIComponent()`, the AT symbol is preserved. This data corruption bug doesn't exist when using Lucee, as the entire value is available without having to encode. (NOTE: This could be problematic, as code written for Lucee may lose data with Adobe ColdFusion if client-side cookies aren't encoded correctly.)
Past research on the parenthesis truncation issue (`a(b)c` becomes `a`) revealed that Adobe may not have configured Tomcat for RFC 6265 compliance by default and could still be using legacy cookie processing. Tomcat 8.0.15 (with better processing) was released in 11/2014. ColdFusion 2016, 2018 & 2021 are all using a version of Tomcat that supports it, but is it enabled? If not, would it be problematic to enable it? If not, how would it be enabled? Or is it possible that I'm ignoring a best practice when it comes to client-side cookie generation?
NOTE: I'm using the Florian cookie.js library. Here's my contribution for enabling it to generate ColdFusion-friendly cookies:
https://github.com/florian/cookie.js/issues/49
While testing using CommandBox 5.5.1, Adobe ColdFusion 2016-2021 returned all client-side cookies, but Lucee 5.3.9 (w/Java JRE 11.0.15) refused to acknowledge anything unless the cookie was created using CFCookie. I didn't see any difference in the browser's F12 developer tools (under Application | Storage | Cookies).
Anyone have any advice?
No encoding required:

| Code | Char |
|---|---|
| %23 | ## |
| %24 | $ |
| %26 | & |
| %2F | / |
| %5E | ^ |
| %60 | ` |
| %7C | \| |
Encoding required:

| Code | Char |
|---|---|
| %2B | + |
| %3A | : |
| %3C | < |
| %3D | = |
| %3E | > |
| %3F | ? |
| %40 | @ |
| %5B | [ |
| %5D | ] |
| %7B | { |
| %7D | } |
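One way to act on these two tables, as an added example that is not code from the question or from the cookie.js library: percent-encode only the characters the tables (and the `a(b)c` observation above) show ColdFusion truncating on, rather than everything `encodeURIComponent()` touches. It goes beyond the tables in two labelled places: `%` is encoded so the value stays reversible, and the characters RFC 6265 excludes from a cookie-value (CTLs, space, `"`, `,`, `;`, `\`) are encoded as well. Function names, `cookieString()` and its attributes are my own.

```javascript
// Added example, not code from the question or the cookie.js library.
// Characters the question's tables (plus its a(b)c -> a observation) show
// Adobe ColdFusion truncating on; the "no encoding required" set # $ & / ^ ` |
// is deliberately left raw.
const CF_TRUNCATES_ON = new Set(['+', ':', '<', '=', '>', '?', '@', '[', ']', '{', '}', '(', ')']);

// Assumption beyond the question's tables: '%' must be encoded so decoding is
// reversible, and RFC 6265 excludes CTLs, space, '"', ',', ';' and '\' from a
// cookie-value, so those are encoded too.
const NOT_COOKIE_OCTET = new Set(['%', ' ', '"', ',', ';', '\\']);

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function pct(ch) {
  const code = ch.codePointAt(0);
  // encodeURIComponent() leaves '(' and ')' alone, so ASCII is escaped by hand
  if (code <= 0x7f) return '%' + code.toString(16).toUpperCase().padStart(2, '0');
  return encodeURIComponent(ch); // UTF-8 percent-encoding for non-ASCII
}

function encodeCfCookieValue(value) {
  let out = '';
  for (const ch of String(value)) { // iterates code points, keeps surrogate pairs intact
    const code = ch.codePointAt(0);
    const unsafe = code < 0x20 || code > 0x7e || CF_TRUNCATES_ON.has(ch) || NOT_COOKIE_OCTET.has(ch);
    out += unsafe ? pct(ch) : ch;
  }
  return out;
}

// Every escape emitted above is a standard percent escape, so the reader
// (server side or document.cookie) reverses it with decodeURIComponent().
function decodeCfCookieValue(encoded) {
  return decodeURIComponent(encoded);
}

// Check that an encoded value contains only RFC 6265 cookie-octets.
function isRfc6265CookieValue(encoded) {
  return COOKIE_VALUE_RE.test(encoded);
}

// Builds the string to assign to document.cookie; attribute defaults are illustrative.
function cookieString(name, value, { path = '/', sameSite = 'Lax', secure = true } = {}) {
  let s = `${name}=${encodeCfCookieValue(value)}; Path=${path}; SameSite=${sameSite}`;
  if (secure) s += '; Secure';
  return s;
}
```

`isRfc6265CookieValue('a@b')` is true while ColdFusion still truncates at `@`, which is why the encoder uses the question's table rather than the RFC grammar alone.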