DEV Community

James Moberg
Client Cookie Conversion Requirements for ColdFusion

Anyone aware of any information regarding best practices for client-side cookie generation for ColdFusion/Lucee CFML?

I'm working on an admin tool and created a client-side cookie with an email address or two (for email testing). Upon the next page request using ColdFusion 2016-2021, only the content up to the first @ character was available to ColdFusion. If I explicitly encode @ to %40 using encodeURIComponent(), the AT symbol is preserved. This data corruption bug doesn't exist if using Lucee as the entire value is available without having to encode. (NOTE: This could be problematic as code written for Lucee may lose data with Adobe ColdFusion if client-side cookies aren't encoded correctly.)

Past research on the parenthesis truncation issue (a(b)c becomes a) revealed that Adobe may not have configured Tomcat for RFC 6265 compliance by default and could still be using legacy cookie processing. Tomcat 8.0.15 (with better processing) was released in 11/2014. ColdFusion 2016, 2018 & 2021 are all using a version of Tomcat that supports it, but is it enabled? If not, would it be problematic to enable it? If not, how would it be enabled? Or is it possible that I'm ignoring a best practice when it comes to client-side cookie generation?

NOTE: I'm using the Florian cookie.js library. Here's my contribution for enabling it to generate ColdFusion-friendly cookies:

https://github.com/florian/cookie.js/issues/49

While testing using CommandBox 5.5.1, Adobe ColdFusion 2016-2021 returned all client-side cookies, but Lucee 5.3.9 (w/Java JRE 11.0.15) refused to acknowledge anything unless the cookie was created using CFCookie. I didn't see any difference in the browser's F12 developer tools (under Application | Storage | Cookies).

Anyone have any advice?

No encoding required:

Code  Char
%23   ##
%24   $
%26   &
%2F   /
%5E   ^
%60   `
%7C   |

Encoding required:

Code  Char
%2B   +
%3A   :
%3C   <
%3D   =
%3E   >
%3F   ?
%40   @
%5B   [
%5D   ]
%7B   {
%7D   }
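As an added example, not part of James Moberg's post and not code from the cookie.js library: a stand-alone JavaScript helper that encodes cookie values using the post's two tables as its rule set, so a value such as an email address is not cut off at the @ by Adobe ColdFusion. Beyond the tables it assumes three things: a literal % is also encoded (so decodeURIComponent() can always invert the result), ( and ) are encoded because of the a(b)c truncation the post describes, and characters that RFC 6265 does not permit in a cookie value at all (whitespace, control characters, double quote, comma, semicolon, backslash and non-ASCII) are passed through encodeURIComponent(). Function names, the option defaults (Secure, SameSite=Lax) and the sample values are my own.

```javascript
// Added example: percent-encode only the characters ColdFusion mishandles,
// leaving the rest of the value readable in the browser's cookie inspector.
// Not from the post or from cookie.js; names and defaults are assumptions.

// From the post's "Encoding required" table.
const FROM_POST_TABLE = ['+', ':', '<', '=', '>', '?', '@', '[', ']', '{', '}'];

// Assumptions added here, not taken from the post's table:
//  - '%' becomes %25 so decodeURIComponent() never misreads a literal percent
//    sign that happens to be followed by two hex digits.
//  - '(' and ')' are encoded because the post reports "a(b)c" truncated to "a".
const ASSUMED_EXTRA = ['%', '(', ')'];

const REQUIRES_ENCODING = new Set([...FROM_POST_TABLE, ...ASSUMED_EXTRA]);

// From the post's "No encoding required" table; the test confirms these pass
// through untouched.
const SAFE_UNENCODED = '#$&/^`|';

function percentEncodeChar(ch) {
  return '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
}

// RFC 6265 cookie-octet excludes controls, space, DQUOTE, comma, semicolon,
// backslash and anything outside ASCII. These are not in the post's tables;
// encoding them keeps the value parseable by any compliant server.
function outsideCookieOctet(ch) {
  const code = ch.codePointAt(0);
  return code < 0x21 || code > 0x7e || ch === '"' || ch === ',' || ch === ';' || ch === '\\';
}

function encodeCookieValue(value) {
  let out = '';
  for (const ch of String(value)) {
    if (REQUIRES_ENCODING.has(ch)) {
      out += percentEncodeChar(ch);
    } else if (outsideCookieOctet(ch)) {
      out += encodeURIComponent(ch); // also yields correct multi-byte UTF-8
    } else {
      out += ch;
    }
  }
  return out;
}

// Every literal '%' was encoded above, so decodeURIComponent() is a safe inverse.
function decodeCookieValue(encoded) {
  return decodeURIComponent(encoded);
}

// Build the string assigned to document.cookie. Secure and SameSite=Lax are
// defaults chosen here; the post does not discuss cookie attributes.
function buildCookieString(name, value, options = {}) {
  // Cookie names must be RFC 6265 tokens; reject anything else up front.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('cookie name must be an RFC 6265 token: ' + name);
  }
  const parts = [name + '=' + encodeCookieValue(value)];
  parts.push('Path=' + (options.path || '/'));
  if (Number.isInteger(options.maxAge)) parts.push('Max-Age=' + options.maxAge);
  if (options.secure !== false) parts.push('Secure');
  parts.push('SameSite=' + (options.sameSite || 'Lax'));
  return parts.join('; ');
}

// Parse a Cookie request header (or document.cookie) back into an object.
// Splitting on ';' is exactly why ';' must never appear raw in a value.
function parseCookieHeader(header) {
  const cookies = {};
  for (const pair of header.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq < 1) continue; // empty name or no '=' at all
    cookies[trimmed.slice(0, eq)] = decodeCookieValue(trimmed.slice(eq + 1));
  }
  return cookies;
}

// Browser usage with constructed sample values:
// document.cookie = buildCookieString('testEmails', 'dev@example.com,qa@example.com', { maxAge: 3600 });
```

The encoder works whether or not ColdFusion's bundled Tomcat is switched to the RFC 6265 cookie processor, which is the separate configuration question the post raises; it only relies on the behaviour the post already observed, namely that %40 is decoded back to @ on the ColdFusion side.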
