I attempted to post the following response regarding a ColdFusion bug that I reported back in March 2018, but Adobe's CFTracker web application wasn't working and refused to accept my post for an undisclosed reason.
I reported it to them and they fixed it within 2-3 days on their PHP platform.
As a workaround for CF2016 (and CF10 & 11), I'm using this modified UDF to set a CFCookie & a fallback "set-cookie" CFHeader. It duplicates the response headers, but if CFCookie isn't used, the value isn't added to the COOKIE scope. (The 2nd set-cookie header automatically overwrites the first one set by CF.)
Source Code
Adobe has posted manual patches for CF2016 & CF2018 on the bug report. (If using CF2016, download the CF2018 attachment as the instructions for CF2016 are incorrect.)
If you are still using ColdFusion 10 or 11, you can use this UDF or Pete Freitag's solution for IIS or Apache.
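To confirm what a browser ends up with when a response carries the duplicated set-cookie headers described above, the headers can be audited offline. This is an added Python example, not the UDF from this post or Adobe's code; the function names are hypothetical and the header values are constructed samples.

```python
# Added example: audit Set-Cookie response headers for the SameSite attribute.
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr keys lowercased."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, value, attrs

def effective_cookies(headers):
    """A later header replaces an earlier one with the same name, domain and
    path, which is how the fallback header overrides the one CF emits."""
    jar = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        key = (name, attrs.get("domain", "").lower(), attrs.get("path", ""))
        jar[key] = (value, attrs)
    return jar

def audit(headers):
    """Return sorted (cookie_name, finding) pairs for the effective cookies."""
    findings = []
    for (name, _, _), (_, attrs) in effective_cookies(headers).items():
        samesite = attrs.get("samesite", "").lower()
        if not samesite:
            findings.append((name, "SameSite missing"))
        elif samesite not in VALID_SAMESITE:
            findings.append((name, "SameSite value not recognised"))
        elif samesite == "none" and "secure" not in attrs:
            # Browsers reject SameSite=None cookies that lack Secure.
            findings.append((name, "SameSite=None without Secure"))
    return sorted(findings)

# Constructed sample headers (not captured from a real server).
DUPLICATED = [
    "TEST=abc123; Path=/",                         # emitted without SameSite
    "TEST=abc123; Path=/; Secure; SameSite=None",  # fallback header, sent second
]
UNPATCHED = ["TEST=abc123; Path=/", "OTHER=1; Path=/; SameSite=None"]

if __name__ == "__main__":
    print(audit(DUPLICATED))
    print(audit(UNPATCHED))
```

The fallback header only replaces the first one when both carry the same Path and Domain; otherwise the audit reports them as two separate cookies.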
Top comments (1)
James, for CF-4201688 did you actually get it to work? I am running CF2018 Enterprise ver. 2018.0.08.318307 on WebSphere 9 and OS: RedHat Enterprise Linux 7.2. We applied hf201600-4201688 as the instructions stated; however, I noticed the "Catalina.jar" file does not exist in any directory, as I believe that is used on Tomcat. It doesn't appear that the samesite attribute of cfcookie works. I don't receive an error for that samesite attribute like I did before applying the fix, but it doesn't appear to pass the value.
Example: cfcookie name="TEST" value="abc123" samesite="None"
Cookie Result:
NAME: "AMWEBJCT!%2Fjrtlappsdev!TEST"
VALUE: "abc123"
SAMESITE: is empty
Thanks.