
Cookies empty after <cflocation> (and similar)

I just ran into an interesting issue.  I've actually seen this issue before, and fixed it before, but have never documented it before.

Here is the issue:

You have a page that initiates a session and maybe sets session variables.  At the end of the page, you <cflocation> somewhere else.

On that "somewhere else" page, the session variable will not be set (not even defined).  This only seems to happen in some browsers (it seems [maybe] to be slower or older computers? -- haven't been able to confirm this)

To really understand this, you need to know that when you set any cookies (and sessions set several, most notably CFID and CFTOKEN), the server sends a Set-Cookie header along with the page to set the cookie value.  That is the main way your browser knows to set a cookie.  (You can also set cookies using JavaScript, but that is not applicable to the current discussion.)

So, when you have a page that initiates a session or sets a session variable, it needs to send something to your browser in order to include that cookie header.  Make sense?  You can't get the cookie header if you get no web page from the server!

Taking that logic a step further with the above situation: suppose you have a page that DOES NOT OUTPUT anything to the user (a form action page is the most common, I should think), and that page sets cookies, initiates sessions, sets session variables, or does anything else that requires cookies.  If you do a <cflocation> before you send anything to the browser, those cookies can get lost, because you send the user to a new page, and that page sends its content without the cookie headers.

To fix this, we go back to web 101 and simply use the good old META refresh tag.  Instead of doing a <cflocation>, we output HTML code with a META refresh pointing to where we want to go.  The key here is the output of page content to the browser, which ensures your cookies are set.

So in this scenario, this code is bad:

<cfset cookie.something = "newvalue">

<cflocation url="some_other_page.cfm">

However, this code is a very suitable fix:

<cfset cookie.something = "newvalue">

<META HTTP-EQUIV="Refresh" CONTENT="1;URL=some_other_page.cfm">

In summary, sometimes (and usually at the worst time), cookie values will not be set properly if you do not output any content to the browser, usually in combination with a <cflocation> tag.  This can be fixed by forcing output of HTML content to the browser and using a meta refresh to redirect the user to the appropriate URL.  The same can be done with JavaScript if you feel more comfortable with that.
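
To tell which case a given page falls into, capture the response that triggers the navigation and check whether it carries the cookie headers you expect.  The Python below is an added example, not code from the original post; the function name inspect_response and both captured responses are constructed for illustration.

```python
import io
import re
from http.client import parse_headers

META_REFRESH = re.compile(
    rb'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def inspect_response(raw, expected):
    """Report which expected cookies a raw HTTP response fails to set,
    and how (if at all) it sends the browser to another page."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    # The cookie name is everything before the first "=" of each Set-Cookie value.
    sent = {v.split("=", 1)[0].strip().upper()
            for v in headers.get_all("Set-Cookie", [])}
    meta = META_REFRESH.search(body)
    if 300 <= status < 400 and headers.get("Location"):
        how, target = "http-redirect", headers["Location"]
    elif meta:
        how, target = "meta-refresh", meta.group(1).decode("latin-1")
    else:
        how, target = "none", None
    missing = sorted({c.upper() for c in expected} - sent)
    return {"status": status, "navigation": how, "target": target,
            "missing_cookies": missing}

# Constructed captures (not real traffic): the failing case described in the
# post, and the response produced by the meta-refresh fix.
REDIRECT_NO_COOKIES = (b"HTTP/1.1 302 Found\r\n"
                       b"Location: some_other_page.cfm\r\n"
                       b"Content-Length: 0\r\n\r\n")
META_REFRESH_FIX = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/html\r\n"
                    b"Set-Cookie: CFID=1001; Path=/\r\n"
                    b"Set-Cookie: CFTOKEN=constructed-token; Path=/\r\n"
                    b"Set-Cookie: SOMETHING=newvalue; Path=/\r\n\r\n"
                    b'<META HTTP-EQUIV="Refresh" CONTENT="1;URL=some_other_page.cfm">')

if __name__ == "__main__":
    want = ["CFID", "CFTOKEN", "SOMETHING"]
    for name, raw in [("cflocation", REDIRECT_NO_COOKIES),
                      ("meta refresh", META_REFRESH_FIX)]:
        print(name, inspect_response(raw, want))
```

A non-empty missing_cookies list on the response that performs the navigation is the symptom described above: the next page is requested without those cookies.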

Hope this helps somebody.  ciao
