Tags: session, cookies, coldfusion, railo

In Railo, how do I delete a cookie?


I am using Railo (CFML) and it seems that it is not using Application.cfc/.cfm, because I have deleted those from the folder and it worked just the same. With that being said:

I am trying to force cookies to be deleted when someone logs out of my application. Somehow the information is being restored after I have forced the information in the cookie to be changed.

I have physically deleted the cookie and it forces a CFID update. However, that's the only time that I have been able to get a CFID change. I have looked more into the cookie and using my web developer toolkit, the cookie is set to expire in 2045.

I have searched on here for hours looking for methods to work and I can tell you so far they work on other projects that I have worked on but for some reason I cannot get it to work on this current project. Just a heads up, I am the 15th programmer on this site.

Here is some of the code that I am working with:

<!--- First attempt: overwrite both spellings of the cookie and expire them immediately --->
<cfcookie
name="CFID"
value="Dead"
expires="NOW">
<cfcookie
name="cfid"
value="Dead"
expires="NOW">

<cfset structClear( session ) />

<!--- Second attempt: remove the keys from the cookie scope, then send an already-expired cookie --->
<cfset delete_cookie=StructDelete(cookie,"CFID")>

<cfcookie name="CFID" value="0" expires="Thu, 01-Jan-70 00:00:01 GMT">
<cfoutput>Cookie Deleted: #delete_cookie#<br /></cfoutput>

<cfset delete_cookie=StructDelete(cookie,"cfid")>
<cfcookie name="cfid" value="0" expires="Thu, 01-Jan-70 00:00:01 GMT">

<cfset delete_cookie_ga=StructDelete(cookie,"_ga")>
<cfcookie name="_ga" value="0" expires="Thu, 01-Jan-70 00:00:01 GMT">
<!--- Redirect back to index page. --->
<!----<cflocation
url="/"
addtoken="false"
/>--->
<!--- Dump the cookie scope to see what the request now carries --->
<cfdump var="#cookie#">

Here is what I am getting. Before I use that code:

Scope
_ga      string   GA###########
cfid     string   (random letters & numbers)
cftoken  string   50

After I use that code I get:

Scope
_ga      string   0
cfid     string   0
cftoken  string   50

This is me trying 2 different ways to get the job done.

However, after I run this and look at my cookies for my site, I still see the CFID with an expiration of 2045.


Solution

  • Your code works fine for manipulating the cookie values on Railo. It appears Railo is performing session management tasks after the code has completed, and is setting the cfid cookies back.

    Even if you could change the cfid cookie value, the existing session would still exist. Those that can view the session with the cfid in a URL would still be able to use the corresponding session until it naturally times out. To invalidate a session in Railo 4 or higher you can use the SessionInvalidate() function. This function will update the client's cfid, and force the current session to expire.

    Without knowing more about your application, I’m unsure if invalidating the session will resolve the security issues you have been working on.
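As an added example (not the asker's code and not part of Railo itself), here is a logout page that applies the answer above: the server-side session is invalidated first, so the old CFID/CFTOKEN no longer resolve to a live session, and only then are the browser cookies expired. It assumes Railo 4 or higher with session management enabled; the `loggedInUser` session key is a placeholder for whatever your application stores.

```cfml
<!--- logout.cfm (example, assumes Railo 4+ and session management enabled) --->
<cfscript>
    // 1. Kill the server-side session FIRST. Overwriting or expiring the
    //    CFID/CFTOKEN cookies alone leaves the session alive for anyone who
    //    still holds the old identifiers (e.g. copied from a URL).
    if ( structKeyExists( session, "loggedInUser" ) ) {   // placeholder key
        structDelete( session, "loggedInUser" );
    }
    structClear( session );
    sessionInvalidate();   // Railo 4+: expires this session and assigns a new cfid
</cfscript>

<!--- 2. Expire the identifier cookies in the browser. Railo issues fresh
      values on the next request; what matters is that the OLD values
      no longer map to a session on the server. --->
<cfloop list="CFID,CFTOKEN" index="cookieName">
    <cfif structKeyExists( cookie, cookieName )>
        <cfcookie name="#cookieName#" value="" expires="now" httponly="true">
    </cfif>
</cfloop>

<!--- 3. Leave without appending the session token to the URL. --->
<cflocation url="/" addtoken="false">
```

To confirm it worked, replay a request that sends the old CFID/CFTOKEN values: the session scope should come back empty rather than restoring `loggedInUser`, regardless of the cookie's 2045 expiry in the browser.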