TechNote (Archived)

ColdFusion MX: Domain cookie not set when accessing site via IP address

Issue

When a site is accessed using its IP address in the URL andsetDomainCookies="Yes" is specified in thecfapplication tag, ColdFusion will not set a domain cookie. ColdFusion does not recognize an IP address as a domain name.

To determine the domain name whensetDomainCookies="Yes" is specified in acfapplication tag, ColdFusion MX first gets the J2EE request servername variable. This is the same as the CGI.SERVER_NAME variable in CFML. If this variable is "localhost" or is an IP address, including "127.0.0.1", the domain is null (i.e. no domain name). Otherwise, the substring starting with the first dot (.) in servername is used as the domain name. If there is no dot in the servername, the domain is null. When the domain is null, ColdFusion behaves as if setDomainCookies="No" for the request. When the domain is not null, ColdFusion sets the domain into the CFID cookie and also into the CFToken cookie. This is done by calling the J2EE methodjavax.servlet.http.Cookie.setDomain. If the variable is "localhost" or "127.0.0.1" or is not a domain name, ColdFusion will not set a domain cookie.

For example, a web browser does not know that 216.104.212.52 is equivalent to examples.macromedia.com. If a browser request is made to http://216.104.212.52, no cookie is sent from the browser to the server because the browser does not know that 216.104.212.52 is in the macromedia.com domain. The response from ColdFusion would contain a new CFID and CFToken. These cookies contain the domain name (domain=.macromedia.com) because the server knows its own name. The browser, however, will only use this CFID and CFToken pair when a request is sent to {anyname}.macromedia.com. It will not know to send this CFID and CFToken to 216.104.212.52.