Question

Yeah, this ought to be fun.

I'm working on a site that was built in Fusebox 5.5 and uses an iFrame. I was recently tasked with converting the site to Application.cfc and setting cookies we're using for Google indexing on the site to HTTPonly as described here: http://www.petefreitag.com/item/764.cfm. The application is running on CF8.

The problem I'm running into is after a user logs into the site, the session data is set after the login process then a fuse is triggered to load the home page which contains a 'frame-buster' function to break the site out of the inner iframe for login and load the main page. When this executes, IE drops the session and as the rest of the page loads, another check occurs that discovers the session is missing and forces a redirect back to the home page. Each JavaScript redirect is creating a new session when used in IE. This issue is not occurring in Firefox or Chrome.

This is the frame-buster function, triggered as an onLoad in the body tag:

function changeParentLocation()
{
    if (top != self) {
        self.location.href = <cfoutput>"#Application.rootdir#"</cfoutput>;
        top.location.replace(self.location.href);
    }
}

This is the onSessionStart function:

<cffunction name='onSessionStart' access='public' returntype='void' output='false'>
    <cfheader name="P3P" value="CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'" />
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=.my.sites.subdomain/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=.my.sites.subdomain/;HTTPOnly">

    <!---<cfcookie name="CFTOKEN" domain=".my.sites.subdomain" value="#Session.CFTOKEN#" />
    <cfcookie name="CFID" domain=".my.sites.subdomain" value="#Session.CFID#" />--->
</cffunction>

If I comment out the HTTPOnly cookies and use the CFCookie code that's currently commented out instead, IE does not attempt to create multiple sessions.


Solution

This does not occur if you properly set your ColdFusion application up to have setClientCookies to be false. It must actually be a boolean false, and not a text value that would otherwise translate to false. In other words:

<cfscript>
    this.name = applicationname;
    this.sessionmanagement = true;
    this.sessiontimeout = '#CreateTimeSpan(0,12,0,0)#';
    this.clientmanagement = true;
    this.setClientCookies = false;
    FUSEBOX_APPLICATION_PATH = '';
</cfscript>

Works. But:

<cfscript>
    this.name = applicationname;
    this.sessionmanagement = 'true';
    this.sessiontimeout = '#CreateTimeSpan(0,12,0,0)#';
    this.clientmanagement = 'true';
    this.setClientCookies = 'false';
    this.specChar = '[!|@|##|$|%|^|&|*|<|>|?|\|/|[|]|{|}|=|~|`|(|)]';
    FUSEBOX_APPLICATION_PATH = '';
</cfscript>

Does not.
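
A way to confirm which of the two configurations a server is actually running, added here as an example and not part of the original answer: audit the `Set-Cookie` headers of the first response for CFID/CFTOKEN. It assumes that when `setClientCookies` is not really disabled, ColdFusion still sends its own CFID/CFTOKEN cookies next to the hand-written `cfheader` ones, so each cookie appears twice and one copy lacks HttpOnly. The function names and header values are constructed for illustration.

```python
from collections import defaultdict

SESSION_COOKIES = ("CFID", "CFTOKEN")  # ColdFusion session identifiers named on the page


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers):
    """Return {cookie_name: [problems]} for the ColdFusion session cookies."""
    seen = defaultdict(list)
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() in SESSION_COOKIES:
            seen[name.upper()].append(attrs)
    findings = {}
    for name, copies in seen.items():
        problems = []
        if len(copies) > 1:
            problems.append(f"set {len(copies)} times in one response")
        if any("httponly" not in attrs for attrs in copies):
            problems.append("a copy lacks HttpOnly")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: server-generated cookies sent alongside the manual headers.
DUPLICATED = [
    "CFID=1234;expires=Thu, 01-Jan-2040 00:00:00 GMT;path=/",
    "CFTOKEN=56789;expires=Thu, 01-Jan-2040 00:00:00 GMT;path=/",
    "CFTOKEN=56789;path=/;HTTPOnly",
    "CFID=1234;path=/;HTTPOnly",
]
# Constructed sample: only the manually written headers are present.
MANUAL_ONLY = ["CFTOKEN=56789;path=/;HTTPOnly", "CFID=1234;path=/;HTTPOnly"]

if __name__ == "__main__":
    for sample in (DUPLICATED, MANUAL_ONLY):
        print(audit_session_cookies(sample))
```

An empty result means each session cookie was set once and with HttpOnly; feed it the raw `Set-Cookie` values from a fresh, cookie-less request.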

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow