Friday, October 25, 2013

Case Sensitive Issue With Cookie In ColdFusion

Scenario: Few days back one of my colleague was working on a shopping cart project. Where they were setting some cookie by using JavaScript (client side ) and then trying to delete that cookie from server side.

Issue: After deleting the cookie each time it was assigning an empty string to that cookie but that cookie was present in cookie scope and in next request it was coming again.

To show the exact situation I wrote following piece of ColdFusion code:

First time, I run the code without any cookie I got following output.

As we see there is only two cookie in ColdFusion dump and also in Firebug( i.e, - CFID and CFTOKEN)
Then, I run following piece of JS code to set a cookie with name 'x'

document.cookie = 'x=test; expires=Fri, 25 Oct 2013 20:47:11 GMT; path=/';

CASE - 1:
Next, I run the ColdFusion code and I got following result:

  • First Line of ColdFusion code it just dumps cookie scope, where we can see our cookie in lower case with value “test”. 
  •  Next line, if cookie “x” exists then, show message “Inside if” and delete that cookie by setting expiry date as now and value empty string(“”).
  • Else show message “Inside Else”.
  • Dump cookie scope.
I run the same page multiple times I got same results, means my cookie is not getting deleted. If you notice the first cookie dump shows “x” in lower case and next cookie dump shows in upper case.

CASE - 2:

In second test case I cleared all my cookies and again run the following JS code to set the cookie.

document.cookie = 'X=test; expires=Fri, 25 Oct 2013 20:47:11 GMT; path=/';

Here, if you notice I have set cookie name in upper case. Then I run the ColdFusion code and I got the following result:

Here, if you will notice cookie name is in upper case in both the dump and in Fire bug cookie “X” is not available. Then, I refreshed the page and I got following result:

Ahhh. My cookie got deleted, means our target achieved.

Question: What was the problem in previous case why we were
unable to delete that when it was in lower case?


·         ColdFusion is case insensitive, means if we name variable  name as “x” and “X” both are  same for ColdFusion.
·         JavaScript is case sensitive, means variable “x” and “X” are different.

Code Explanation:
·         When our first if clause checks whether “x” exists in cookie or  not it always find it as ColdFusion case in sensitive but when it  sets to delete the code cookie “X”, we got following in HTTP  response header:

·         Here, ColdFusion send command to browser to delete cookie with name “X” by setting the expiry date as now.
·         Browser set the cookie “X” with expiry date as current time but the old cookie (“x”) is not affected by that activity.
·         In second dump ColdFusion overwrites “x” value by “X”, in server side only. But, cookie stored in client side, when we refresh the page “X” is deleted (as we set the expiry date as current time) and “x” is available. So, it again displays “x”.
·         When we set cookie name in upper case(X) by JavaScript, then ColdFusion can able to delete that value as I have already explained that how.

When setting cookie from client side be aware of the case sensitivity.


  1. I had this very problem today, and this is exactly the information I needed to solve it. Thanks for the help!

  2. If you need your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you need to watch this video
    right away...

    (VIDEO) Text Your Ex Back?