I have a cookie that is being set by Microsoft ISA. I want to check that the cookie exists from ColdFusion, but the cookie isn't listed in the cookie scope. The page I'm trying to read the cookie value from is using HTTPS. Why can't I read the cookie? All the non-secure cookies are listed in the cookie scope.
+1
A:
If the domain value of the cookie was set by another domain then it can't be read by your web application.
It would be a security breach if www.attackerwebsite.com could read session cookies from www.yourbank.com.
jarofclay
2010-07-14 22:35:30
The cookie was set by my domain, so I should be able to read it.
stomcavage
2010-07-15 03:35:08
The domains must match exactly. E.g., two separate subdomains like `a.example.com` and `b.example.com` are incompatible, as are `example.com` and `a.example.com`.
Justice
2010-09-30 20:50:36
A:
I think I've found the problem. The cookie is created by the ISA server as httpOnly. Does that mean the only way to access the cookie is from the server it was created on?
stomcavage
2010-07-15 14:50:11
A:
The definitive answer: the ISA server sits between the client and the web server, and it grabs the cookie and doesn't let go. I can access the cookie through ColdFusion from any machine on the domain that is not behind the ISA server. So the solution I came up with was to get the cookie value through an JSONP AJAX call to another machine in the domain.
stomcavage
2010-09-30 20:19:56