
How to overwrite CFID/CFTOKEN in ColdFusion 10?

In order to log out a user, I always used the following lines:

<cfset structClear(SESSION)>
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">

It clears the data kept in the session at runtime and resets/renews CFID and CFTOKEN. It still works on our old server (ColdFusion 8), but it no longer works on our new server (ColdFusion 10). The reason this attempt fails in ColdFusion 10 is rather simple: whenever I try to overwrite CFID or CFTOKEN (with <cfcookie>), the cookie is placed on the top domain, e.g.:

Cookie set via <cfcookie> on ColdFusion 10:
domain: .myserver.com

while ColdFusion places its session cookies on the actual (sub)domain:

Generated CFID/CFTOKEN by ColdFusion 10:
domain: mywebsite.myserver.com

The funny thing is, if I set something like:

<cfcookie name="TEST" value="..." expires="NEVER">

the cookie is correctly set with:

domain: mywebsite.myserver.com

And I can easily clear the cookie using:

<cfcookie name="TEST" value="" expires="NOW">

I tried to use the domain property, but this:

<cfcookie name="CFID" value="" domain="mywebsite.myserver.com" expires="NOW">

always ends up as:

domain: .mywebsite.myserver.com

(notice the dot in front) and thus is not recognized as the same cookie.

Another strange thing is that using:

<cfcookie name="CFID" value="" expires="NOW">

will not just generate a cookie with the wrong domain; the cookie is also kept instead of being deleted as expired.

I checked the server settings for cookies on the ColdFusion 10 machine, and the property "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked.

Can anyone help me with this strange case?

asked Oct 28 '25 17:10

Alex
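
Added example (not part of the original question or answer, and not ColdFusion code): a small Python model of how a browser cookie store matches cookies, showing why the expiring cookies described in the question leave the host-only CFID in place. It assumes cookie identity is name, domain, host-only flag and path, as current browsers implement it; the function names and the CFID value are constructed.

```python
# Minimal model of a browser cookie store (illustrative, not ColdFusion code).
# Assumption: one cookie replaces or evicts another only when name, domain,
# host-only flag and path are all identical (current browser behaviour).

def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)

def set_cookie(store, request_host, name, value, domain=None, path="/", expired=False):
    """Apply one Set-Cookie header; returns True if the browser accepted it."""
    if domain is None:
        key = (name, request_host, True, path)     # host-only cookie
    else:
        domain = domain.lstrip(".").lower()        # a leading dot is ignored
        if not domain_matches(request_host, domain):
            return False                           # foreign domain: rejected
        key = (name, domain, False, path)          # domain cookie
    if expired:
        store.pop(key, None)                       # evicts an identical key only
    else:
        store[key] = value
    return True

def cookies_sent(store, host, name):
    """Values of `name` the browser would send to `host`."""
    return [v for (n, d, host_only, _), v in store.items()
            if n == name and (host == d if host_only else domain_matches(host, d))]

def logout_attempts():
    host = "mywebsite.myserver.com"
    store = {}
    # Constructed session id, issued host-only as the question reports for CF10.
    set_cookie(store, host, "CFID", "12345")
    results = {}
    # Expiring cookie scoped to the parent domain.
    set_cookie(store, host, "CFID", "", domain=".myserver.com", expired=True)
    results["parent domain"] = cookies_sent(store, host, "CFID")
    # Expiring cookie with an explicit Domain attribute for the subdomain.
    set_cookie(store, host, "CFID", "", domain=".mywebsite.myserver.com", expired=True)
    results["dotted subdomain"] = cookies_sent(store, host, "CFID")
    # Expiring cookie without a Domain attribute (host-only, like the original).
    set_cookie(store, host, "CFID", "", expired=True)
    results["host-only"] = cookies_sent(store, host, "CFID")
    return results

if __name__ == "__main__":
    for attempt, sent in logout_attempts().items():
        print(f"{attempt:17} -> CFID still sent: {sent}")
```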


1 Answer

In ColdFusion 10, you can use sessionInvalidate() to accomplish this. You will not need to worry about removing the cookies either.

answered Oct 31 '25 13:10

Scott Stroz