More ColdFusion 9 Backwards Compatibility Issues: structClear()

In one web application running on ColdFusion 9, the logout mechanism uses structClear(cookie) to get rid of cookies holding client-side data related to a session. While using this method is probably not recommended, in the same way, and for the same reasons as not doing structClear(session), it doesn't throw an exception on ColdFusion 8. It does throw an exception in ColdFusion 9. Here's a little test case if you want to verify:

<cfcomponent extends="mxunit.framework.TestCase"> <cffunction name="setup" returntype="void" access="public" output="false"> <cfset variables.TEST_COOKIE_NAME = "mxUnitTest"/> </cffunction> <cffunction name="testScopeExists" returntype="void" access="public" output="false"> <cfset assertTrue(isDefined("cookie"), "The cookie scope should exist.")/> </cffunction> <cffunction name="testScopeClear" returntype="void" access="public" output="false"> <cftry> <cfset structClear(cookie)/> <cfcatch> <cfset fail("The cookie scope could not be cleared.")/> </cfcatch> </cftry> </cffunction> <cffunction name="testClearIndividuals" returntype="void" access="public" output="false"> <cfset var key = ""/> <cfloop list="#structKeyList(cookie)#" index="key"> <cfset structDelete(cookie, key)/> </cfloop> </cffunction> <cffunction name="testSetCookie" returntype="void" access="public" output="false"> <cfset var value = createUUID()/> <cfcookie name="#variables.TEST_COOKIE_NAME#" value="#value#"/> </cffunction> <cffunction name="testGetCookie" returntype="void" access="public" output="false"> <cfset assertTrue(structKeyExists(cookie, variables.TEST_COOKIE_NAME), "The test cookie could not be read.")/> </cffunction> </cfcomponent> <!-- vim: set tabstop=4 filetype=xml autoindent smartindent nowrap: -->

The best workaround would be to mimick testClearIndividuals() in the code above. This has the side effect of adding Set-Cookie HTTP headers to the response, with an expiration date in the past. In other words, upon the next request from the client, the cookie scope will be empty. Of course, the client can send any data it wishes in the Cookie HTTP header of the next request, so there's no gaurantee that the cookie scope will be clean. That makes sense, right?