Lucee 5.3.10.120, Windows server, IIS:
this.sessioncookie = { secure = true, samesite = 'lax' };
The ‘sessioncookie’ struct has no effect on any cookie settings. this.setdomaincookies = true sets the session’s domain, but setting this.sessioncookie.domain does nothing. The secure flag and samesite attribute are also not affected by the sessioncookie settings.
Existing cookies? Try incognito.
No, I deleted my cookies before testing this repeatedly.
This one I can still reproduce.
@David_Anderson If possible, could you please share your test code to replicate this issue?
Sure:
application.cfc:
component {
    this.name = "sessionCookieTest";
    this.applicationTimeout = createTimeSpan(1,0,0,0);
    this.sessionManagement = true;
    this.clientManagement = false;
    this.sessionType = "cfml";
    this.sessionTimeout = createTimeSpan(0,4,0,0);
    // this.setdomaincookies = true;
    this.sessioncookie = { domain = "test.localtest.me", sameSite = "lax" };
}

What does the set-cookie header look like? Samesite is only supported for https / localhost, from memory?
Samesite is supported with the localhost domain.
I deleted my cookies and reconfigured the site to use SSL and a proper host on a non-local domain. Neither the Secure flag nor the samesite attribute gets set.
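
Added example, not part of the thread and not Lucee code: a small Python check that answers the "what does the set-cookie header look like?" question by comparing the session cookies' Set-Cookie headers against the attributes requested in this.sessioncookie. The cookie names cfid/cftoken (sessionType "cfml"), the helper names and both sample header sets are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers against the this.sessioncookie settings.
# Assumptions: session cookies are named cfid/cftoken; sample headers are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs

def audit_session_cookies(headers, expected, names=("cfid", "cftoken")):
    """Return {cookie_name: [problems]} for session cookies that miss `expected`."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in names:
            continue
        problems = []
        for key, want in expected.items():
            got = attrs.get(key.lower())
            if want is True:
                if got is not True:
                    problems.append(f"{key} flag missing")
            # Domain may be emitted with a leading dot; compare case-insensitively.
            elif got is None or str(got).lower().lstrip(".") != want.lower():
                problems.append(f"{key}={got!r}, expected {want!r}")
        if problems:
            findings[name] = problems
    return findings

# Attributes requested across the two this.sessioncookie snippets in the thread.
EXPECTED = {"Secure": True, "SameSite": "lax", "Domain": "test.localtest.me"}

# Constructed headers mirroring the reported symptom (attributes not applied).
OBSERVED = ["cfid=constructed-id; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly",
            "cftoken=0; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly"]
# Constructed headers showing what a response honouring the settings would contain.
HONOURED = ["cfid=constructed-id; Domain=test.localtest.me; Path=/; Secure; HttpOnly; SameSite=Lax",
            "cftoken=0; Domain=test.localtest.me; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for cookie, problems in audit_session_cookies(OBSERVED, EXPECTED).items():
        print(cookie, "->", "; ".join(problems))
```

Paste the Set-Cookie lines from the browser's network tab or a proxy capture in place of OBSERVED; an empty result means every requested attribute reached the client.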
