Bug Report - sessioncookie struct doesn't seem to work as intended

Lucee, Windows server, IIS:

this.sessioncookie = { secure = true, samesite = 'lax' };

the ‘sessioncookie’ struct has no effect on any cookie settings. this.setdomaincookies = true sets the session’s domain, but setting this.sessioncookie.domain does nothing. The secure flag and samesite attribute are also not affected by the sessioncookie settings.

existing cookies? try incognito

No, I deleted my cookies before testing this repeatedly.

this one I can still reproduce.

@David_Anderson If possible, could you please share your test code to replicate this issue?



component  {

	this.name = "sessionCookieTest";
	this.applicationTimeout = createTimeSpan(1,0,0,0) ;
	this.sessionManagement = true ;
	this.clientManagement = false;
	this.sessionType = "cfml";
	this.sessionTimeout    = createTimeSpan(0,4,0,0) ;
	// this.setdomaincookies  = true ;
	this.sessioncookie = { domain = "test.localtest.me", sameSite = "lax" } ;


1 Like

what does the set-cookie header look like? samesite is only supported for https / localhost from memory?

The samesite supported with localhost domain

I deleted my cookies and reconfigured the site to use SSL and a proper host on a non-local domain. Neither the Secure flag nor the samesite attribute get set.