Bug Report - sessioncookie struct doesn't seem to work as intended

Lucee 5.3.10.120, Windows server, IIS:

this.sessioncookie = { secure = true, samesite = 'lax' };

The ‘sessioncookie’ struct has no effect on any cookie settings. this.setdomaincookies = true sets the session’s domain, but setting this.sessioncookie.domain does nothing. The secure flag and samesite attribute are also not affected by the sessioncookie settings.

Existing cookies? Try incognito.

No, I deleted my cookies before testing this repeatedly.

This one I can still reproduce.

@David_Anderson If possible, could you please share your test code to replicate this issue?

Sure:

application.cfc:

component  {

	this.name = "sessionCookieTest";
	
	this.applicationTimeout = createTimeSpan(1,0,0,0) ;
	this.sessionManagement = true ;
	this.clientManagement = false;
	this.sessionType = "cfml";
	this.sessionTimeout    = createTimeSpan(0,4,0,0) ;
	// this.setdomaincookies  = true ;
	this.sessioncookie = { domain = "test.localtest.me", sameSite = "lax" } ;
}

What does the Set-Cookie header look like? SameSite is only supported for https / localhost, from memory?

SameSite is supported with the localhost domain.

I deleted my cookies and reconfigured the site to use SSL and a proper host on a non-local domain. Neither the Secure flag nor the samesite attribute gets set.

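Added example (not part of the thread and not Lucee code): a small Python check for the "what does the Set-Cookie header look like?" question, comparing response headers against the attributes declared in this.sessioncookie. It assumes the sessionType "cfml" cookies are named cfid and cftoken; the header lines are constructed samples, not captured output.

```python
SESSION_COOKIES = {"cfid", "cftoken"}  # assumed names for sessionType "cfml"

# Attributes declared via this.sessioncookie in the thread's two snippets.
EXPECTED = {"secure": True, "samesite": "lax", "domain": "test.localtest.me"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return name, attrs

def audit(headers, expected=EXPECTED):
    """Return {cookie name: [problems]} for the session cookies only."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue
        problems = []
        for key, want in expected.items():
            got = attrs.get(key)
            if got is None:
                problems.append(f"missing {key}")
            # Browsers ignore a leading dot in Domain, so strip it before comparing.
            elif want is not True and got.lstrip(".").lower() != want.lower():
                problems.append(f"{key}={got} (expected {want})")
        findings[name] = problems
    return findings

# Constructed sample: session cookies with none of the declared attributes applied.
WITHOUT_ATTRS = [
    "cfid=constructed-id; Path=/; HttpOnly",
    "cftoken=0; Path=/; HttpOnly",
]
# Constructed sample: session cookies with the declared attributes applied.
WITH_ATTRS = [
    "cfid=constructed-id; Domain=test.localtest.me; Path=/; Secure; HttpOnly; SameSite=lax",
    "cftoken=0; Domain=test.localtest.me; Path=/; Secure; HttpOnly; SameSite=lax",
]

if __name__ == "__main__":
    for label, headers in (("without", WITHOUT_ATTRS), ("with", WITH_ATTRS)):
        print(label, audit(headers))
```

Feed it the Set-Cookie lines from the browser's network tab or `curl -i` against a fresh session; an empty problem list for both cookies means the struct took effect.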