For testing I’ve built a small cookieless application. The application cookies are only set when needed and accepted by the user. That all worked perfectly… for some time. Suddenly I saw cftoken/cfid being created. And they were created in a way the lucee admin does it (because cookie names of cftoken/cfid were all lowercase). I’ve tackled down my code and couldn’t find anything wrong with my application.cfc. After some tests I’ve realized that a cfimage captcha generation was generating those cookies.
My finding is that when using cfimage in a way it uses the lucee/graph.cfm, the Application.cfc of the lucee-context-folder is overriding the overall Application.cfc settings. As a test you can simply launch an empty application (with no Application.cfc), and have only one test.cfm with the following code:
<cfimage action="captcha" text="Captcha!" difficulty="medium" height="50" width="200" fontSize="18" fonts="Comic Sans MS,Times New Roman">
Then delete the browser cookies and call http://localhost:8888/test.cfm
This will silently create cookies caused by lucee/Application.cfc where the graph.cfm resides.
There is a workaround by writing the image file to a temporary directory, and loading the image from there without use of graph.cfm…
Wouldn’t it be better to have that graph.cfm placed somewhere it doesn’t clash with the app’s Application.cfc settings? Should I file a bug?
Thanks and have a great day!!!
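The workaround mentioned above (write the captcha to a temporary file instead of letting cfimage serve it through lucee/graph.cfm), as an added example that is not code from the original post or from the Lucee project. The app's own Application.cfc keeps session and client cookies off, the captcha is written to a temp file, inlined into the page as a data URI so no second request (and no graph.cfm) is involved, and the temp file is deleted. The `destination` and `overwrite` attributes on the captcha action, the application name and the temp path are assumptions of this example.

```cfml
<!--- Application.cfc (constructed example): keep the application cookieless --->
<cfcomponent>
    <cfset this.name = "cookielessCaptchaDemo">   <!--- assumed app name --->
    <cfset this.sessionManagement = false>
    <cfset this.clientManagement = false>
    <cfset this.setClientCookies = false>
</cfcomponent>

<!--- test.cfm (constructed example): captcha without lucee/graph.cfm --->
<cfscript>
// Write the captcha to a file under the server temp directory instead of
// using writeToBrowser, so the request never touches lucee/graph.cfm and
// therefore never runs the lucee context's Application.cfc.
captchaPath = getTempDirectory() & "captcha-" & createUUID() & ".png";
</cfscript>

<cfimage action="captcha" text="Captcha!" difficulty="medium" height="50" width="200"
         fontSize="18" fonts="Comic Sans MS,Times New Roman"
         destination="#captchaPath#" overwrite="true">

<cfscript>
// Inline the PNG as a data URI: one response, no extra image request,
// and nothing left on disk once the bytes are read.
captchaB64 = toBase64(fileReadBinary(captchaPath));
fileDelete(captchaPath);
</cfscript>

<cfoutput>
<img src="data:image/png;base64,#captchaB64#" alt="captcha" width="200" height="50">
</cfoutput>
```

To confirm the workaround, repeat the test from the post: clear the browser cookies, request test.cfm, and check that no cfid/cftoken cookies appear in the response. Note that in a genuinely cookieless application the expected captcha text cannot be kept in the session, so it has to be stored and verified by some other server-side means; that part is outside this example.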