csrfGenerateToken() is not functioning correctly in Lucee 7 using Google Chrome. It works correctly in Firefox.
It also works correctly in Lucee 6 on both Firefox and Chrome.
Test:
<cfscript>
writeDump(csrfGenerateToken( forceNew = false ));
writeDump(csrfGenerateToken( forceNew = false ));
writeDump(csrfGenerateToken( forceNew = false ));
writeDump(csrfGenerateToken( forceNew = false ));
</cfscript>
What should happen: they should all output the same result no matter how many times the refresh button is pressed in the browser.
What is happening: In Google Chrome the numbers change on refresh. In Firefox, they do not.
Tested in Lucee 6, functions as it should.
Version Lucee 7.0.1.100
Loader Version 7.0.0.395
Servlet Container Apache Tomcat/11.0.13
Java 21.0.9 (Eclipse Adoptium) 64bit
OS Linux (5.14.0-611.13.1.el9_7.x86_64) 64bit
Architecture 64bit
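The test above cannot tell a broken csrfGenerateToken() apart from a session that is not being kept between requests, because the token is stored in the session. The following diagnostic page is an added example, not code from the thread; it assumes an Application.cfc with this.sessionManagement = true and uses a hypothetical token key "form" and a hypothetical session counter.

```cfml
<cfscript>
// Added diagnostic page (not from the original post).
// Assumes Application.cfc enables session management.

// A per-session counter: if this resets to 1 on every refresh, the browser
// is not sending the session cookie back, and the CSRF token will change too.
if ( !structKeyExists( session, "hitCount" ) ) {
    session.hitCount = 0;
}
session.hitCount++;

// Two calls with forceNew=false in the same request must return the same token.
tokenA = csrfGenerateToken( key = "form", forceNew = false );
tokenB = csrfGenerateToken( key = "form", forceNew = false );

// The token must verify against the value stored in this session.
tokenOk = csrfVerifyToken( tokenA, "form" );

writeOutput( "session id: " & session.sessionid & "<br>" );
writeOutput( "requests seen in this session: " & session.hitCount & "<br>" );
writeOutput( "same token within request: " & ( tokenA eq tokenB ) & "<br>" );
writeOutput( "token verifies: " & tokenOk & "<br>" );

// Cookies the browser actually sent: with a working session the Lucee
// session cookies appear here on the second and later requests.
writeOutput( "cookies received from browser:" );
writeDump( cookie );
</cfscript>
```

Refresh the page a few times in each browser and compare: a stable session id and a climbing counter with a changing token would point at the CSRF function, while a counter that stays at 1 and no session cookies in the dump point at session handling.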
Actually, looking closer, it seems I cannot maintain a session with Google Chrome. Anyone know if there is a setting I may have activated that would do this? It works fine in Firefox, but nada in Chrome.
Everything is fine in Lucee 6, just not 7.
Ok, maybe someone can shed some light on this. I fixed it, but all I did was empty the application.cfc and restarted Lucee.
At this point it started working.
Then I restored chunks of it at a time, and by the time I had fully restored the application.cfc, the problem never returned. So I do not know what was causing Chrome and Lucee to not talk to each other.
So, stepping back, it was just a session bug, nothing to do with CSRFGenerateToken() at all?
Can’t really debug your session handling issue without a working example.
Correct, just a session bug.
Thinking back, I had this happen once before and it mysteriously went away.
As for session management, all I do at the moment is load DJ Springle’s SecurityService (Framework One is not used):
session.userObj = createObject( 'component', 'cfc.model.beans.User');
session.userAdminObj = createObject( 'component', 'cfc.model.beans.UserAdmin');
And set a couple of session variables. I do cache the sessions though. I forgot about that until this morning, wondering why restarting Lucee did not clear the session.