But every time I start a cfm-file in the browser both cookies (CFID and CFTOKEN) are set.

OS: Windows Server 2012
Java Version: 1.8.0_242 (AdoptOpenJDK) 64bit
Tomcat Version: Apache Tomcat/8.5.11
Lucee Version: Lucee 188.8.131.52
If you are using the settings above, there shouldn’t be a cookie created at all in your app. These are some possibilities:
Is it possible that you are accessing some other parts of your application that cause cookie creation? Try renaming your application.cfm/.cfc, deactivating it for tests.
Check other directories for application.cfm/cfc files that may have cookies set to true.
Also be aware that accessing your Lucee/Web Administrator will create those cookies. It may appear they are being created by your app. So if you are switching around configuring your app with the same browser you are doing your dev browsing with, you’ll see those cookies.
If you are creating some dynamic content like captchas with cfimage, it will create content and deliver the content from the “/lucee/graph.cfm”. I’ve seen them creating cookies also. These may be a cause.
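One way to carry out the "check other directories" step, as an added example that is not part of the original posts: a Python script that walks a web root and reports the client-cookie setting in every Application.cfc/.cfm it finds. It assumes the setting in question is `setClientCookies` (the `this.setClientCookies` property or the `cfapplication` attribute); the sample tree in `main` is constructed.

```python
import os
import re
import tempfile

# Matches `this.setClientCookies = true` (Application.cfc) and
# `<cfapplication ... setclientcookies="yes">` (Application.cfm).
# CFML is case-insensitive, so the match is too. Commented-out code is not skipped.
SETTING = re.compile(r"setclientcookies\s*=\s*[\"']?(\w+)", re.IGNORECASE)
APP_FILES = {"application.cfc", "application.cfm"}

def scan_webroot(root):
    """Return {path: status} for every Application.cfc/.cfm under root.
    status is 'enabled', 'disabled' or 'not set' (the server default applies)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in APP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = SETTING.search(fh.read())
            if not match:
                results[path] = "not set"
            elif match.group(1).lower() in ("true", "yes", "1"):
                results[path] = "enabled"
            else:
                results[path] = "disabled"
    return results

def main():
    # Constructed sample tree: the root app disables cookies, a forgotten
    # sub-application in /legacy turns them back on.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "legacy"))
        with open(os.path.join(root, "Application.cfc"), "w") as fh:
            fh.write("component { this.setClientCookies = false; }")
        with open(os.path.join(root, "legacy", "Application.cfm"), "w") as fh:
            fh.write('<cfapplication name="old" setclientcookies="yes">')
        for path, status in sorted(scan_webroot(root).items()):
            print(f"{status:9} {os.path.relpath(path, root)}")

if __name__ == "__main__":
    main()
```

Any file reported as `enabled` or `not set` below the directory being tested is a candidate source of the CFID/CFTOKEN cookies.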