How do I prevent the cookies CFID and CFTOKEN from being set?

How do I prevent the cookies CFID and CFTOKEN from being set?
I disabled:

  • Session Management,
  • Client Management,
  • Domain Cookies,
  • Client Cookies
    in the Lucee web administrator and I have an application.cfm with the tag:
<cfapplication name="efactum QM-Portal"

But every time I start a cfm-file in the browser both cookies (CFID and CFTOKEN) are set.
OS:Windows Server 2012
Java Version: 1.8.0_242 (AdoptOpenJDK) 64bit
Tomcat Version: Apache Tomcat/8.5.11
Lucee Version: Lucee

Thank you


in the application.cfc constructor


Hi Zac,
even if I write it to application.cfc instead of application.cfm the two cookies are always set.

even in an incognito/private browsing session? you’re seeing Set-Cookie headers?

there is a bug with threads setting cookies

Hi, Zac,
I don’t use CFThread, it’s just a small html page where I once call a form in a cfm file which is sent by cfmail.
On this page the cookies cfid and cftoken are set.

If you are using the settings above, there shouldn’t be a cookie created at all in your app. These are some possibilities:

  • Is it possible that you are accessing some other parts of your application that causes cookie creation? Try renaming your application.cfm/.cfc deactivating it for tests.
  • Check other directories for application.cfm/cfc files that may have cookies set to true.
  • Be also aware that accessing your Lucee/Web Adminsitrator will create those cookies. It may appear they are being created by your app. So if your are switching around configuring your app with the same browser you are making your dev browsing, you’ll see those cookies.
  • If you are creating some dyamic content like captchas with cfimage, it will create content and deliver the content from the “/lucee/graph.cfm”. I’ve seen them creating cookies also. These may be a cause.
1 Like

yup, that was the problem, we solved it in the task.

solution was to use ImageCaptcha() and write it out directly as a base64


Here the solution, which Zac showed me:

	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "low"));
	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "medium"));
	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "high"));
1 Like

here’s that task

bug filed

1 Like