How do I prevent the cookies CFID and CFTOKEN from being set?

Meikelv · December 2, 2020, 12:22pm

How do I prevent the cookies CFID and CFTOKEN from being set?
I disabled:

Session Management,
Client Management,
Domain Cookies,
Client Cookies
in the Lucee web administrator and I have an application.cfm with the tag:

<cfapplication name="efactum QM-Portal"
	setclientcookies="false"
	clientmanagement="false"
	sessionmanagement="false"
	setdomaincookies="false">

But every time I start a cfm-file in the browser both cookies (CFID and CFTOKEN) are set.
OS:Windows Server 2012
Java Version: 1.8.0_242 (AdoptOpenJDK) 64bit
Tomcat Version: Apache Tomcat/8.5.11
Lucee Version: Lucee 5.3.7.47

Thank you

Michael

Zackster · December 2, 2020, 12:25pm

in the application.cfc constructor

this.setclientcookies=false;

Meikelv · December 2, 2020, 12:44pm

Hi Zac,
even if I write it to application.cfc instead of application.cfm the two cookies are always set.

Zackster · December 2, 2020, 1:48pm

even in an incognito/private browsing session? you’re seeing Set-Cookie headers?

there is a bug with threads setting cookies

https://luceeserver.atlassian.net/browse/LDEV-2954

Meikelv · December 2, 2020, 6:02pm

Hi, Zac,
I don’t use CFThread, it’s just a small html page where I once call a form in a cfm file which is sent by cfmail.
On this page the cookies cfid and cftoken are set.

andreas · December 6, 2020, 8:25pm

If you are using the settings above, there shouldn’t be a cookie created at all in your app. These are some possibilities:

Is it possible that you are accessing some other parts of your application that causes cookie creation? Try renaming your application.cfm/.cfc deactivating it for tests.
Check other directories for application.cfm/cfc files that may have cookies set to true.
Be also aware that accessing your Lucee/Web Adminsitrator will create those cookies. It may appear they are being created by your app. So if your are switching around configuring your app with the same browser you are making your dev browsing, you’ll see those cookies.
If you are creating some dyamic content like captchas with cfimage, it will create content and deliver the content from the “/lucee/graph.cfm”. I’ve seen them creating cookies also. These may be a cause.

Zackster · December 7, 2020, 10:45am

yup, that was the problem, we solved it in the task.

solution was to use ImageCaptcha() and write it out directly as a base64

Meikelv · December 7, 2020, 10:58am

Here the solution, which Zac showed me:

<cfscript>
	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "low"));
	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "medium"));
	imagewritetobrowser(imagecaptcha( "abcdec", 100, 300, "high"));
</cfscript>

Zackster · December 7, 2020, 12:42pm

here’s that task

https://luceeserver.atlassian.net/browse/LDEV-3172

bug filed

https://luceeserver.atlassian.net/browse/LDEV-3177