Lucee 6, changing some old defaults to be secure by default

After 25 years of always writing <cflocation url="" addtoken="false"> I’ve had enough

For Lucee 6.0, addToken should default to false, for security reasons. Lucee should not be throwing around your session by default, just coz CF did since the 90s

https://luceeserver.atlassian.net/browse/LDEV-3437

Lucee 6 is a chance for reasonable breaking changes

Any Objections?

14 Likes

No objection at all!!! Session IDs in the URL by default should have been banned from cflocation 20 years ago!!! Sometimes when I go through legacy code and apps, I still find random cflocated pages unnecessarily showing them. Sigh.

3 Likes

Based on the overwhelming positive feedback to this proposal, it has been merged into 6.0.0.85

3 Likes

If you want to change the default right now, or if you have a code base quirky enough to need things kept the way they were on Lucee 6:

You can also assign default values for any tag’s attributes using this.tag.tagname.attribute in Application.cfc.

// Application.cfc: per-tag attribute defaults for this application
this.tag.cfhttp.username = "system";        // default username for every cfhttp call
this.tag.log.file = "my-custom-log.log";    // default log file for every cflog call
this.tag.cflocation.addtoken = false;       // never append CFID/CFTOKEN to cflocation redirects

4 Likes

I also propose we change the default session configuration in Lucee 6 to be httpOnly = true and samesite = ‘strict’

https://luceeserver.atlassian.net/browse/LDEV-3448

4 Likes

XML entities should be disabled by default too

https://luceeserver.atlassian.net/browse/LDEV-3451
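The three proposals in this thread (no URL token on cflocation, httpOnly/samesite session cookies, XML entities off) can all be applied per application today, on Lucee 5.x as well as 6. The Application.cfc below is an added example, not code from the thread or the Lucee project; the this.tag line uses the mechanism quoted above, while the this.sessionCookie and this.xmlFeatures structs and their keys are assumed from Lucee's Application.cfc settings and are not on this page.

```cfml
// Application.cfc - added example collecting the thread's proposed defaults
component {
    this.name = "hardened-defaults-example";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // 1. cflocation: never append CFID/CFTOKEN to redirect URLs.
    //    Same this.tag mechanism as quoted in the thread; Lucee 6 makes this the default.
    this.tag.cflocation.addtoken = false;

    // 2. Session cookie flags (assumed keys of Lucee's this.sessionCookie struct).
    this.sessionCookie = {
        httpOnly : true,      // cookie not readable from JavaScript
        secure   : true,      // only sent over TLS; relax for plain-http local dev
        sameSite : "strict"   // not sent on cross-site requests
    };

    // 3. XML parsing: refuse external entities and DOCTYPE declarations
    //    (assumed keys of Lucee's this.xmlFeatures struct).
    this.xmlFeatures = {
        externalGeneralEntities : false,
        secure                  : true,
        disallowDoctypeDecl     : true
    };
}
```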

Great improvements! Now, if Lucee could set the server context and web context to a location other than their webroots as a security default, e.g. a user's home directory, or just like CommandBox beautifully does, that would be really, really, really awesome.

5 Likes

I’ve added a breaking-change label for things we are going to fix with 6.0

https://luceeserver.atlassian.net/issues/?jql=labels%20%3D%20"breaking-change"

always open to more suggestions!

4 Likes

Indeed, many years ago I wrote my own UDF: LocationNoToken() :grinning:

3 Likes