After 25 years of always writing <cflocation url="" addtoken="false">
I’ve had enough
For Lucee 6.0, addToken should default to false, on security reasons. Lucee should not be throwing around your session by default, just coz CF did since the 90s
https://luceeserver.atlassian.net/browse/LDEV-3437
Lucee 6 is a chance for reasonable breaking changes
Any Objections?