After 25 years of always writing <cflocation url="" addtoken="false"> I’ve had enough
For Lucee 6.0, addToken should default to false, on security reasons. Lucee should not be throwing around your session by default, just coz CF did since the 90s
https://luceeserver.atlassian.net/browse/LDEV-3437
Lucee 6 is a chance for reasonable breaking changes
Any Objections?
No objection at all!!! Session-IDs in URL as default should have been banned from cflocation 20 years ago!!! Sometimes when I go through legacy code and apps, I still find random cflocated pages unnecessarily showing them. Sigh.
based on the overwhelming positive feedback to this proposal, it has been merged into 6.0.0.85
If you want to change the default right now or if have a code base quirky enough to keep things the way they were on Lucee 6:
You can also assign default values for any tag’s attributes using this.tag.tagname.attribute in Application.cfc.
this.tag.cfhttp.username = "system";
this.tag.log.file = "my-custom-log.log";
this.tag.cflocation.addtoken = false;
I also propose we change the default session configuration in Lucee 6
to be httpOnly = true and samesite = ‘strict’
XML entities should be disabled by default too
Great improvements! Now, if Lucee could set server contex and web context to another place than their webroots as a security default, e.g. a users home directory or just like CommandBox beautifully does, that would be really, really, really awesome.
I’ve added a breaking-change label for things we are going to fix with 6.0
https://luceeserver.atlassian.net/issues/?jql=labels%20%3D%20"breaking-change"
always open to more suggestions!
Indeed, many years ago I wrote my own UDF: LocationNoToken() 
