Lucee Session Cookie

Hello

A client from us wants explicitly (Policy) a Session cookie that is cleared when the browser closes (BrowserSession). I was thinking this is a quick deal and changed the timeout to -1 like described in the documenttation.

this.sessioncookie = {
    'timeout' = -1
  } ;

But if I clear the browsers cookies and reload the page, the cookie is still set with a date (about 20 days as it seems).

I stripped it down to a blank Test Application.

Application.cfc

component output="false" {

  this.name="test" ;
  this.sessionManagement = true ;
  this.setclientcookies = true ;

  this.sessioncookie = {
    'httpOnly'  = true,
    'Secure'  = true ,
    'domain' = cgi.HTTP_HOST,
    'timeout' = -1,
    'sameSite' = "strict"
  } ;

  cfsetting( showdebugoutput="true") ;

}

If i run this application i get the following Response:

< HTTP/2 200
< server: nginx/1.14.1
< date: Wed, 22 Sep 2021 08:45:57 GMT
< content-type: text/html;charset=UTF-8
< content-length: 54245
< set-cookie: cfid=186d6e33-cb33-4e10-855c-71529b80c771;Path=/;Domain=test.xxx.lan;Expires=Tue, 12-Oct-2021 10:24:01 UTC;Secure;HttpOnly;SameSite=Strict
< set-cookie: cftoken=0;Path=/;Domain=test.xxx.lan;Expires=Tue, 12-Oct-2021 10:24:01 UTC;Secure;HttpOnly;SameSite=Strict

What am i doing wrong with the timeout value, is there another value i have to put there?

The other strange thing: If i turn debugging off no cookie at all is sent.

Im using Lucee (Gelert) Os 5.3.8.201 (CFML Version 2016,0,03,300357)

sessions are only created if you use them, as per this comment.

https://luceeserver.atlassian.net/browse/LDEV-2422?focusedCommentId=44731

debugging uses the session scope hence why sessions are created when enabled.

Looks like the -1 for browser session cookies isn’t supported yet (supported means there should be not expires attribute set in the Set-Cookie header)

despite what the docs say

can you file a bug?

Despite of what @Zackster already said, I have a working solution for you. Maybe I never came across the above mentioned bug, because I do some security stuff like session rotation and create the cfcookies manually.

The solution basically consists of setting setclientcookies to false, while having session.managment turned on. Because Lucee won’t set the cookies then, set the cookies with cfcookies without an expiration date when starting the request. This will create a cookie of expiration time “session”. Here is a working application.cfc:

component output="false" {

    this.name="test" ;
    this.sessionManagement = true ;

    // set clientcookies to false to avoid Lucee setting the cookies
    this.setclientcookies = false ;

    this.sessionTimeout= CreateTimeSpan(0, 0, 15, 0);
  
    
    //"function is fired at request
	public boolean function onRequest( required string targetPage ) output=true {
        
        // set the cookies as desired

        cfcookie ( 
           name="cftoken",
           preserveCase=true,
           value="#session.cftoken#",
           httpOnly=true,
           domain=cgi.HTTP_HOST,
           secure=true,
           sameSite = "strict" );

        cfcookie ( 
            name="cfid",
            preserveCase=true,
            value="#session.cfid#",
            httpOnly=true,
            domain=cgi.HTTP_HOST,
            secure=true,
            sameSite = "strict"  );


        include arguments.targetPage; 
        return true;
    }

    cfsetting( showdebugoutput="true") ; 

}

Important note:

  • be carefully using the attribute “Domain” with cgi.HTTP_HOST, because cgi.HTTP_HOST may have a port, having unexpected effects. Your domain attribute won’t work when browsing with http://localhost:8888
  • make use of preserveCase attribute, otherwise you will have the session variables in upper case.
  • make sure you are on secure https connection because of secure=true

Hello Zackster,

Thanks for your quick Reply!

I never filed a Ticket can everyone just file a bug?

Rolf

Hello Andreas,

Thanks for your solution i was thinking (and did in some other applications) set the cookie myself. But because this is a security thing i wanted to rely on the Core language.

To your solution, doing this in the onRequest wouldn’t that mean that you set the cookie on every request? Usually if i set the cookie myself i did a if (structkeyexists(cookie,“cfid”)) first and set the cookie only if it dosent exist.

Are there any advantages if the cookie is set on every request?

Rolf

Hi Rolf,

I’m not an security expert. The example I gave is just showing a way to create those cookies with the expiration value of session. You can set those cookies in your application however it’s needed and adapt it to your requirements.

I personally like to use session rotation a lot, and I want that any possible change made in my cfml code with cfcookie to have an immediate effect to any subsequent request. If not, the cookie will keep preserved in the browser with an old setting as long as the session doesn’t expire. However, you can handle it the way you like or need, e.g. create it only when the user is going to login, or when no cookies are present in the request headers. You can move the logic as you like according to your needs. E.g. I have one app that creates those session cookies just when they are needed.

sure can, all you need to do is create an account and then you can file a bug

https://luceeserver.atlassian.net/jira