Lucee Session Cookie

Hello

A client of ours explicitly requires (by policy) a session cookie that is cleared when the browser closes (browser session). I was thinking this would be a quick deal and changed the timeout to -1 as described in the documentation.

this.sessioncookie = {
    'timeout' = -1
};

But if I clear the browser's cookies and reload the page, the cookie is still set with a date (about 20 days, as it seems).

I stripped it down to a blank Test Application.

Application.cfc

component output="false" {

    this.name = "test";
    this.sessionManagement = true;
    this.setclientcookies = true;

    this.sessioncookie = {
        'httpOnly' = true,
        'Secure' = true,
        'domain' = cgi.HTTP_HOST,
        'timeout' = -1,
        'sameSite' = "strict"
    };

    cfsetting(showdebugoutput="true");

}

If I run this application I get the following response:

< HTTP/2 200
< server: nginx/1.14.1
< date: Wed, 22 Sep 2021 08:45:57 GMT
< content-type: text/html;charset=UTF-8
< content-length: 54245
< set-cookie: cfid=186d6e33-cb33-4e10-855c-71529b80c771;Path=/;Domain=test.xxx.lan;Expires=Tue, 12-Oct-2021 10:24:01 UTC;Secure;HttpOnly;SameSite=Strict
< set-cookie: cftoken=0;Path=/;Domain=test.xxx.lan;Expires=Tue, 12-Oct-2021 10:24:01 UTC;Secure;HttpOnly;SameSite=Strict

What am I doing wrong with the timeout value? Is there another value I have to put there?

The other strange thing: if I turn debugging off, no cookie at all is sent.

I'm using Lucee (Gelert) OS 5.3.8.201 (CFML Version 2016,0,03,300357)

Sessions are only created if you use them, as per this comment:

https://luceeserver.atlassian.net/browse/LDEV-2422?focusedCommentId=44731

Debugging uses the session scope, hence why sessions are created when it is enabled.

Looks like -1 for browser-session cookies isn't supported yet (supported means there should be no Expires attribute set in the Set-Cookie header),

despite what the docs say

Can you file a bug?

Despite what @Zackster already said, I have a working solution for you. Maybe I never came across the above-mentioned bug because I do some security stuff like session rotation and create the cookies manually with cfcookie.

The solution basically consists of setting setclientcookies to false while keeping session management turned on. Because Lucee won't set the cookies then, set the cookies yourself with cfcookie, without an expiration date, when the request starts. This creates a cookie with an expiration of "session". Here is a working Application.cfc:

component output="false" {

    this.name = "test";
    this.sessionManagement = true;

    // set clientcookies to false to avoid Lucee setting the cookies
    this.setclientcookies = false;

    this.sessionTimeout = createTimeSpan(0, 0, 15, 0);

    // fired on every request
    public boolean function onRequest(required string targetPage) output=true {

        // set the cookies as desired; no expires attribute => browser-session cookie
        cfcookie(
            name="cftoken",
            preserveCase=true,
            value="#session.cftoken#",
            httpOnly=true,
            domain=cgi.HTTP_HOST,
            secure=true,
            sameSite="strict");

        cfcookie(
            name="cfid",
            preserveCase=true,
            value="#session.cfid#",
            httpOnly=true,
            domain=cgi.HTTP_HOST,
            secure=true,
            sameSite="strict");

        include arguments.targetPage;
        return true;
    }

    cfsetting(showdebugoutput="true");

}

Important note:

  • Be careful using the Domain attribute with cgi.HTTP_HOST, because cgi.HTTP_HOST may include a port, which has unexpected effects: your Domain attribute won't work when browsing http://localhost:8888.
  • Make use of the preserveCase attribute; otherwise you will have the session variables in upper case.
  • Make sure you are on a secure HTTPS connection because of secure=true.

Hello Zackster,

Thanks for your quick reply!

I have never filed a ticket. Can anyone just file a bug?

Rolf

Hello Andreas,

Thanks for your solution. I was thinking of setting the cookie myself (and did so in some other applications). But because this is a security thing, I wanted to rely on the core language.

To your solution: doing this in onRequest, wouldn't that mean that you set the cookie on every request? Usually, if I set the cookie myself, I did an if (structKeyExists(cookie, "cfid")) first and set the cookie only if it doesn't exist.

Are there any advantages if the cookie is set on every request?

Rolf


Hi Rolf,

I'm not a security expert. The example I gave just shows a way to create those cookies with an expiration value of "session". You can set those cookies in your application however it's needed and adapt it to your requirements.

I personally use session rotation a lot, and I want any change made in my CFML code with cfcookie to have an immediate effect on every subsequent request. If not, the cookie is preserved in the browser with an old setting for as long as the session doesn't expire. However, you can handle it the way you like or need, e.g. create it only when the user is going to log in, or when no cookies are present in the request headers. You can move the logic as you like according to your needs. E.g. I have one app that creates those session cookies only when they are needed.
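Pulling Andreas's solution and Rolf's "only set it when missing" question together, here is an added example of an Application.cfc that is not code from either post or from the Lucee project. It keeps setClientCookies off, writes cfid and cftoken with cfcookie and no expires attribute (so the browser treats them as session cookies), but only emits a Set-Cookie header when the browser does not already present the current identifier, which also covers the case where the value changed after a sessionRotate(). The helper names writeSessionCookie and cookieNeedsUpdate are my own; the Domain attribute is deliberately left out so the cookie is host-only and the cgi.HTTP_HOST port problem from the note above does not arise.

```cfml
component output="false" {

    this.name = "test";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 15, 0);

    // Lucee must not emit its own cfid/cftoken cookies: those carry an
    // Expires attribute, which is exactly what the policy forbids.
    this.setClientCookies = false;

    // Write one session identifier as a browser-session cookie.
    // No "expires" attribute => the browser drops it when it closes.
    // No "domain" attribute => host-only cookie (stricter than Domain=...).
    // Helper name is an assumption for this example, not a Lucee API.
    private void function writeSessionCookie(required string name, required string value) {
        cfcookie(
            name = arguments.name,
            value = arguments.value,
            preserveCase = true,
            httpOnly = true,
            secure = true,
            sameSite = "strict"
        );
    }

    // True when the browser sent no cookie of that name, or sent a stale one
    // (e.g. after sessionRotate() changed session.cfid / session.cftoken).
    // Only then is a Set-Cookie header needed in this response.
    private boolean function cookieNeedsUpdate(required string name, required string expected) {
        if (!structKeyExists(cookie, arguments.name)) {
            return true;
        }
        return cookie[arguments.name] != arguments.expected;
    }

    public boolean function onRequestStart(required string targetPage) {
        // Emit Set-Cookie only when the browser does not already hold the current ids.
        if (cookieNeedsUpdate("cfid", session.cfid)) {
            writeSessionCookie("cfid", session.cfid);
        }
        if (cookieNeedsUpdate("cftoken", session.cftoken)) {
            writeSessionCookie("cftoken", session.cftoken);
        }
        return true;
    }

}
```

Because this check runs in onRequestStart, a page that calls sessionRotate() part-way through a request should write both cookies again itself right after the rotation; otherwise the browser keeps the old identifiers until its next request, and that request would no longer find the rotated session. To confirm the result, look at the response headers: each Set-Cookie line for cfid and cftoken should carry Secure, HttpOnly and SameSite=Strict and no Expires or Max-Age attribute, and a repeated request with the cookies present should carry no Set-Cookie line at all.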

Sure can, all you need to do is create an account and then you can file a bug:

https://luceeserver.atlassian.net/jira