Lucee Session Type Bugs

I have some Lucee “session type” questions:

According to the documentation here “Application.cfc Code Examples and CFML Documentation” session type values can be “cfml” and “j2ee”

According to the documentation here “Application.cfc / <cfapplication> :: Lucee Documentation” the session type values can be “cfml” and “jee”

If I expand the session type information in the Lucee admin I get the following information
this.sessionType = "jee";
or
this.sessionType = "application";

This is really frustrating, I guess the correct information is the one provided in the Lucee Admin?

Another gotcha:
If I enable sessionType “application” in the Lucee Admin and open one CF app with sessionType “application” I get 2 cookies: cfid, cftoken
This is fine

If I enable sessionType “jee” in the Lucee Admin and open one CF app with sessionType “application” I get 3 cookies:
JSESSIONID,cfid, cftoken

Imho this is a bug, why is the Lucee Admin setting overriding the app setting?

I always configure session management in my Application.cfc using

this.sessionManagement = true;
this.sessionType = "J2EE";
this.setClientCookies = false;

This results in just the jsessionid session-only cookie being sent.

Are you sure the cfid/cftoken cookies you’re seeing aren’t persistent ones set before you changed to “j2ee”?

Yes, I normally use jee sessions too - but if I want to store sessions into a cache or db this is not possible with Lucee. I have to switch to sessionType “application” (or cfml?).

I guess your sessionType should be “jee” and not “j2ee”?

Yes, I cleared all the cookies before my tests and tested a lot of times - so I am sure that my cookies are newly set by Lucee.

When I switched to using jsessionid cookies several years ago the value given was “j2ee”. But Lucee will accept both (and also just “j” apparently).

Do you have this.setClientCookies = false;? If I remove that line then I’m also seeing cfid/cftoken cookies being set, even when this.sessionManagement = false;

Be aware CSRF functionality is broken with J2EE sessions, it’s the top voted bug in Jira…

https://luceeserver.atlassian.net/browse/LDEV-412

According to the Lucee source you can use any of the following:

"j2ee", "jee", "j"
"application", "cfml", "cfm", "c"

Thanks for the information about the sessionType values, I guess we should update the cfdocs.org documentation.

Regarding "setClientCookies" - please see my test results.
Imho the application sessionType should overrule the sessionType defined in the Lucee administrator, so it looks like a bug to me:

<cfcomponent output="false">
	<cfprocessingdirective suppresswhitespace="true">

	<cfscript>
	this.name = "sessiontest";
	this.loginStorage = "session";
	this.sessionManagement = true;

	// 1) Lucee admin session type = "jee"
	this.sessionType = "application";
	this.setClientCookies = false;
	// -> Cookies:
	// "JSESSIONID", Expires 1969-12-31T23:59:59.000Z, HTTP checked

	// 2) Lucee admin session type = "jee"
	this.sessionType = "application";
	this.setClientCookies = true;
	// -> Cookies:
	// "JSESSIONID", Expires 1969-12-31T23:59:59.000Z, HTTP checked
	// "cfid", Expires 2019-03-14T16:09:04.788Z, HTTP checked
	// "cftoken", Expires 2019-03-14T16:09:04.788Z, HTTP checked
	</cfscript>

	</cfprocessingdirective>
</cfcomponent>

What do you think, should I create a ticket in Jira?
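
A way to check the cookie behaviour reported in this thread from captured response headers, as an added example that is not part of the thread or of Lucee's code. The function names, the EXPECTED mapping (taken from the cookies the posters report for each session type) and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Alias groups quoted in the thread from the Lucee source.
JEE_ALIASES = {"j2ee", "jee", "j"}
CFML_ALIASES = {"application", "cfml", "cfm", "c"}
# Assumption: cookie names per session type, as reported by the posters.
EXPECTED = {"jee": {"jsessionid"}, "cfml": {"cfid", "cftoken"}}


def normalize_session_type(value):
    """Map any accepted this.sessionType alias to 'jee' or 'cfml'."""
    v = value.strip().lower()
    if v in JEE_ALIASES:
        return "jee"
    if v in CFML_ALIASES:
        return "cfml"
    raise ValueError(f"unknown sessionType: {value!r}")


def audit_session_cookies(session_type, set_cookie_headers):
    """Return (issued, unexpected) for the Set-Cookie values of one response.

    issued maps each lower-cased cookie name to its persistent/httponly flags;
    unexpected lists session cookies that belong to the other session type.
    """
    kind = normalize_session_type(session_type)
    issued = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            issued[name.lower()] = {
                # No Expires/Max-Age means a session-only cookie.
                "persistent": bool(morsel["expires"] or morsel["max-age"]),
                "httponly": bool(morsel["httponly"]),
            }
    tracked = EXPECTED["jee"] | EXPECTED["cfml"]
    unexpected = sorted(n for n in issued if n in tracked and n not in EXPECTED[kind])
    return issued, unexpected


# Constructed headers modelled on case 2 of the test above (values are made up).
CASE_2 = [
    "JSESSIONID=0A1B2C3D; Path=/; HttpOnly",
    "cfid=11111111-2222-3333; Expires=Thu, 14 Mar 2019 16:09:04 GMT; Path=/; HttpOnly",
    "cftoken=0; Expires=Thu, 14 Mar 2019 16:09:04 GMT; Path=/; HttpOnly",
]

if __name__ == "__main__":
    print(audit_session_cookies("application", CASE_2))
```

Run against headers captured after clearing the browser's cookies, a non-empty `unexpected` list shows that a session cookie of the other type was issued despite the Application.cfc setting.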

Did you ever get an answer? Did you ever figure this out?