Lucee's CF Session cookies

Are there any documentation on the differences in the cookies generated in Lucee apps compared to ColdFusion and why they are like this?

ColdFusion has CFAUTHORIZATION_<app_name>, but this is not present in Lucee.
Lucee has CF_CLIENT_<app_name> but this is not present in ColdFusion.

In the case of CFID and CFTOKEN, I’ve found the following:

ColdFusion Lucee
The case of the cookie names are uppercase - CFID, CFTOKEN The case of the cookie names are lowercase - cfid, cftoken
CFID is a number cfid is a uuid
CFTOKEN is a uuid CFTOKEN is always set to 0
The cookies do not have an expiry date. The cookies expire on a date.

I’m asking this to know if there are any security concerns around cookies I need to adjust and if there is something further I should consider when testing applications.

  1. The UUID is more secure than just a number (ACF)
  2. in Lucee the CFTOKEN is always just 0, because of 1. (and for compatibility reasons with old ACF code)

Why is CFTOKEN kept for compatibility reasons, but CFAUTHORIZATION_ isn’t?

CF_CLIENT_ cookies are “HttpOnly;SameSite=Strict”, is there anyway to set them as Secure as well?
CFAUTHORIZATION_ cookies are " Secure; HttpOnly;SameSite=Strict"