Is there any documentation on the differences in the cookies generated in Lucee apps compared to ColdFusion, and why they are like this?
ColdFusion has CFAUTHORIZATION_<app_name>, but this is not present in Lucee.
Lucee has CF_CLIENT_<app_name> but this is not present in ColdFusion.
In the case of CFID and CFTOKEN, I’ve found the following:

| ColdFusion | Lucee |
|---|---|
| The case of the cookie names is uppercase - CFID, CFTOKEN | The case of the cookie names is lowercase - cfid, cftoken |
| CFID is a number | cfid is a uuid |
| CFTOKEN is a uuid | CFTOKEN is always set to 0 |
| The cookies do not have an expiry date. | The cookies expire on a date. |

I’m asking this to know if there are any security concerns around cookies I need to adjust and if there is something further I should consider when testing applications.
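
For the testing question above, here is an added example (not part of the original post, and not Lucee or ColdFusion code) that audits `Set-Cookie` headers for the CFID/CFTOKEN cookies, matching names case-insensitively and noting an expiry date. The function names and the sample headers are assumptions constructed to follow the table.

```python
# Added example: audit Set-Cookie headers for the CFML session cookies named above.
SESSION_COOKIES = {"cfid", "cftoken"}  # compared case-insensitively (CFID vs cfid)

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit(headers):
    """Return {cookie_name: [findings]} for the session cookies only."""
    report = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue  # not a CFID/CFTOKEN cookie, out of scope here
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("SameSite not Lax/Strict")
        if "expires" in attrs or "max-age" in attrs:
            findings.append("persistent (has expiry)")
        report[name] = findings
    return report

# Constructed sample headers shaped after the table in the post (values made up).
SAMPLE = [
    "CFID=12345; Path=/",
    "CFTOKEN=0a1b2c3d-constructed; Path=/; HttpOnly",
    "cfid=5f0c2f6e-constructed; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax",
    "cftoken=0; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE).items():
        print(cookie, "->", findings or ["ok"])
```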