Lucee's CF Session cookies

Is there any documentation on the differences in the cookies generated in Lucee apps compared to ColdFusion and why they are like this?

ColdFusion has CFAUTHORIZATION_<app_name>, but this is not present in Lucee.
Lucee has CF_CLIENT_<app_name> but this is not present in ColdFusion.

In the case of CFID and CFTOKEN, I’ve found the following:

| ColdFusion | Lucee |
| --- | --- |
| The case of the cookie names is uppercase - CFID, CFTOKEN | The case of the cookie names is lowercase - cfid, cftoken |
| CFID is a number | cfid is a uuid |
| CFTOKEN is a uuid | CFTOKEN is always set to 0 |
| The cookies do not have an expiry date. | The cookies expire on a date. |

I’m asking this to know if there are any security concerns around cookies I need to adjust and if there is something further I should consider when testing applications.

  1. The UUID is more secure than just a number (ACF).
  2. In Lucee the CFTOKEN is always just 0, because of 1. (and for compatibility reasons with old ACF code).

Thanks.
Why is CFTOKEN kept for compatibility reasons, but CFAUTHORIZATION_ isn’t?

CF_CLIENT_ cookies are “HttpOnly;SameSite=Strict”, is there any way to set them as Secure as well?
CFAUTHORIZATION_ cookies are "Secure; HttpOnly;SameSite=Strict"
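
An added example, not part of the original thread or Lucee's own code: a small Python audit of `Set-Cookie` headers for the cookie names discussed above, flagging missing `Secure`, `HttpOnly` or `SameSite` attributes, persistent cookies, and numeric `CFID` values. The app name `MYAPP` and all sample header values are constructed.

```python
import re

# Cookie names discussed in the thread; matched case-insensitively.
CF_COOKIE = re.compile(r"^(cfid|cftoken|cf_client_.+|cfauthorization_.+)$", re.I)

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(headers):
    """Return {cookie_name: [findings]} for the CFML cookies in headers."""
    report = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if not CF_COOKIE.match(name):
            continue  # not one of the engine's cookies
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append("SameSite absent or None")
        if "expires" in attrs or "max-age" in attrs:
            findings.append("persistent (has expiry)")
        if name.lower() == "cfid" and value.isdigit():
            findings.append("numeric CFID")
        report[name] = findings
    return report

# Constructed sample headers, not captured from a real server.
SAMPLE = [
    "cfid=3f2b8c1e-6a4d-4e9b-9c7a-1d2e3f4a5b6c; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "cftoken=0; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "CF_CLIENT_MYAPP=abc; Path=/; HttpOnly; SameSite=Strict",
    "CFAUTHORIZATION_MYAPP=abc; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE).items():
        print(cookie, "->", ", ".join(findings) or "ok")
```

Feed it the `Set-Cookie` values from a response captured over HTTPS in your own test environment; an empty findings list means all three attributes are present and the cookie is session-scoped.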