Is there any documentation on the differences in the cookies generated in Lucee apps compared to ColdFusion, and why they are like this?
ColdFusion has CFAUTHORIZATION_<app_name>, but this is not present in Lucee.
Lucee has CF_CLIENT_<app_name> but this is not present in ColdFusion.
In the case of CFID and CFTOKEN, I’ve found the following:

| ColdFusion | Lucee |
|---|---|
| The case of the cookie names is uppercase - CFID, CFTOKEN | The case of the cookie names is lowercase - cfid, cftoken |
| CFID is a number | cfid is a uuid |
| CFTOKEN is a uuid | CFTOKEN is always set to 0 |
| The cookies do not have an expiry date. | The cookies expire on a date. |

I’m asking this to know if there are any security concerns around cookies I need to adjust and if there is something further I should consider when testing applications.