New Release Candidate (

Release Candidate ( ) is available to download from our download page or via the Lucee Admin.


  • Lucee now uses https for all updates and downloads
  • xmlValidate supports passing multiple XSD files into the function
  • jsonValidate a new function to validate JSON, optionally using a JSON schema (via the optional extension “JSON”).

Same Site Cookies

Tormented by SameSite cookie warnings in your console? Enjoy!

sameSite (lax, strict, none) cookie options for <cfcookie> and session cookies.

via Application.cfc

this.sessionCookie.sameSite = "strict";
this.tag.cookie.sameSite = "strict";


<cfcookie name=”id” value=”#createUUID()” samesite=”strict”>

Bug fixes and improvements

Bug fixes and improvements in the code, the focus for the 5.3.7 sprint was stability and regressions, details in the tickets below.

Tickets addressed in this release cycle

LDEV-2889 - allow to use multiple xsd files with XMLValidate
LDEV-2860 - Error - Unable to resolve lucee.image.extension
LDEV-2857 - directoryDelete() can throw NPE
LDEV-2852 - Showing wrong result - using FindOneOf() Member function
LDEV-2834 - Admin-Update, seems has wrong if No upgrade/downgrade version
LDEV-2814 - Lucene and S3 extension get (re) deployed after each update
LDEV-2808 - Regression - Intermittent ClassNotFoundException exception when compiling
LDEV-2798 - Method code too large! after update from to
LDED-2791 - Can’t access plugins install at server level in context web admin
LDEV-2779 - NPE uninstalling an extensionLDEV-2655 - autocommit=true always set
LDEV-2654 - Floor() / Int() can round a number down to > 1 less than its value
LDEV-2651 - Scan deploy folder for extensions to install on startup
LDEV-2597 - createObject (“webservice”, …) broken since (SOAP v1.1)
LDEV-2578 - Reduce INFO logging
LDEV-2568 - CFCOOKIE - Incompatibility with ACF
LDEV-2558 - Extension management broken inside CommandBox CLI/JSR-233
LDEV-2533 - Status showing open - when using Fileclose()
LDEV-2524 - DeserializeJSON does not properly handle uppercase letters in basic multilingual plane values
LDEV-2505 - getFileInfo() is really slow
LDEV-2487 - QoQ and QuerySort don’t sort varchar columns correctly
LDEV-2312 - java.lang.Thread.State: BLOCKED at
LDEV-2288 - Lucee engine reset() kills current thread (regression)
LDEV-2277 - REGRESSION - createObject webservice WSDL error on generating token
LDEV-2158 - Query sorting ignores leading hyphen
LDEV-2061 - getting exception from release in Jetty Servlet engine
LDEV-1846 - CFDocument fails to produce pdf with lmdp locked error
LDEV-1506 - server and extension updates are insecurely downloaded over http
LDEV-1236 - Add SameSite-attribute to cfcookie


Our thanks goes to all Contributors for this release candidate:


If you encounter any regressions with this release candidate, please first post to the mailing list at, or raise a ticket with and the label “regression”, we will look into it with the highest priority.

Open Tickets flagged as regressions

Tickets assigned to the Next Sprint"NextSprint"


Looks like logging is totally broken : &

Any word on a release of this RC? It’s been a few months now.

Last I saw was a SNAPSHOT ( that broke CFMAIL, so who knows what is going on.

I dunno if the presence of a means is now abandoned ?

No, work on the new snapshot always begins at the same time that an RC is announced. I’ve also seen a stream of builds coming through to ForgeBox for the 5.3.8 snapshot, but 5.3.7 seems to have been forgotten about in terms of releasing it as a stable release.

Regarding the regression you mentioned above, is there a ticket in JIRA with the regression label for that? Also, depending on the error you’re seeing, there is also a known issue with CommandBox and CFMail on some of the later versions where the Javamail dependency was updated in Lucee and it conflicts with another jar. It’s an easy fix, but I’m not sure if it’s related to what you’re seeing or not.

1 Like

Logging: (not fixed) (fixed, but not for 5.3.7.x although found in
Mail “fix” discussion:

No, it’s not the CommandBox thing.


Thanks for adding the links. FWIW, the last one seems to have been broken since 5.3.3 so not a recent regression?

A quick RC2 is coming out soon, followed by a STABLE 5.3.7

Here are the code changes since the last RC

The latest snapshot is, please give it go! Any regressions since are the focus at this stage of the release process.

there are a few more bugs (including not being able to set samesite cookies as none) which will be addressed before RC2.

Lots more good stuff already in (which fixes the cfmail address parsing bug)


I’m confused.

What’s changed, in terms of bugs/features between the two RC ?
Hundreds of lines of Java diff are not helpful in answering that question.

1 Like

Here are the issues addressed since 5.3.7-RC1

make query cache optional

Hang: Log4JEngine: failed to stop thread. Conflict in same thread

Application.log missing

GetTagData should return the tag attributes in an ordered struct

add possibility to add a cpu/memory/concurrent request threshold for request timeout

add support for a private key with cflogin

The outstanding samesite cookie issues are

1 Like

Cheers, Zac - can you comment on ?

It sounds like writeLog(‘foo’) no longer works by default ?

It depends on how your logs are configured, should work out of the box IMHO

it’s messy coz lucee is also writing INFO to the log, which i guess prompted the change

Yes me, two , but seems like it’s been changed. Surely I don’t have to raise an issue to get a feature CFML has had since I started using Adobe CF 4.5 put back ?!?

So @Zackster can we hold the “STABLE 5.3.7” until all the logging regressions are fixed ?
/cc @bdw429s

Can we get a 5.3.7-RC2 Docker image for ease of testing ?
Or are the newish ** ** the same thing @justincarter ?

Contrary to comments in #LDEV-2990 writelog() still works as expected in 5.3.7 (using image above) but broken in 5.3.8 : #LDEV-3081

The builds should now be available on Docker Hub. The Lucee JARs should be the same as the builds from 15 days ago, but since this build is newer the main difference would be that the base Tomcat image could have some updates (JDK, Tomcat itself, etc).


A quick heads up for anyone testing the samesite stuff, the (and has my fixes regarding not sending samesite=“none”

2 Likes is now the final RC,