I ran into an issue recently where I noticed that the “remember-me” cookie in Preside was only being saved in the browser as a session cookie.
After a lot of head scratching and experimentation, I came up with an explanation, which is more widespread than just Preside - it affects ANY Lucee website which runs through Cloudflare, and is down to how Lucee generates cookies, combined with new behaviour from Cloudflare.
When generating cookies with an expiry date, Lucee formats the date as a UTC date string.
This is wrong, according to the spec, which mandates that an HTTP date must be formatted as a GMT date string:
Although UTC and GMT are essentially the same, and the cookies are accepted by browsers without complaint, it appears that Cloudflare has recently introduced cookie validation filters which will strip out the Expires attribute if it doesn’t conform to the spec (this is an assumption based on my testing).
The result of this is that all cookies generated by Lucee with a UTC expiry date will be downgraded to session cookies, which could cause all sorts of issues.
I’ve raised this as LDEV-5584, but thought it would be useful to post in here to make people aware of the issue. We also have a fix within Preside that we’ll roll out shortly which manipulates the cookie expiry at the last minute before returning a response.
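
An added example, not part of the original post and not Lucee's or Preside's code: a Python check that classifies a `Set-Cookie` value by whether its `Expires` attribute is an IMF-fixdate (RFC 7231, section 7.1.1.1) ending in `GMT`, and rewrites a `UTC` zone token to `GMT`. It assumes the Lucee output differs from the spec only in that token; the sample headers and the `rm_token` cookie name are constructed.

```python
import re
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# Shape of an IMF-fixdate with the zone token left open,
# e.g. "Sun, 06 Nov 1994 08:49:37 GMT"
DATE_SHAPE = re.compile(
    r"^(%s), (\d{2}) (%s) (\d{4}) (\d{2}):(\d{2}):(\d{2}) ([A-Z]+)$"
    % ("|".join(DAYS), "|".join(MONTHS)))
EXPIRES_AV = re.compile(r";\s*expires=([^;]*)", re.IGNORECASE)


def parse_http_date(value):
    """Return (datetime, zone) for a well-formed date, else None."""
    m = DATE_SHAPE.match(value.strip())
    if not m:
        return None
    day, dd, mon, yyyy, hh, mi, ss, zone = m.groups()
    try:
        dt = datetime(int(yyyy), MONTHS.index(mon) + 1, int(dd),
                      int(hh), int(mi), int(ss))
    except ValueError:          # e.g. 31 Feb or hour 25
        return None
    # The day name must agree with the calendar date.
    return (dt, zone) if DAYS[dt.weekday()] == day else None


def audit_set_cookie(header):
    """Classify one Set-Cookie value; return (status, header_to_send)."""
    m = EXPIRES_AV.search(header)
    if not m:
        return "no-expires", header       # nothing for a filter to strip
    parsed = parse_http_date(m.group(1))
    if parsed and parsed[1] == "GMT":
        return "ok", header
    if parsed and parsed[1] == "UTC":     # assumed Lucee shape: only the zone differs
        fixed = m.group(1).strip()[:-3] + "GMT"
        return "rewritten", header[:m.start(1)] + fixed + header[m.end(1):]
    return "nonconforming", header        # leave untouched, flag for review


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    for h in ("rm_token=abc; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 UTC; HttpOnly",
              "rm_token=abc; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT; HttpOnly",
              "sid=xyz; Path=/; HttpOnly"):
        print(audit_set_cookie(h))
```

Running the same classification on headers captured at the origin and again at the edge shows whether an `Expires` attribute present at the origin is missing by the time it reaches the browser.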