I’m trying to migrate our main application piece by piece from ACF to Lucee. Unfortunately I run into problems here and there.
I’ve already read the post https://dev.lucee.org/t/how-do-i-prevent-the-cookies-cfid-and-cftoken-from-being-set/7684 but this was no solution for me, because there’s no creating of dynamic content like captchas with cfimage in our code.
I just want to use JEE sessions and set the following in the SERVER administrator:
Session Type = JEE
Session Management = Enabled
Client Management = Disabled
Domain Cookies = Disabled
Client Cookies = Disabled
Session Storage = Memory
Furthermore I have an Application.cfc with:
this.sessionType = "jee";
this.sessionManagement = true;
this.clientManagement = false;
this.setDomainCookies = false;
this.setClientCookies = false;
this.sessionStorage = "memory";
The cookies CFID and CFTOKEN are still set in the browser and I don’t know why.
Question:
Where (in which file) are the server admin settings saved?
I would expect that the server admin settings are saved in the “/WEB-INF/lucee/context/Application.cfc” file.
Original content of “/WEB-INF/lucee/context/Application.cfc”:
component {
    this.name = "lucee_context#server.lucee.version#";
    this.clientmanagement="no";
    this.clientstorage="file";
    this.scriptprotect="all";
    this.sessionmanagement="yes";
    this.sessionStorage="memory";
    this.sessiontimeout="#createTimeSpan(0,0,30,0)#";
    this.setclientcookies="yes";
    this.setdomaincookies="no";
    this.applicationtimeout="#createTimeSpan(1,0,0,0)#";
    this.localmode="update";
    this.web.charset="utf-8";
    this.scopeCascading="strict";
}
The only workaround I’ve found is to edit this file and set:
this.setclientcookies="no";
I doubt that this is the correct (or “planned”) way to disable the cookies CFID and CFTOKEN.
Any help would be appreciated.
Don’t forget to tell us about your stack!
OS: Debian 9.13 - Linux
Java Version: openjdk version "11.0.7" 2020-04-14
Tomcat Version: 9.0.35
Lucee Version: Lucee 5.3.8.139-RC
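
One way to confirm from the outside whether the settings above took effect is to audit the Set-Cookie headers of a response. This is an added example, not part of the original post; the header blocks are constructed sample data and the function names are hypothetical.

```python
# Added example: report which session cookies a raw HTTP response sets.
# The header blocks below are constructed sample data, not captured traffic.

CFML_COOKIES = {"cfid", "cftoken"}   # identifiers the post wants to disable
JEE_COOKIE = "jsessionid"            # servlet-container (JEE) session cookie

# Constructed: the symptom described in the post (CFID/CFTOKEN still set).
SYMPTOM = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly
Set-Cookie: cfid=00000000-0000-0000-0000-000000000000; Path=/; Expires=Fri, 01-Jan-2049 00:00:00 GMT; HttpOnly
Set-Cookie: cftoken=0; Path=/; Expires=Fri, 01-Jan-2049 00:00:00 GMT; HttpOnly
"""

# Constructed: the outcome the poster wants (JEE session cookie only).
EXPECTED = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly
"""

def cookie_names(raw_headers):
    """Return lower-cased names of all cookies set in a raw header block."""
    names = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line, or a different header
        # The first name=value pair is the cookie; the rest are attributes
        # (the Expires date contains a comma, so split on ';' only).
        name, eq, _ = value.split(";", 1)[0].partition("=")
        if eq and name.strip():
            names.append(name.strip().lower())  # compare case-insensitively
    return names

def audit(raw_headers):
    """Classify the cookies a response sets into CFML, JEE and other."""
    names = set(cookie_names(raw_headers))
    return {
        "cfml_cookies": sorted(names & CFML_COOKIES),
        "jee_cookie": JEE_COOKIE in names,
        "other": sorted(names - CFML_COOKIES - {JEE_COOKIE}),
    }

if __name__ == "__main__":
    for label, block in (("symptom", SYMPTOM), ("expected", EXPECTED)):
        print(label, audit(block))
```

Feeding it the headers of a fresh response (no cookies sent in the request) after each configuration change shows whether the change removed CFID and CFTOKEN.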