Prevent cookies CFID and CFTOKEN from being set

Knut · February 3, 2021, 2:52pm

I’m trying to migrate our main application piece by piece from ACF to Lucee. Unfortunately I run into problems here and there.

I’ve already read the post https://dev.lucee.org/t/how-do-i-prevent-the-cookies-cfid-and-cftoken-from-being-set/7684 but this was no solution for me, because there’s no creating of dyamic content like captchas with cfimage in our code.

I just want to use JEE sessions and set the following in the SERVER administrator:
Session Type = JEE
Session Management = Enabled
Client Management = Disabled
Domain Cookies = Disabled
Client Cookies = Disabled
Session Storage = Memory

Furthermore I have an Application.cfc with:
this.sessionType = “jee”;
this.sessionManagement = true;
this.clientManagement = false;
this.setDomainCookies = false;
this.setClientCookies = false;
this.sessionStorage = “memory”;

The cookies CFID and CFTOKEN are still set in the browser and I don’t know why.

Question:
Where (in which file) are the server admin settings saved?

I would expect, that the server admin settings are saved in the “/WEB-INF/lucee/context/Application.cfc” file.

Original content of “/WEB-INF/lucee/context/Application.cfc”:
component {
this.name = “lucee_context#server.lucee.version#”;
this.clientmanagement=“no”;
this.clientstorage=“file”;.
this.scriptprotect=“all”;
this.sessionmanagement=“yes”;
this.sessionStorage=“memory”;
this.sessiontimeout="#createTimeSpan(0,0,30,0)#";
this.setclientcookies=“yes”;
this.setdomaincookies=“no”;.
this.applicationtimeout="#createTimeSpan(1,0,0,0)#";
this.localmode=“update”;
this.web.charset=“utf-8”;
this.scopeCascading=“strict”;
}

The only workaround I’ve found is to edit the this file and set:
this.setclientcookies=“no”;

I doubt that this is the correct (or “planned”) way to disable the cookies CFID and CFTOKEN.
Any help would be appreciated.

Don’t forget to tell us about your stack!

OS: Debian 9.13 - Linux
Java Version: openjdk version “11.0.7” 2020-04-14
Tomcat Version: 9.0.35
Lucee Version: Lucee 5.3.8.139-RC

Zackster · February 3, 2021, 3:06pm

are they being set via headers in an incognito / wget / curl request?

andreas · February 3, 2021, 4:05pm

Let’s try to find out. I’d try the following:

Load the page that is creating the cookies and inspect the page with “Chromes DevTool” (by right clicking the page-> inspect)
Delete the cookies in the “Application” tab of the Chrome DevTool
Go to the “Network” tab and reload the page.
Check if you see some content being generated/loaded from the path “/lucee/…”. You can see something being loaded with a lucee path in the “Name” column.

If you see somewhere a path with the name lucee like “lucee/graph.cfm” or similar, that might be the cause that is generating these cookies.

If so, some dynamic content like cfimage is generating that but another dynamic content might be the cause of that also. Then I would try to identify the tags that could be generating these cookies. You can simply go through your code by setting cfabort gradually (step by step to a deeper part of your code), and look at which point they are being generated with Chromes DevTool.

Knut · February 3, 2021, 4:53pm

The only files that are loaded from the path “/lucee/…” are:
/lucee/core/ajax/JSLoader.cfc?method=get&lib=LuceeAjax
/lucee/formtag-form.cfm

There’s no use of dynamic content like cfimage in our code.

Looking in our FusionReactor monitoring I see, that the response header from “/lucee/core/ajax/JSLoader.cfc?method=get&lib=LuceeAjax” is the following:
Set-Cookie cfid=ca74469c-b2b7-4716-8ade-87778d37951f;Path=/;Expires=Tue, 23-Feb-2021 18:17:56 UTC;HttpOnly
Set-Cookie cfid=ca74469c-b2b7-4716-8ade-87778d37951f;Path=/;Expires=Tue, 23-Feb-2021 18:17:56 UTC;HttpOnly
Return-Format plain

I don’t understand where the set-cookie command comes from.
I assume, that the Lucee Server Admin does not save the settings properly.

Where does the Lucee Server Admin save its settings?
AND
Why can I only ommit the both cookies when I change the settings directly in the “/WEB-INF/lucee/context/Application.cfc” file to this.setclientcookies=“no”.

Zackster · February 3, 2021, 4:59pm

try dropping in an Application.cfc in under tomcat/lucee-server/context/library/tag/lucee/core/ajax

andreas · February 3, 2021, 5:37pm

The Lucee Server Admin saves its settings in
{path to lucee installation}/lucee-server/context/lucee-server.xml

But the settings of your Server Admin won’t make any effect on that, because these cookies seem to be generated by other core content that has an Application.cfc, similar like it happens with cfimage. Try doing what @Zackster suggested. That is what I would also try to do as a quick fix.

andreas · February 3, 2021, 5:40pm

I just did some tests and I’ve found out that the tag <cfform> is generating embedded content with cookies just like <cfimage> does.

Knut · February 3, 2021, 6:12pm

Thanks for your kind support Zac and Andreas.

I just did some tests and I’ve found out that the tag <cfform> is generating embedded content with cookies just like <cfimage> does.

Will this be corrected in the future in the Lucee code or do I have to do something?

@Zackster

try dropping in an Application.cfc in under tomcat/lucee-server/context/library/tag/lucee/core/ajax

What content should have the Application.cfc ???

andreas · February 3, 2021, 6:26pm

I’m sure that the Lucee team will address it, but I can’t really say when because I’m just a humble open source contributor and that is something the core team needs to decide. However, I think you can always address and sponsor the core team for urgent issues.

No, I’ve already commented that bug at Lucees bug tracker at [LDEV-3177] /lucee/graph.cfm doesn't need and shouldn't set session cookies - Lucee cross referencing your blog post.

If you can’t resolve it with @Zackster workaround, the other one would be considering to rewrite those <cfform>s, but I really don’t know how much of your effort that would need in your case.

Knut · February 3, 2021, 8:24pm

Sorry, but the workaround from @Zackster did not work.

The only workaround that works, is to edit the auto generated file “/WEB-INF/lucee/context/Application.cfc” in our web root and to change the value of “this.setclientcookies” from “yes” to “no”.

Thank you for your nice support.

I’m afraid that more questions will arise during the migration of our application to Lucee. I would then be very happy to receive further help.

Stay healthy.

carehart · February 10, 2021, 3:25pm

Knut, in case this becomes pressing and you can’t await a fix, note that you could try to remove the writing of the cfid/cftoken cookie header by way of a web server rewrite (assuming you really never want to written for any cfml request).

You don’t say if you are fronting Lucee with a web server like iis, apache, or nginx. If so, they all support that (a rewrite rule removing a header). If not, I even think the underlying tomcat web server can do it, if that’s what you are relying upon. Or is it something else, like perhaps commandbox and its undertow web server?

Knut · February 11, 2021, 11:33am

Hi Charly,

thank you for your answer and your suggestion for a possible workaround to rewrite the heades. However, I’ve already found a simple workaround that works well. I simply changed the value for “this.setclientcookies” temporarily from “Yes” to “No” in the “/WEB-INF/lucee/context/Application.cfc” file.

Yes, I’m fronting Lucee with apache and nginx (in proxy mode) in my enviroment.