Secure and HTTPOnly Cookies

Hi, Lucee seems to be setting client stat cookies that I need to make secure and HTTPOnly


How can I achieve this?


You should be able to configure this in your J2EE servlet container. In order to give you a more detailed answer we’ll need more details about your setup.

By way of example, in Tomcat, you can edit [lucee]/tomcat/conf/context.xml and change this:


to this

<Context useHttpOnly="true">

This doesn’t seem to be working on the 5.2.20

<Context useHttpOnly="true"> is set

these cookies are still not set to HTTPOnly and secure

Hi @mee_nothus,

Can you please add like this in your application.cfc.

this.sessioncookie={httponly=false, timeout=createTimeSpan(0, 0, 0, 10), secure=true,domain=""};

I hope this may be help for you.

1 Like

From what I can see the session cookies (CFID,CFTOKEN) are httponly & secure when the client cookie is not. this.sessioncookie would not change this.

A workaround solution might be to disable the client scope or store the client cookie on the server instead (in memory or db).

The context config should change how cookies are delivered by Tomcat. In more recent versions, you may need to apply that config directly to the context config for each domain - I’m not certain.

If you’re proxying through a web server, you can configure your web server to also deliver the cookies securely. For example, in Apache you could add the following config (which requires mod_header):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Hope this helps.

You might want to consider also adding SameSite=strict if you are going down this path.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

Like many things, it’s not support yet on Safari, but all the major browsers already support it

Add SameSite-attribute to cfcookie

please vote for the issue if you think it’s a good idea.


Twitter just posted this, they got all major browsers to support samesite, even IE11!

It looks to me like the Client cookies should abide by the same secure and httpOnly settings of sessionCookie, as @cfmitrah suggested.

Does anyone know how ACF handles that?


FYI: In Lucee and the Client Cookies settings are governed by this.sessionCookie, so = true;
this.sessionCookie.httpOnly = true;

Would now control the CF_CLIENT_APPNAME_XX cookies as well

This doesn’t seem to be working, did i miss something?

component {
	this.sessionmanagement = "yes";
	this.sessiontimeout = createTimeSpan(0,1,0,0); = true;
	this.sessionCookie.httpOnly = true;			

	onRequestStart = function(){
		echo("<h1>Cookie test</h1>");
		dump(var=server.lucee.version, label="lucee version");
		dump(var=cookie, label="cookie scope");
		dump(var=cgi.http_cookie, label="cgi.http_cookie");

outputs the following

1 Like