Secure and HTTPOnly Cookies


Hi, Lucee seems to be setting client stat cookies that I need to make secure and HTTPOnly


How can I achieve this?



You should be able to configure this in your J2EE servlet container. In order to give you a more detailed answer we’ll need more details about your setup.

By way of example, in Tomcat, you can edit [lucee]/tomcat/conf/context.xml and change this:

<Context>

to this

<Context useHttpOnly="true">


This doesn’t seem to be working on the 5.2.20

<Context useHttpOnly="true"> is set

these cookies are still not set to HTTPOnly and secure


Hi @mee_nothus,

Can you please add like this in your application.cfc.

this.sessioncookie={httponly=false, timeout=createTimeSpan(0, 0, 0, 10), secure=true,domain=""};

I hope this may be of help to you.


From what I can see the session cookies (CFID,CFTOKEN) are httponly & secure when the client cookie is not. this.sessioncookie would not change this.
A workaround solution might be to disable the client scope or store the client cookie on the server instead (in memory or db).


The context config should change how cookies are delivered by Tomcat. In more recent versions, you may need to apply that config directly to the context config for each domain - I’m not certain.

If you’re proxying through a web server, you can configure your web server to also deliver the cookies securely. For example, in Apache you could add the following config (which requires mod_header):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Hope this helps.


You might want to consider also adding SameSite=strict if you are going down this path.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

Like many things, it’s not supported yet on Safari, but all the major browsers already support it.

Add SameSite-attribute to cfcookie

Please vote for the issue if you think it’s a good idea.
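As an added check that is not from the thread: a small Python audit of Set-Cookie headers that reports which cookies lack HttpOnly, Secure and SameSite (the attributes the two Apache Header edit rules above append), plus an idempotent variant of that append that only adds what is missing, so cookies that already carry HttpOnly and Secure, as CFID and CFTOKEN do, don't end up with duplicated attributes. The sample headers, their values and the CFCLIENT_MYAPP cookie name are constructed for the example.

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers modelled on the thread: the session
# cookies already carry HttpOnly and Secure, the client cookie carries neither.
# Values and the CFCLIENT_MYAPP name are placeholders, not captured traffic.
SAMPLE_HEADERS = [
    "CFID=11111; Path=/; HttpOnly; Secure",
    "CFTOKEN=22222; Path=/; HttpOnly; Secure",
    "CFCLIENT_MYAPP=hitcount%3D1; Path=/",
]

# Attributes every cookie should carry, compared case-insensitively.
REQUIRED = ("httponly", "secure", "samesite")


def cookie_attributes(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {lower-cased attribute name: value}."""
    attrs: Dict[str, str] = {}
    for part in header.split(";")[1:]:        # [0] is name=value, skip it
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    return attrs


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every cookie that
    lacks at least one of REQUIRED; an empty dict means all cookies pass."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name = header.split("=", 1)[0].strip()
        attrs = cookie_attributes(header)
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            report[name] = missing
    return report


def harden(header: str, samesite: str = "Strict") -> str:
    """Append only the attributes the cookie lacks. The thread's
    'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure' appends them
    unconditionally, which duplicates attributes on CFID/CFTOKEN."""
    attrs = cookie_attributes(header)
    out = header.rstrip("; ")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    if "samesite" not in attrs:
        out += f"; SameSite={samesite}"
    return out
```

Running `audit(SAMPLE_HEADERS)` flags the client cookie for all three attributes and the session cookies only for SameSite; after `harden` every header passes.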