Session Management and Application.cfc glitch

I think I am on a roll this weekend! And I do not know how many of the previous errors I posted are related to this issue. A few months back I posted a problem where the User Session would recreate itself on every page refresh. But not on some computers.

For instance, the dev pc I use would keep its session. But 2 other people who were testing my site ran into errors. When I got onto their machines and dumped the session, the sessionid would change with every refresh.

I tried setting Session Management from Memory to File
I went thru and clicked all the clear cache buttons I could find
I restarted Lucee
I restarted Tomcat
I restarted the Server.
I reset the Session Management back to Memory and I saw that the session on my dev machine did not change. It should have because I moved the management, no?
I went thru the Application.cfc thinking I had something weird in there. I cleared it all the way to (yes yes, it is still the old format, I will update it some day)

<cfcomponent displayname="Application" output="true" hint="Handle the application.">
	<cfset THIS.Name = "Example.com" />
	<cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 30, 0, 0 ) />
	<cfset THIS.sessionTimeout = CreateTimeSpan( 0, 30, 0, 0 ) /> 
	<cfset THIS.SessionManagement = true />
	<cfset THIS.SetClientCookies = false />

	<cfset THIS.defaultdatasource="mytable" />

   
    <cfset THIS.javaSettings = {
        loadPaths = [ expandPath('/libs/') ],
        reloadOnChange=true,
        watchInterval=600
    } />

    <cfset this.mappings['/authenticator'] = expandPath("/cfc/authenticator") />
    <cfset this.mappings['/spreadsheet'] = expandPath("/cfc/spreadsheet") />
	<!--- Define the page request properties. --->
	<cfsetting requesttimeout="20"	showdebug="no" enablecfoutputonly="no"	/>
</cfcomponent>

And still the problem persisted. So I just loaded an empty Application.cfc and it complained there was no component… well I did delete it all. So I added just the component part back and voilà, the sessionid stopped changing after every refresh. My dev session also cleared out and loaded whatever Lucee’s Default Application settings are.

So, now that I fixed the problem, I need to know from someone who knows Lucee far better than I do, how to track down wtf just happened, when it happens again. Because it will. This is the 3rd time I can remember that it has happened.

Current Lucee specs (which are updated since last time this happened because of the new release of 7):

Lucee 7.0.2.106 
Apache Tomcat/11.0.13 
Java: 21.0.9 (Eclipse Adoptium) 64bit 

If you don’t set cookies, each request starts a new session???

Another err. from moving from OpenBlueDragon to Lucee. It handled Sessions differently than Cookies, and I could still have Session Management without the cookie.

Which now explains a bit, because without the settings, a cookie is established. And Lucee continues to use that cookie regardless of that setting. And I started rebuilding this site before that setting was in. And the other people I had test never touched the site while cookies were off, so they never got an initial cookie.

Could this be a potential bug? As in Lucee still using that cookie even though it is off?

When enabled, cookies are only set on the first request, after that they are sent by the browser and Lucee just reads them?

Yes, because that flag has been set shortly after I began my upgrade. And restarts, server reboots, etc. have never stopped me from working or I would have noticed the issue sooner (well I noticed before, which was from a cookie reset on the browser). The only reason I picked up on this issue is I use

csrfGenerateToken( forceNew = true );

During user creation. And I have created many users without issue on my dev pc. It was only when I had 2 other people testing the user creation that I saw the Session was being recreated when the page reloads.

So I assume once the cookie was saved from the 1st contact with the server, it was always used thereafter. The other 2 users I have testing have not had issues since, and that

<cfset THIS.SetClientCookies = false />

Is still active on the server. When I cleared the application.cfc they both refreshed and were able to test after I restored the application.cfc.

On a side note, this cookie setting would not affect websockets from accessing Application Variables would it?

I ask because once I got websockets working, when I returned the Application scope it was empty except for some default variables and the one application variable I set during the test.
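
One way to catch this condition the next time it appears, as an added example that is not part of the thread and not Lucee's own code: an Application.cfc whose onSessionStart logs whether the browser actually sent cfid/cftoken cookies when a new session is created. It assumes CFML-type sessions (cfid/cftoken, not JEE); the application name and the `session-diag` log name are hypothetical.

```cfml
component {

    this.name              = "SessionDiagExample";   // hypothetical name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan( 0, 0, 30, 0 );
    this.setClientCookies  = false;                  // the setting discussed in the thread

    // Called once for every NEW session. If a client never received
    // cfid/cftoken cookies, this fires on each of its requests.
    function onSessionStart() {
        // Look at the raw Cookie header, i.e. what the browser really sent,
        // rather than at values the engine may have generated itself.
        var headers   = getHTTPRequestData().headers;
        var rawCookie = structKeyExists( headers, "cookie" ) ? headers.cookie : "";
        var sentCfid    = findNoCase( "cfid=", rawCookie ) > 0;
        var sentCftoken = findNoCase( "cftoken=", rawCookie ) > 0;

        session.createdAt = now();

        writeLog(
            file = "session-diag",
            type = ( sentCfid && sentCftoken ) ? "information" : "warning",
            text = "new session #session.sessionid#"
                 & " | cfid cookie sent: #sentCfid#"
                 & " | cftoken cookie sent: #sentCftoken#"
                 & " | setClientCookies: #this.setClientCookies#"
                 & " | ip: #cgi.remote_addr#"
                 & " | page: #cgi.script_name#"
        );
    }

    function onRequestStart( required string targetPage ) {
        // Per-session request counter. A client whose counter never
        // gets past 1 is receiving a fresh session on every request.
        param name="session.requestCount" default=0;
        session.requestCount++;
        return true;
    }
}
```

Repeated `warning` lines from the same IP with a different sessionid each time indicate a client that holds no session cookies, which is also why a per-session CSRF token would stop matching between page loads.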