I had this code in my application.cfc:
this.tag.cflocation.addtoken = false;
and then in onRequestStart:
if (needsLogin) {
location(loginUrl);
}
It redirected to my login page, but with ?CFID=xxx&CFTOKEN=yyy added.
At first I thought that the tag default setting was just not working, but after some experimentation I found that if I called it like this:
location url=loginUrl;
It worked fine (no token added to the URL).
This seems to have something to do with the handling of the myriad ways a tag can be called from cfscript… “cf” prefix or not, parentheses or not, named params or not, and the param assignment operator (param=value or param: value).
There doesn’t seem to be any guide as to what syntax you can use for what tags, so I tested out some variations and I found these results:
location(url=login); // bad: CFID/CFTOKEN added to url
location(url:login); // bad
location(login); // bad
location url=login; // good: clean url
cflocation(url=login); // good
cflocation(url:login); // good
cflocation(login); // syntax error
cflocation url=login; // syntax error
Kind of a confusing set of results, as far as what syntax is allowed…
Anyhow, it seems that whenever calling location using function() syntax and no “cf” prefix, it ignores the addtoken = false default setting.
As an aside, I’m wondering why I even need this setting. Why is cflocation defaulting to addtoken = true in the first place? We recently ported our app over from a really old version of BlueDragon, which never added any tokens. I talked to another Lucee developer, and he seemed to think this behavior was odd as well. He claims Lucee doesn’t do this by default on his sites.
I can’t think of a situation where I would ever want to add a token to a redirected url, since it’s used as the session ID and only causes security problems for shared urls.
So… not sure if this is an actual bug, or just an artifact of the somewhat inconsistent tag syntax in cfscript. I’d love to hear from anybody with more Lucee/CF experience in general.
Thanks,
-Partap
Same results on 2 systems:

OS: Windows 2019 Server
Java Version: OpenJDK 11.0.3
Tomcat Version: 9.0.19
Lucee Version: 5.3.5.92

OS: MacOS 10.15.2
Java Version: 13.0.2
Tomcat Version: 9.0.11
Lucee Version: 5.3.6.61
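Since the post shows that only some cfscript spellings of cflocation pick up the this.tag.cflocation.addtoken default, a defensive pattern is to state addtoken=false on every redirect call itself, so the outcome no longer depends on which syntax form resolved the default. The following Application.cfc is an added example written for this thread, not the poster's code or part of Lucee; the application name, the session key "userId", the login path "/login.cfm" and the helper name redirectNoToken are assumptions.

```cfml
// Application.cfc (added example; names and paths are assumptions)
component {
    this.name = "exampleApp";            // constructed application name
    this.sessionManagement = true;       // needed so the session scope exists
    // Keep the tag default as belt-and-braces; the helper below does not rely on it.
    this.tag.cflocation.addtoken = false;

    public boolean function onRequestStart(required string targetPage) {
        // Hypothetical login check: replace with the application's real test.
        var needsLogin = !structKeyExists(session, "userId");
        if (needsLogin) {
            redirectNoToken("/login.cfm");   // assumed login page path
        }
        return true;
    }

    // Single redirect helper used everywhere in the app. Passing addtoken=false
    // explicitly on the call means the Location header never carries
    // CFID/CFTOKEN, whatever the per-syntax handling of the tag default.
    // The tag-in-script form (location url=... ;) is the one the post found
    // to honour the setting; the explicit attribute makes that irrelevant.
    private void function redirectNoToken(required string url) {
        location url=arguments.url addtoken=false statusCode=302;
    }
}
```

Routing all redirects through one helper also gives a single place to check in review: grep for direct location(...) / cflocation calls outside it, and confirm on a test request that the 302 Location header contains no CFID or CFTOKEN parameter.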