If you are using a cache provider for sessions in a cluster and an empty onSessionStart() method in Application.cfc, Lucee is storing the session in the cache with an eternal timeout or no timeout. I have confirmed this behavior with using our Redis extension. The timeouts in redis come in as -1.
However, we downgraded to Lucee 5.2.x and the issue disappeared. So somewhere between 5.3 this bug was introduced.
In your Application.cfc have something similar to what is shown below:
Notice that the onSessionStart() is empty. Then create a standalone page with NO session interaction:
If you hit this page then you will get an entry in redis with a -1 TTL
Scenarios that produce the TTL as -1
If you set ANY session variable within the life-cycle, then it sets the right timeout.
If you set ANY session variable in the onSessionStart() it sets the right timeout.
If you USE any session variables in the life cycle, then it sets the right timeout
If you USE any session variable in the onSessionStart() it sets the right timeout
However, if the onSessionStart() is empty an NO session vars are set, then the timeout goes to eternal and you can potentially fill up the caches with eternal sessions.
Another scenario that produces a -1 is if you set ANY session variables in the life-cycle and you run an sessionInvalidate() at the end of the request. This also creates an enternal entry in the cache with a -1 TTL.