When using Application.setClientCookies=true and CFCOOKIE to set expiration for CFTOKEN/CFID, cookies are set twice


With the following application settings:

<cfcomponent displayname="Application" output="false" hint="Handle the applications">
<cfset THIS.Name = "cookietest" />
<cfset THIS.SessionManagement = true />
<cfset THIS.SetClientCookies = true />
<cfset this.sessiontimeout="#createTimeSpan(0,0,59,0)#">
</cfcomponent>

Lucee creates the cfid/cftoken cookies with lower-case names and its default cookie attributes.

When the cookie attributes need to be overridden, for example to make the cookies session-only (expire with the browser session) using the following code:

<cfcookie name="cfid" value="#SESSION.CFID#" httpOnly="true">
<cfcookie name="cftoken" value="#SESSION.CFTOKEN#" httpOnly="true">

this does not overwrite the existing cookies but creates new ones whose names are in upper case. This can be seen in Chrome's DevTools.

When cfcookie is used to change the attributes of cftoken/cfid, Lucee should:

Option 1: honour lower/upper case characters for CFCOOKIE, or
Option 2: THIS.SetClientCookies = true should also create CFTOKEN/CFID in upper case, or
Option 3: the cookies first created in lower case should be kept, but their attributes overwritten

This can be worked around by setting <cfset THIS.SetClientCookies = false /> and then creating all cookies with cfcookie, but having setClientCookies enabled and changing the cookie attributes programmatically with cfcookie does not work.
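As an added example (not part of this report or of Lucee), a small Python check that parses a response's Set-Cookie headers and reports the case-variant CFID/CFTOKEN pairs described above, so the duplicate can be confirmed from an HTTP capture rather than DevTools; the sample headers and their values are constructed.

```python
# Audit Set-Cookie headers for case-variant duplicates of the Lucee session
# cookies, the symptom in this report. Added example, not Lucee code; the
# sample headers below are constructed.
from collections import defaultdict

SESSION_COOKIES = {"cfid", "cftoken"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute
    names are lower-cased and valueless attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs

def is_persistent(attrs):
    """A cookie with Expires or Max-Age outlives the browser session."""
    return "expires" in attrs or "max-age" in attrs

def audit(headers):
    """Return {'duplicates': {folded name: {name as sent: attrs}},
    'missing_httponly': [names]}. Cookie names are case-sensitive
    (RFC 6265), so 'cfid' and 'CFID' are two cookies to the browser."""
    seen = defaultdict(dict)
    missing_httponly = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue
        seen[name.lower()][name] = attrs
        if "httponly" not in attrs:
            missing_httponly.append(name)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return {"duplicates": duplicates, "missing_httponly": missing_httponly}

# Constructed sample of what the Application.cfc plus the two CFCOOKIE tags
# might send: Lucee's lower-case pair (persistent) and the CFCOOKIE upper-
# case pair (session-only). Values and attributes are made up.
SAMPLE_HEADERS = [
    "cfid=12345-ABCDE; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT; HttpOnly",
    "cftoken=0; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT; HttpOnly",
    "CFID=12345-ABCDE; Path=/; HttpOnly",
    "CFTOKEN=0; Path=/; HttpOnly",
]
if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```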


Version: Lucee
Version Name: Gelert
Servlet Container: Apache Tomcat/9.0.11
Java: 1.8.0_202 (Azul Systems, Inc.) 64bit
OS: Windows 10 (10.0) 64bit


Michael Offner


Andreas R