When using Application.setClientCookies=true and CFCOOKIE to set expiration for CFTOKEN/CFID, cookies are set twice

Description

With the following application settings:

<cfcomponent displayname="Application" output="false" hint="Handle the applications">
<cfset THIS.Name = "cookietest" />
<cfset THIS.SessionManagement = true />
<cfset THIS.SetClientCookies = true />
<cfset this.sessiontimeout="#createTimeSpan(0,0,59,0)#">
....

Lucee will create cookies with values for cftoken/cfid in lower case along with default cookie attributes.

When there is a need to rewrite cookie attributes, for example to set the cookie expiration to "session", with the following code:

<cfcookie name="cfid" value="#SESSION.CFID#" httpOnly="true">
<cfcookie name="cftoken" value="#SESSION.CFTOKEN#" httpOnly="true">

This will not overwrite the already existing cookies, but creates new cookies with their names in upper case. This can be viewed in Chrome's DevTools.

In the case of using cfcookies to change attributes of cftoken/cfid, it should:

Option 1: honour lower/upper case characters for CFCOOKIE, or
Option 2: THIS.SetClientCookies = true should also create CFTOKEN/CFID in uppercase, or
Option 3: the first created cookies in lowercase should be kept, but their attributes overwritten

This can be bypassed by setting <cfset THIS.SetClientCookies = false /> and then creating all cookies with cfcookie. But having setClientCookies enabled and changing its cookie attributes with cfcookie programmatically won't work.
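
A check for the duplicate described above, as an added example that is not part of the original report or of Lucee: it parses a response's Set-Cookie values, groups cookie names case-insensitively, and lists which spelling in each group lacks an attribute such as HttpOnly. The sample header values and the function names are constructed for illustration.

```python
# Added example: flag session cookies that a response sets more than once
# under names differing only in letter case (e.g. cfid and CFID).
from collections import defaultdict

# Constructed sample Set-Cookie values; the attribute values are assumptions,
# not captured from a Lucee server.
SAMPLE_HEADERS = [
    "cfid=1a2b3c; Path=/; Expires=Sat, 01 Jan 2050 00:00:00 GMT",
    "cftoken=0; Path=/; Expires=Sat, 01 Jan 2050 00:00:00 GMT",
    "CFID=1a2b3c; Path=/; HttpOnly",
    "CFTOKEN=0; Path=/; HttpOnly",
    "theme=dark; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); name keeps its case."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def find_case_collisions(headers):
    """Return {lowercased name: [(name, attrs), ...]} for names seen in more than one case."""
    seen = defaultdict(list)
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        seen[name.lower()].append((name, attrs))
    return {
        key: entries
        for key, entries in seen.items()
        if len({name for name, _ in entries}) > 1
    }


def missing_attribute(collisions, attribute):
    """List the cookie names inside collision groups that lack `attribute`."""
    return sorted(
        name
        for entries in collisions.values()
        for name, attrs in entries
        if attribute.lower() not in attrs
    )
```

Browsers compare cookie names case-sensitively, so both spellings are stored and sent back; the spelling reported by `missing_attribute` is the one still carrying the default attributes.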

Environment

Version: Lucee 5.3.3.62
Version Name: Gelert
Servlet Container: Apache Tomcat/9.0.11
Java: 1.8.0_202 (Azul Systems, Inc.) 64bit
OS: Windows 10 (10.0) 64bit

Status

Assignee

Michael Offner

Reporter

Andy Rueger

Labels

None

Affects versions

5.3.3.62

Priority

New