Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Calling CFTHREAD Creates New JSESSIONID Cookie Even When Session Management Is Disabled

Description

Browser has no cookies.

*Application.cfc *

this.sessionManagement = false; this.setClientCookies = false;

If anywhere in your code you have:

thread { }

A JSESSIONID cookie is sent to browser.

Environment

None

Attachments

3
  • 09 Aug 2021, 09:49 pm
  • 09 Aug 2021, 09:15 pm
  • 26 Apr 2021, 03:26 pm

Activity

Show:

Pothys - MitrahSoft 7 March 2025 at 09:46

I have tested this ticket with Lucee version 6.2.1.48-SNAPSHOT. I checked the response after calling the cfthread with sessionManagement set to true and false. Now, the cookie is not created; it remains empty, and everything works fine.

Zac Spitzer 25 February 2025 at 14:44

Zac Spitzer 25 February 2025 at 13:23

Zac Spitzer 31 January 2025 at 16:15

Zac Spitzer 30 January 2025 at 21:40

ok, so it’s complicated, internalRequest doesn’t support jsessionId https://luceeserver.atlassian.net/browse/LDEV-5288 so it’s currently impossible (difficult) to test via tests

but I think the fix here is the same as https://github.com/lucee/Lucee/commit/ab6d39c2c967376a6c13919f0f2f9fd9295db3c1

which needs to be applied here

https://github.com/lucee/Lucee/blob/6.2/core/src/main/java/lucee/runtime/thread/ChildThreadImpl.java#L182

Fixed

Details

Assignee

Reporter

Priority

Labels

Fix versions

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Parent

Sprint

Affects versions

Created 29 June 2020 at 20:26
Updated 7 March 2025 at 09:46
Resolved 2 August 2021 at 09:20