When loginstorage is set to "cookie", the cookie generated by cflogin is simply base64 encoded. When you decode the cookie you see the user name, and if you know another user name you can change that cookie and try to access the site as that other user.
Lucee should have the (optional) option to encrypt that cookie with a private key, so it cannot be read unless you have that key.
We added the possibility to define a private key in the environment variable "lucee.loginstorage.privatekey". If that variable does not exist, everything works identically to previous versions; if it exists, that key is used to encrypt the data.
We use Blowfish encryption (applied 10 times). That is maybe not the most secure encryption, but the private key does not need to have the same length as the data we encrypt.
We also added a salt.
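As an added illustration (not Lucee's own code), the Python below sketches the two behaviours this ticket describes: without the lucee.loginstorage.privatekey variable the cookie is plain base64 whose user name can be read and replaced, and with it the value is salted and encrypted under a key derived from that variable. Blowfish is replaced by a stdlib-only HMAC-SHA256 keystream, the cookie layout (just the user name) and the key derivation are assumptions, and an HMAC tag is added so that a modified cookie is rejected instead of decrypting to a different user, which encryption on its own does not guarantee.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Environment variable named in the ticket. The cookie layout (plain user name),
# the key derivation and the cipher below are assumptions for this illustration.
ENV_KEY = "lucee.loginstorage.privatekey"

def derive_key(passphrase: str) -> bytes:
    """Turn the env-var value into a fixed-length key (assumed derivation)."""
    return hashlib.sha256(passphrase.encode()).digest()

def key_from_env() -> Optional[bytes]:
    """None when the variable is unset, i.e. legacy base64-only behaviour."""
    value = os.environ.get(ENV_KEY)
    return None if value is None else derive_key(value)

def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (stand-in for Blowfish)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encode_login_cookie(username: str, key: Optional[bytes], salt: Optional[bytes] = None) -> str:
    payload = username.encode()
    if key is None:
        # No private key configured: base64 only. Anyone decoding the cookie
        # sees the user name and can substitute another one.
        return base64.b64encode(payload).decode()
    salt = salt or secrets.token_bytes(8)  # salt must be exactly 8 bytes
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, salt, len(payload))))
    # Integrity tag: encryption alone would let a forger flip bits unnoticed.
    tag = hmac.new(key, salt + ciphertext, hashlib.sha256).digest()[:16]
    return base64.b64encode(salt + ciphertext + tag).decode()

def decode_login_cookie(cookie: str, key: Optional[bytes]) -> Optional[str]:
    """Return the user name, or None when the cookie was altered or the key differs."""
    raw = base64.b64decode(cookie)
    if key is None:
        return raw.decode()
    if len(raw) < 8 + 16:
        return None
    salt, ciphertext, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(key, salt + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, salt, len(ciphertext)))).decode()
```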