Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

sessionRotate() doesn't copy CSRF tokens to new session

Description

We are currently using Lucee 5.3.6.68.

We are migrating from Adobe CF to Lucee.

Configuration
<cfset THIS.SessionManagement = true />
<cfset THIS.ClientManagement = true />
<cfset THIS.LoginStorage = "session" />
<cfset THIS.setClientCookies = true />

Issue
sessionRotate() changes the previously generated CSRF Token, so csrfVerifyToken() is now always false.

Reproduce

  1. We login

  2. We generate a CSRF Token with csrfGenerateToken() we set it to a session variable (to later be referenced).

  3. Invoke sessionRotate()

  4. Return a form page and add csrf token we previously generated

  5. Invoke csrfVerifyToken (as we did in Adobe ColdFusion), which returns false

Expected

Invoke csrfVerifyToken, should be true

Workaround

Replace session variable with csrfGenerateToken(<key>, false)

Please may we know, why this behavior differs between Adobe ColdFusion and Lucee? or maybe we have misconfigured something?

Environment

None

Attachments

1

Activity

Show:

Pothys - MitrahSoft 14 February 2025 at 11:30

I tested this ticket with Lucee version 6.2.1.25-SNAPSHOT. When I checked the csrfVerifyToken() function for the generated token after the sessionRotate(), It now transfers the CSRF token to the new session, and it works fine in the latest version of Lucee.

Zac Spitzer 11 February 2025 at 13:43

include a new sessionStoragePro interface

Zac Spitzer 30 January 2025 at 23:30

Pothys - MitrahSoft 4 March 2021 at 11:43

I attached a test case. With ACF2021 and ACF18, and lucee the latest version 5.3.8.149-SNAPSHOT in commandbox. Yes, CSRFGenerateToken() pass in ACF2021 and ACF18 commandbox only. But lucee fails in both commandbox and lucee express.

Rilwan 4 March 2021 at 09:47

We have ACF11 and ACF18 in production, they don’t have this issue, we have only experienced this in Lucee.

Fixed

Details

Assignee

Reporter

Priority

Labels

Fix versions

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Parent

Sprint

Affects versions

Created 3 March 2021 at 12:20
Updated 14 February 2025 at 11:30
Resolved 14 February 2025 at 11:30