JSESSIONID cookie causes issue when session type = Application

Description

When a user has a JSESSIONID cookie, Lucee will use this (even if session type = application), causing sessions to be immediately invalidated. Also, you cannot expire a JSESSIONID cookie using cfcookie (no error, just leaves the cookie in the browser).

Backstory
We've recently migrated from ACF to Lucee and in ACF we had JEE sessions turned on. However, since we're clustering and can't use JEE sessions in Lucee, we've turned that off and use our db as the client store.

This works fine, unless a user had an active cookie in the ACF site prior to the cutover. In these scenarios the JSESSIONID cookie exists on the client, and it appears Lucee still tries to use it. When that happens our users cannot log in because the session seems to immediately invalidate. If we manually delete the JSESSIONID cookie from the client, all is well. Since we have thousands of users that would have to call support to walk through the clear cookie process, we tried to use cfcookie to expire the JSESSIONID cookie. This would not expire/remove the cookie. We ended up having to drop in some JavaScript to delete the cookie, which worked, but is definitely a hack.

Workaround/Hackaround
Embed JavaScript that will delete the JSESSIONID cookie:

document.cookie = "JSESSIONID=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;";

Environment

None
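
A browser only drops a cookie when the expiring write uses the same name, Path and Domain the cookie was originally set with, so the one-line workaround above misses a JSESSIONID that was scoped to a sub-path or a parent domain. The following is an added example, not code from the ticket or from Lucee, that builds the expiring write for every path prefix and parent domain of the current page; the function names are hypothetical.

```javascript
// Added example. Cookies are keyed by (name, domain, path), so each candidate
// path/domain pair needs its own expiring write.

// "/app/index.cfm" -> ["/", "/app", "/app/", "/app/index.cfm", "/app/index.cfm/"]
// Both "/app" and "/app/" are emitted because they are distinct cookie paths.
function candidatePaths(pathname) {
  const paths = ["/"];
  let prefix = "";
  for (const seg of pathname.split("/").filter(Boolean)) {
    prefix += "/" + seg;
    paths.push(prefix, prefix + "/");
  }
  return paths;
}

// null means "no Domain attribute" (host-only cookie). Parent domains keep at
// least two labels; the browser ignores any that are public suffixes.
function candidateDomains(hostname) {
  const domains = [null];
  if (/^[\d.]+$/.test(hostname) || hostname.includes(":")) return domains; // IP literal
  const labels = hostname.split(".");
  for (let i = 1; i <= labels.length - 2; i++) {
    domains.push(labels.slice(i).join("."));
  }
  return domains;
}

function expiringCookieStrings(name, pathname, hostname) {
  const out = [];
  for (const domain of candidateDomains(hostname)) {
    for (const path of candidatePaths(pathname)) {
      out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=${path}` +
               (domain ? `; domain=${domain}` : ""));
    }
  }
  return out;
}

// Browser entry point. Script cannot overwrite an HttpOnly cookie, so a cookie
// set with that flag is unaffected and has to be expired by a Set-Cookie
// response header carrying the same Path and Domain.
function expireCookie(name) {
  for (const c of expiringCookieStrings(name, location.pathname, location.hostname)) {
    document.cookie = c;
  }
}
```

In a page, `expireCookie("JSESSIONID")` performs the writes; the other functions are pure and can be checked outside a browser.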

Activity

Pothys - MitrahSoft 20 December 2024 at 14:38

I have checked this ticket with the latest Lucee version 6.2.0.236-SNAPSHOT. When I tested the JSESSIONID cookie, it worked fine in JavaScript. Therefore, I am going to close the ticket. If the issue occurs in any scenario, we can reopen it.

Abram Adams 10 December 2024 at 23:15

I no longer have access to the code base in which we encountered this issue. I believe you can test by creating the JSESSIONID cookie in the browser and trying to persist something in the session scope. Using a quick test (courtesy of chatGPT & trycf), it seems that this may no longer be an issue.
TryCF Gist - Lucee 6 (note: Lucee6 on trycf is load balanced so the session.test will persist in different app scopes depending where it lands, but after running it several times it looks to be persisting the session)
TryCF Gist - Lucee5

Pothys - MitrahSoft 5 December 2024 at 09:34

any update?

Pothys - MitrahSoft 6 June 2024 at 13:25

5.3.7.47 is an older version. Could you please verify with the latest version of Lucee and report back here?

Fixed


Created 26 March 2021 at 21:36
Updated 20 December 2024 at 14:38
Resolved 20 December 2024 at 14:38