Change session cookie defaults to be secure in Lucee 6 (samesite=lax, httponly=true)

Description

I'm forever setting these defaults in my `Application.cfc`s

this.sessionCookie.httpOnly = true; // prevent access to session cookies from javascript
this.sessionCookie.sameSite = "lax";

Lucee should be secure by default

Linked work items

relates to

LDEV-4061

can't test j2ee sessions with internalRequest

LDEV-2900

adding to cookie scope doesn't inherit application cfcookie tag defaults

LDEV-5335

jee session cookies don't use session defaults

Activity

Zac Spitzer 25 February 2025 at 13:20

https://github.com/lucee/Lucee/commit/932888b8224b4fd5e28759d4f295c444104f18ab

this doesn’t work for jee session cookies https://luceeserver.atlassian.net/browse/LDEV-5335

Pothys - MitrahSoft 2 June 2023 at 05:43

I checked this ticket with lucee version 6.0.0.419-SNAPSHOT. Now default of session cookie is changed to "samesite=lax & httponly=true"

Resize issue view side panel

Fixed

Details

Assignee

Pothys - MitrahSoft

Reporter

Zac Spitzer

Labels

Lucee6breaking-changecookiessecuritysessionmanagement

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Sprint

None

Fix versions

6.0.0.413

Priority

New

Parent

LDEV-4534 All Breaking Changes in Lucee 6.0 (implemented / scheduled )

Created 12 April 2021 at 15:21

Updated 25 February 2025 at 13:20

Resolved 2 June 2023 at 05:43