Change session cookie defaults to be secure in Lucee 6 (samesite=lax, httponly=true)

Description

I'm forever setting these defaults in my `Application.cfc`s

```
this.sessionCookie.httpOnly = true; // prevent access to session cookies from javascript
this.sessionCookie.sameSite = "lax";
```

Lucee should be secure by default

Activity

Pothys - MitrahSoft 2 June 2023 at 05:43

I checked this ticket with Lucee version 6.0.0.419-SNAPSHOT. The default for the session cookie has now been changed to "samesite=lax & httponly=true".

Zac Spitzer 26 May 2023 at 11:07

Fixed
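
One way to check that a deployed application actually emits these defaults, as an added example that is not part of the ticket or of Lucee's code: a small Python audit of `Set-Cookie` header values. The session cookie names (`cfid`, `cftoken`, `jsessionid`) and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie values for the attributes this ticket makes default.
# Assumption: session cookies are named cfid / cftoken (CFML sessions) or
# jsessionid (J2EE sessions); adjust SESSION_COOKIES for your application.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers):
    """Return {cookie_name: [problems]} for session cookies lacking the secure defaults."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue  # not a session cookie, out of scope for this check
        problems = []
        if "httponly" not in attrs:
            problems.append("HttpOnly missing: cookie is readable from JavaScript")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):  # strict is tighter than the lax default
            problems.append("SameSite is %r, expected lax or strict" % (samesite or "unset"))
        if problems:
            findings[name] = problems
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLE = [
    "cfid=4f1c0a2e; Path=/; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
    "cftoken=0; Path=/; HttpOnly; SameSite=None",
    "JSESSIONID=ABC123; Path=/; httponly; samesite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE).items():
        for problem in problems:
            print(cookie + ": " + problem)
```

Feed it the `Set-Cookie` values from a response of the application under test; an empty result means every session cookie carried both attributes.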

Details

Created 12 April 2021 at 15:21
Updated 25 February 2025 at 13:20
Resolved 2 June 2023 at 05:43