CSRFverifyToken() does not work when this.sessionCluster = true

Description

We are trying to use the CSRFverifyToken() method to validate our token form variable and with SessionCluster turned on it always comes back as false.

Environment

Windows 10 64 bit install

Debugging Information
Lucee (Neo) Os FINAL 4.5.3.009 (CFML Version 10,0,0,0)
Template /wwwroot/index.cfm (C:\workspace\wwwroot\index.cfm)
Time Stamp Mar 17, 2016 6:22 AM
Time Zone America/Chicago
Locale English (us)
User Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Remote IP 127.0.0.1
Host Name promotion.dev.local
Architecture 64bit

Activity

Show:

Michael Offner

September 8, 2020, 3:18 AM

Copy link to comment

Michael Offner

September 8, 2020, 3:19 AM

Copy link to comment

please give this change a try

Michael Offner

September 8, 2020, 3:45 AM

Copy link to comment

Pothys - MitrahSoft

September 10, 2020, 2:28 AM

Copy link to comment

,
I've checked this fix. It works fine and returns true with all conditions ( forcenew = true or false and sessioncluster = true or false ) for sessionstorage as datasource or memory.
But its return false if sessionstorage as ( cookie or file or cache name ) with both forceNew
and sessionCluster is True. If, any false means, it returns true.

Pothys - MitrahSoft

December 22, 2020, 2:13 AM

Copy link to comment

, I've checked this ticket with lucee version 5.3.8.129-SNAPSHOT. It returns true for all conditions ( forcenew = true or false and sessioncluster = true or false). But it returns false for sessionstroage as (cookie,file) with sessioncluster=true.