CSRFverifyToken() does not work when this.sessionCluster = true

Description

We are trying to use the CSRFverifyToken() method to validate our token form variable and with SessionCluster turned on it always comes back as false.

Environment

Windows 10 64 bit install

Debugging Information
Lucee (Neo) Os FINAL 4.5.3.009 (CFML Version 10,0,0,0)
Template /wwwroot/index.cfm (C:\workspace\wwwroot\index.cfm)
Time Stamp Mar 17, 2016 6:22 AM
Time Zone America/Chicago
Locale English (us)
User Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Remote IP 127.0.0.1
Host Name promotion.dev.local
Architecture 64bit

Activity

Show:
Michael Offner
September 8, 2020, 3:18 AM

Michael Offner
September 8, 2020, 3:19 AM

please give this change a try

Michael Offner
September 8, 2020, 3:45 AM

Pothys - MitrahSoft
September 10, 2020, 2:28 AM

,
I've checked this fix. It works fine and returns true with all conditions ( forcenew = true or false and sessioncluster = true or false ) for sessionstorage as datasource or memory.
But its return false if sessionstorage as ( cookie or file or cache name ) with both forceNew
and sessionCluster is True. If, any false means, it returns true.

Pothys - MitrahSoft
December 22, 2020, 2:13 AM

, I've checked this ticket with lucee version 5.3.8.129-SNAPSHOT. It returns true for all conditions ( forcenew = true or false and sessioncluster = true or false). But it returns false for sessionstroage as (cookie,file) with sessioncluster=true.

Fixed

Assignee

Pothys - MitrahSoft

Reporter

Ken John

Priority

Major

Labels

Fix versions

Sprint

5.3.8 Sprint 3

Affects versions