LDEV-809

Add missing sessioncookie & authcookie attributes to cfapplication

    Details

    • Type: Incompatibility
    • Status: Deployed
    • Priority: New
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.1.34
    • Labels: None

      Description

      Currently the cfapplication tag is missing the sessioncookie and authcookie attributes, meaning the developer has no control over the cookies set by cfapplication; see the Adobe docs for details on the attributes:

      https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html

      This would allow a developer, for example, to scope the cookie to a domain and mark it httpOnly and secure, e.g.:

      <cfset cookiest = {httponly='true', timeout=createTimeSpan(0, 0, 0, 10), secure='true', domain=".domain.com"}>
      <cfset cookieast = {timeout=createTimeSpan(0, 0, 0, 10)}>
      <cfapplication name="sessionCookies_appcfm_allSetting" sessionmanagement="Yes" sessiontimeout="#createTimeSpan(0,0,3,0)#" scriptprotect="all" sessioncookie=#cookiest# authcookie=#cookieast#>
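      The same settings in the Application.cfc form that most applications use instead of the cfapplication tag, as an added example that is not part of this issue or of Lucee's own code. The application name, domain and timeouts are assumed values, and the this.sessionCookie / this.authCookie keys follow the attribute names in the Adobe doc linked above. Without the sessionCookie block, CFID/CFTOKEN would be issued with whatever the engine's defaults are; with it, the cookies are only sent over HTTPS and are not readable by client-side script.

```cfml
// Application.cfc (added example; names, domain and timeouts are assumed)
component {
    this.name              = "sessionCookiesExample";      // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);  // days, hours, minutes, seconds
    this.scriptProtect     = "all";

    // Settings for the session cookies (CFID/CFTOKEN), the Application.cfc
    // equivalent of the cfapplication sessioncookie attribute.
    this.sessionCookie = {
        httpOnly = true,                        // not exposed to document.cookie / JavaScript
        secure   = true,                        // only transmitted over HTTPS
        domain   = ".example.com",              // assumed; omit to scope the cookie to the request host
        timeout  = createTimeSpan(0, 0, 30, 0)  // cookie lifetime; match it to sessionTimeout
    };

    // Settings for the cflogin authorization cookie, the equivalent of
    // the cfapplication authcookie attribute.
    this.authCookie = {
        timeout = createTimeSpan(0, 0, 30, 0)
    };

    public boolean function onRequestStart(required string targetPage) {
        return true;
    }
}
```

      To verify the effect, request a page of the application over HTTPS and inspect the Set-Cookie response headers for CFID and CFTOKEN: each should carry the HttpOnly and Secure flags, the configured Domain, and an Expires/Max-Age matching the timeout.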

      Google Group discussion here:

      https://groups.google.com/forum/#!msg/lucee/f-HofCD_UeI/e-AMyFX2AAAJ

      This is also related to this change here:

      https://github.com/getrailo/railo/pull/314

      That change made CFID and CFTOKEN always httpOnly cookies.

      Also some background on setting a cookie as secure:

      https://www.owasp.org/index.php/SecureFlag

            People

            • Assignee: Michael Offner (michaeloffner)
            • Reporter: Andrew Dixon (andrew)
            • Votes: 8
            • Watchers: 7