Add missing sessioncookie & authcookie attributes to cfapplication

Description

Currently the cfapplication tag is missing the attributes sessioncookie and authcookie, meaning the developer has no control over the cookies set by cfapplication. See the Adobe doc for details on the attributes:

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html

This would allow, for example, a developer to set the cookie to a domain, be httpOnly, secure, etc., e.g.:

Google Group discussion here:

https://groups.google.com/forum/#!msg/lucee/f-HofCD_UeI/e-AMyFX2AAAJ

This is also related to this change here:

https://github.com/getrailo/railo/pull/314

Which made CFID and CFTOKEN always be httpOnly cookies.

Also some background on setting a cookie as secure:

https://www.owasp.org/index.php/SecureFlag
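
An added example, not part of the original issue or Lucee's code: a Python check that the session cookies named above (CFID, CFTOKEN) carry the HttpOnly, Secure and Domain attributes the requested settings would control. The header lines are constructed samples, and treating JSESSIONID as the jee session cookie is an assumption.

```python
# Added example: audit Set-Cookie header values for CFML session cookies.
# CFID/CFTOKEN come from the issue text; JSESSIONID is an assumption for jee sessions.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), attrs

def audit_session_cookies(headers, expected_domain=None):
    """Return {cookie_name: [problems]} for session cookies only."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue  # non-session cookies are out of scope here
        problems = []
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if "secure" not in attrs:
            problems.append("missing Secure")
        if expected_domain is not None:
            domain = attrs.get("domain", "").lstrip(".").lower()
            if domain != expected_domain.lstrip(".").lower():
                problems.append("unexpected Domain")
        findings.setdefault(name, []).extend(problems)
    return findings

# Constructed sample: HttpOnly is forced on, but Secure and Domain are not set.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=0; Path=/; HttpOnly",
    "theme=dark; Path=/",
]
# Constructed sample: what the response should look like once the flags are configured.
HARDENED_HEADERS = [
    "CFID=1234; Domain=.example.com; Path=/; Secure; HttpOnly",
    "CFTOKEN=0; Domain=.example.com; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print(audit_session_cookies(SAMPLE_HEADERS, expected_domain="example.com"))
    print(audit_session_cookies(HARDENED_HEADERS, expected_domain="example.com"))
```

Pass each Set-Cookie header value separately; an empty problem list for every session cookie means the attributes are in place.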


Activity

AJM 12 June 2017 at 00:18

On Lucee 4.5 web admin, when setting Session Type, the options are 'cfml' and 'j2ee'
(as shown here http://docs.lucee.org/reference/tags/application.html).

On Lucee 5.2 web admin they are 'application' and 'jee'.

Are these changes deliberate?

Andrew Dixon 24 September 2016 at 11:40

At this stage I believe 4.5 is only receiving security patches and not new features; however, I'm sure if you look through the commit that Micha has put in the comment above you might be able to backport it to 4.5 and submit a pull request.

Sid Wing 10 August 2016 at 15:51

I have to echo Clemens' question...

Former user 10 August 2016 at 15:44

Wonderful. But is there any way to get the fix for version 4.5.x?

Fixed


Created 5 April 2016 at 19:34
Updated 16 May 2023 at 06:56
Resolved 10 August 2016 at 15:33