Project: Lucee Development
LDEV-809

Add missing sessioncookie & authcookie attributes to cfapplication

    Details

    • Type: Incompatibility
    • Status: Deployed
    • Priority: New
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.1.34
    • Labels: None

      Description

      Currently cfapplication is missing the attributes sessioncookie and authcookie, meaning the developer has no control over the cookies set by cfapplication; see the Adobe doc for details on the attributes:

      https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html

      This would allow, for example, a developer to set the cookie to a domain, make it httpOnly, secure, etc., e.g.:

      <!--- session cookie (CFID/CFTOKEN) settings: HttpOnly, Secure, 10-minute lifetime, scoped to .domain.com --->
      <cfset cookiest = {httponly='true', timeout=createTimeSpan(0, 0, 0, 10), secure='true', domain=".domain.com"}>
      <!--- auth cookie settings: 10-minute lifetime --->
      <cfset cookieast = {timeout=createTimeSpan(0, 0, 0, 10)}>
      <cfapplication name="sessionCookies_appcfm_allSetting" sessionmanagement="Yes" sessiontimeout="#createTimeSpan(0, 0, 3, 0)#" scriptprotect="all" sessioncookie="#cookiest#" authcookie="#cookieast#">

      Google Group discussion here:

      https://groups.google.com/forum/#!msg/lucee/f-HofCD_UeI/e-AMyFX2AAAJ

      This is also related to this change, which made CFID and CFTOKEN always be httpOnly cookies:

      https://github.com/getrailo/railo/pull/314

      Also some background on setting a cookie as secure:

      https://www.owasp.org/index.php/SecureFlag
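      Added example (not part of this ticket, the Lucee code base, or the reporter's post): once the sessioncookie settings above are in place, the thing to verify is what the server actually sends back. The small audit below parses Set-Cookie header values and reports CFID/CFTOKEN cookies that lack HttpOnly or, on an HTTPS site, Secure. The header lines are constructed sample data, not captured Lucee output; the "before" set mimics the post-PR-314 default (HttpOnly only), the "after" set mimics a deployment using the sessioncookie struct from the description.

```python
from typing import Dict, List, Optional

# Session identifier cookies set by Lucee/ColdFusion session management.
SESSION_COOKIES = ("CFID", "CFTOKEN")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and the attributes we care about.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(),
        "value": value.strip(),
        "secure": False,
        "httponly": False,
        "domain": None,
        "samesite": None,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.strip()
        elif key == "samesite":
            cookie["samesite"] = val.strip()
    return cookie


def audit_session_cookies(headers: List[str], https: bool = True) -> List[str]:
    """Return one finding per missing flag on a CFID/CFTOKEN cookie.

    HttpOnly is always expected (script-readable session cookies are stealable via XSS);
    Secure is expected only when the site is served over HTTPS, since a Secure cookie
    would never be sent back to a plain-HTTP site at all.
    """
    findings: List[str] = []
    for header in headers:
        c = parse_set_cookie(header)
        if str(c["name"]).upper() not in SESSION_COOKIES:
            continue
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly")
        if https and not c["secure"]:
            findings.append(f"{c['name']}: missing Secure")
    return findings


# Constructed sample headers (assumed shapes, not real server output).
DEFAULT_HEADERS = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=87654321; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
]
HARDENED_HEADERS = [
    "CFID=1234; Path=/; Domain=.domain.com; Secure; HttpOnly",
    "CFTOKEN=87654321; Path=/; Domain=.domain.com; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_session_cookies(hdrs) or "OK")
```

      In practice the header list comes from a real response (for example `curl -sI https://host/` piped in, or the `Set-Cookie` entries from a proxy log); run it against both the first request that creates the session and a later one to make sure the flags are not dropped when the cookie is refreshed.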


            People

            • Assignee: Michael Offner (michaeloffner)
            • Reporter: Andrew Dixon (andrew)
            • Votes: 8
            • Watchers: 7
