Issues

Databased sessions failing to update

remove support for loginStorage="cookie" and sessionStorage="cookie"

Implement Configurable CFID URL Parameter Usage Logging

Fix potential Race Condition in Session Scope Management

jee session cookies don't use session defaults

Session Data Not Available in Session (Type JEE) Scope

allow auto session rotate on unknown session cookie (disabled)

scopeContext.hasExistingCFSessionScope(pc) creates a session

CSRFVerifyToken, add an optional remove argument, default false

Session Management bugs

internalRequest never returns jsesssionId cookie

buffer set-cookie headers, to avoid duplicate set-cookie headers

sessionRotate() in onSessionStart() attaches onSessionEnd to old session, instead of the new one

add function sessionExists

reduce default session size

internalRequest always creates a session

regression: session and client expires indexes not being created with mssql server 2022

With database-stored sessions, the cf_sessions_data table is not cleaned automatically

reflect user-agent in cfid

add sessionCommit function

Database Session storage "lost" after some minutes

string lucee.runtime.exp.NativeException: lucee.runtime.type.dt.DateTimeImpl; local class incompatible:

applicationStop(). should close ORM sessions

sessionCookie settings missing from getApplicationMetadata

CFApplication update is destroying session variables when called occasionally.

default CFID expire time is only 20 days

improve exception when creating an index on cf_session_data fails

getApplicationSettings and getApplicationMetadata return application instead of cfml for sessionType

onSessionEnd() never triggered using SessionInvalidate()

onSessionEnd() never triggered using sessionRotate()

admin cookies should be scoped to the admin folder path

CFC instances in external cached session scope lose runtime mixins

Change session cookie defaults to be secure in Lucee 6 (samesite=lax, httponly=true)

cfid management

Large session value sizes when using external session cache

JSESSIONID cookie causes issue when session type = Application

Do not store empty session/client scope to storage

sessionRotate() doesn't copy CSRF tokens to new session

scope loading and storage is synchronized

Application.cfc shadow scope can consume lots of memory with in-memory sessions

onSessionEnd() is never triggered when using JEE sessions

cf_client_data and cf_session_data tables need an index on expires col

SessionInvalidate for JEE Sessions

Sessiontimeout ignored with J2EE sessions

Session/Client storage is limited to single access

Problems with External Session Storage

Lucee sessions are set with NO timeout when using an empty onSessionStart()

Nested struct keys are not persisted correctly with sessionStorage and sessionCluster = false

Session variables set after thread join are being lost - sessionCluster=true