Anyone have a working example of the line of code ...
# cfml-generala
alholden
01/24/2025, 2:09 AMAnyone have a working example of the line of code one needs to add in order to set the CFTOKEN and CFID cookies with a SameSite attribute of 'Strict' or even 'Lax'?
Adobe's example is for the <cfapplication> tag, which we do not use.
Here are some versions we tried at the top of our Application.cfc function, under all the
this.Namethis.ApplicationTimeout<cfset this.authcookie = {samesite = 'Strict'} /><cfset authcookie = {samesite = 'Strict'} /><cfset this.authcookie.samesite = 'Strict' /><cfset authcookie.samesite = 'Strict' />e
Erin Brewer
01/24/2025, 2:14 AMi don't have one, but would try setting using a struct in your examples above
i.e.
Copy code
{samesite:'Strict'}a
alholden
01/24/2025, 2:28 AMGood catch, although I'm just working off their own doc here
e
Erin Brewer
01/24/2025, 2:36 AMgood point
Erin Brewer
01/24/2025, 2:37 AMare you using ACF or Lucee and what version?
a
alholden
01/24/2025, 3:32 AMACF 2021,0,15,330303
alholden
01/24/2025, 3:37 AMFWIW, I tried your suggestion like this, it didn't work either after restarting the service.
<cfset this.authcookie = {samesite:'Strict'} />e
Erin Brewer
01/24/2025, 3:37 AMinternet search says you can use GetCookie function to get the CFID and CFTOKEN cookies and then declare them again with samesite prop, ex:
Copy code
<cfscript>
// Set CFID cookie
cookie.CFID = GetCookie("CFID"); // Retrieve the existing value if set
SetCookie(
name="CFID",
value=cookie.CFID,
httponly=true,
secure=true,
samesite="Strict"
);
// Set CFTOKEN cookie
cookie.CFTOKEN = GetCookie("CFTOKEN"); // Retrieve the existing value if set
SetCookie(
name="CFTOKEN",
value=cookie.CFTOKEN,
httponly=true,
secure=true,
samesite="Strict"
);
</cfscript>Erin Brewer
01/24/2025, 3:38 AMdoing that in onRequestStart or similar
a
alholden
01/24/2025, 3:38 AMHmmm, so everyone else knows that Adobe's full of crap on this one?
I'm SHOCKED! š
e
Erin Brewer
01/24/2025, 3:39 AMlol, we do what we gotta do
a
alholden
01/24/2025, 3:40 AMYep. I'll just add this to my list of "reasons to Lucee" that I give to clients.
I appreciate you jumping in tho, thanks.
e
Erin Brewer
01/24/2025, 3:41 AMit takes a village, your welcome, hopefully that works.
(ya i was on ACF for the first 10 years, lucee for the last 10)
a
aliaspooryorik
01/24/2025, 8:45 AM
Isn't authcookie for
cfloginaliaspooryorik
01/24/2025, 8:49 AM
I think you want
this.sessioncookie.samesitecfidcftokenaliaspooryorik
01/24/2025, 8:52 AM
Or you can do it from the "Session Cookie Settings" page in the administrator if I recall correctly
aliaspooryorik
01/24/2025, 8:54 AM
Also if you find bad documentation (the struct vs strict issue you mentioned) then post in the #C0BSK7P2T room and Adobe will fix it
aliaspooryorik
01/24/2025, 9:00 AM
š 1
b
BK BK
01/26/2025, 5:38 PMI found the following 4 possibilities in the Adobe ColdFusion documentation:
(1) Samesite setting In the so-called pseudo-constructor area of Application.cfc:
<!--- CFAuthorization cookie: this.authcookie is a struct with possible keys currently 'disableUpdate', 'timeout', 'samesite' ---><cfset theAppAuthCookie=structNew()><cfset theAppAuthCookie.samesite="strict"> <!--- Options: Strict, Lax or None ---><cfset this.authCookie=theAppAuthCookie><!--- Session cookie: this.sessioncookie is a struct with possible keys currently 'disableUpdate', 'timeout', 'httponly', 'secure', 'domain', 'samesite' ---><cfset theAppSessionCookie=structNew()><cfset theAppSessionCookie.timeout=createTimeSpan(0, 1, 0, 0)><cfset theAppSessionCookie.samesite="strict"> <!--- Options: Strict, Lax or None ---><cfset this.sessionCookie=theAppSessionCookie><!--- Authorization cookie ---><cfset theAppAuthCookie = {samesite='strict'}> <!--- Options: Strict, Lax or None ---><!--- Session cookie ---><cfset theAppSessionCookie.httponly=true><cfset theAppSessionCookie.timeout=createTimeSpan(0, 1, 0, 0)><cfset theAppSessionCookie.samesite="strict"> <!--- Options: Strict, Lax or None ---><cfapplicationname="theApp"sessionManagement="yes"authCookie=theAppAuthCookiesessionCookie=theAppSessionCookie><cfcookie name="cookieName" samesite="strict"> <!--- Samesite options: Strict, Lax or None ---><Context><!-- Either the sameSiteCookies attribute is not set, or else it is set with value none, lax or strict --><CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict"/></Context>a
aliaspooryorik
01/27/2025, 8:30 AM
Are people still using Application.cfm? That was deprecated in (I think) ColdFusion 7 - that's 20 years ago!
b
BK BK
01/27/2025, 9:14 AM Copy code
@aliaspooryorik: Are people still using Application.cfm?a
aliaspooryorik
01/27/2025, 9:15 AM
Sadly, I'm probably not surprised - it's more a feeling of eye roll š š¤¦ !
e
Erin Brewer
01/27/2025, 4:03 PMi work on an active codebase that is that old - none of the other engineers ever saw any compelling reason to change it
a
aliaspooryorik
01/27/2025, 4:04 PM
any compelling reason to change it You answered your own question though - an active codebase š If it's an active project it should be maintained (which includes modernisation, regressions tests etc as well as new features), simple as that
aliaspooryorik
01/27/2025, 4:11 PM
I think most CFers work on a codebase that was originally created by a Stegosaurus, when I joined we had zero unit tests, we now have over 3,000. I've recently done a lot of work to switch it to ColdBox - this is so that we can tap in the ColdBox eco-system and also things like async processing etc which has helped with security, auditing, maintainability, stability and performance.
2 Views