hi, is it possible to dynamically change the root of lucee using application.cfc? I have thought of this solution, but not so if it is the best way ...

// application.cfc
component {

  if( cookie.keyExists("snapshot") && cookie.snapshot.len() ){
    this.root = getDirectoryFromPath( getCurrentTemplatePath() );
    this.mappings["/"] = this.root & "../" & cookie.snapshot;
  }
  
  // ...
  
}

Also, I don't know how to deal with static assets (css/js/images) because those mapped in the application.cfc are not called

You mean webroot?

Yes 🙂

static assets is easy, just reference them all with a prefix from a session var. you need to tie this more to sessions than application, if you are running off cookies

Yes, imagine a malicious user who sets a cookie value of

../../../windows/system32/

static assets is easy, just reference them all with a prefix from a session var.

I don't think I understand. Can you give me an example? for example a CSS link inserted like this:

<link href="/css/bootstrap/bootstrap.min.css" rel="stylesheet" type="text/css">

it will be managed by the web server (IIS/apache/nginx) and will always refer to the root directory of the webserver and NOT to the one I set in

this.mappings["/"] = this.root & "../" & cookie.snapshot;

the biggest problem i see here is you are taking user provided paths into your app

Mine is just a simplified example to explain the problem. I will do all the security checks to improve the procedure.