This is a question for you to answer. ColdBox supports the mode of being in debug mode or not. It does so, by placing a cookie on your browser so you can see the debugging panel only with that cookie set. The question is, how long should that cookie live? What should the expiration time be? Any suggestions?
Blog
Recent Entries
Introducing bx-jwt: Enterprise-Grade JSON Web Tokens for BoxLang 🔐
JWT authentication is everywhere. But rolling it correctly — with proper algorithm enforcement, key management, clock skew handling, JWE encryption, and zero security footguns — is anything but trivial. Today, we're shipping bx-jwt, a production-ready JWT/JWE module for BoxLang that handles all of it out of the box, so you can focus on building, not fighting cryptography.
Luis Majano
Luis Majano
May
22,
2026
What “Modernize or Die” Really Means in 2026
“Modernize or Die” is not about forcing teams into MVC, chasing trends, or rewriting every CFML application from scratch. It means making sure your applications, teams, and processes can survive the future: easier to maintain, test, secure, deploy, document, hire for, and evolve. In 2026, modernization is less about adopting the newest pattern and more about reducing business risk, protecting the value already built into your systems, and ensuring CFML applications remain credible, sustai...
Cristobal Escobar
Cristobal Escobar
May
22,
2026
Free Webinar: Making AI useful for CFML/Java developers in Real Applications with BoxLang!
AI is everywhere right now, but for many development teams, the biggest question is no longer “What is AI?” it’s “How do we actually use it in real applications in a secure, practical, and maintainable way?”
Maria Jose Herrera
Maria Jose Herrera
May
20,
2026
Add Your Comment
(4)
Feb 23, 2007 03:50:04 UTC
by Sana
Hi Luis,
I think 30 minutes, as sessions default expiry is 30 minutes, so this cookie should be 30 minutes expiry time.
Feb 23, 2007 07:29:14 UTC
by Dan Wilson
Luis,
Perhaps it could be left up to the user to clear the cookie when they have finished the debugging?
A link or a special URL perhaps to clear the cookie?
Dan
Feb 23, 2007 10:00:43 UTC
by reuben
I agree with Sana that the time out for a cookie should be defaulted to the session timeout. If you are working constantly on the site, the debug will last beyond 30 minutes. The big issue is that if you stop work and come back to the site, you don't always want debug still enabled. I think having it auto expire is a good thing.
Feb 23, 2007 10:24:47 UTC
by Luis Majano
Dan,
You can clear the cookie by just setting debugmode=false once you are done. But we all know that sometimes we are lazy and basically forget, like 90 year old brians!!
So an automatic timeout, would allow security and also peace of mind.
I think 30 minutes is reasonable. Any more suggestions.