Skip to main content
M
MrBentley083084
Participant
April 15, 2014
Question

How to configure ColdFusion5 to use J2EE session identifiers instead of CF_ID and CF_TOKEN?

  • April 15, 2014
  • 3 replies
  • 1161 views

How do I configure ColdFusion5 to use J2EE session identifiers of CF_ID and CF_TOKEN?  I have instructions on how to do this on ColdFusion9 from http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html. But when following these instuctions in ColdFusion5 the J2EE Session Variable option is not available.  Is this option in another place? or does this not exsist in ColdFusion5?  Please Help.

This topic has been closed for replies.

3 replies

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
April 16, 2014

I hope the other posters have made it clear: the J2EE session identifier, that is, JSessionID, does not exist in ColdFusion 5. However, what do you need it for? You can actually solve the majority of session problems in ColdFusion 5 using CFID and CFToken.

M
MrBentley083084Author
Participant
April 16, 2014

@BKBK I need it to resolve a Nessus Finding.  Web Server Uses Non Random Session IDs, Nessus ID 31,657.



BKBK
Community Expert
BKBKCommunity Expert
Community Expert
April 16, 2014

There may be nothing for you to worry about. Nessus probably based its conclusion on just the CFID identifier, which is sequential. However, Coldfusion's session ID is random, as you would have found out when you followed the link in your original post.

The other Coldfusion session identifier, CFToken, is random. Hence, the session ID, which is the combination of CFID and CFToken, is random. Sequential + random = random.

S
Steve Sommers
Legend
April 15, 2014

J2EE is a Java session variable. ColdFusion 5 and below are not Java based so it is not available. We ported our application from CF5 to CF9 (now 10) without "too" much difficulty. The biggest issue we had was some custom CFX tags that we had to redesign/redevelop. If you don't use CFX tags, I would recommend giving CF10 or 11 a try -- if you care.

H
haxtbh
Inspiring
April 15, 2014

J2EE has only been available since Coldfusion MX (6).

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices