Using JsessionID without CFID and CFTOKEN in a Posted Form

Question

I'm stumped on this one, and I'm sure there's a simple explanation. Some of our code must be able to handle the possibility that we will have users with cookies disabled. Using jsessionid, manually setting cookies, everything works fine, but then I found, when passing jsessionid in urls, I'm unable to get CF to recognize jsessionid when it's included in the URL of an action attribute of a form with method="post". It seems to work fine tagging jsessionid on to URLs in cflocations, anchor tags, or including it as a hidden form field in a form with method="get". We're using CF 9.01 with J2EE session management enabled, IIS 7, and accessing an SSL encrypted domain. Disabled cookies in the browser.Using the example code below (for a file named test.cfm), the second and third options work as expected, but when using the "This is a post submit" button, the sesson breaks, despite the fact that the query string and the URL in the address bar are the same for all three. The only notable differences in CGI variables are the aformentioned request_method of "post" instead of "get" and a Content_Type of "application/x-www-form-urlencoded" instead of an empty string. And in other news, using the full session.urltoken with all three variables doesn't seem to help. I should note I haven't ever run into this problem using CFID and CFTOKEN in CFMX or in CF 9.01 without J2EE session management enabled.If anyone has any insight or can reproduce this result using the code below (saved to a file named test.cfm), please let me know. I'd be shocked if there wasn't a fairly pedestrian reason for it, and an easy fix. I've just been staring at this for too long. Now submitting: #sessionthinger#

This is an anchor link

DGH · Answer

Update:I've added a few scenarios to the test code below. More observations:When J2EE sessions are enabled and I'm testing with a browser that has cookies enabled, all scenarios work, so on the surface, the setclientcookies directive is being ignored where jsessionid is concerned. I'm testing this code in an isolated folder with a blank application.cfc file.When J2EE sessions are disabled and I'm testing with a browser that has cookies disabled, using session.urltoken instead of a jsessionid var in the URL works in all cases. The problem doesn't affect CF's traditional session managment.J2EE session management when cookies are disabled in the browser is working in all cases except where the jsessionid variable appears in the action attribute of a form with method="post". It's like CF or Java, whichever, isn't looking for the jsessionid in the URL for that particular request method. I should note, it isn't looking for a form variable, either- tried that. In fact, using a hidden form variable is the only way to make it work with a method="get" form request - you can't put it in the URL in that instance.Updated test.cfm code:Now testing:
#sessionthinger#
#session.urltoken#

This is an anchor link with full session.urltoken passed in the href query string

This is an anchor link with jsessionid passed in the href query string

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded