Known Participant
October 1, 2014
Question

Why does my jsessionid cookie have .cfusion added to the end of the session ID?


I want to use J2EE session variables so I enabled them in the CF admin. I checked the jsessionid cookie value and noticed it had .cfusion at the end of the ID. Here is an example E3549E30AD31492B04FE7100331F28A0.cfusion

I really don't like having the CF Instance name added to the end of the session ID. Is this normal and how do I stop it from happening?

I'm using CF 10 with the latest updates and IIS 7.5.


2 replies

Inspiring
October 6, 2014

It's your server name. If you create a new instance called 'bob', you will have bob at the end of your jsessionid.

I believe it is used for clustering, and it also makes it easy to ID what server worked a request.

Mike

PhilBro (Author)
Known Participant
October 6, 2014

Had I known that this was going on when I made the move to CF10 I would have created a new instance named something less obvious. I'm sure someone had a great reason for this but I don't see how exposing ANY information about the underlying server is acceptable. I don't see this as being a bug but I do think this goes against security related best practices. I'm now rethinking my decision of moving to J2EE session variables.

Edit: After looking a little more I found out that this is controlled in the server.xml file. You can change jvmRoute in <Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion"> to anything you want or you can just leave it blank.

I changed mine to this and it hasn't caused any issue at all.

<Engine name="Catalina" defaultHost="localhost" jvmRoute="">

I wouldn't do this if you are running multiple instances, clusters, load balancing..... I would just set it to a value that means something to you but not anyone else.
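As an added example, not code from the thread or from Adobe, the following Python check reads the jvmRoute out of a server.xml fragment and inspects a Set-Cookie header to see whether the JSESSIONID still ends in a route suffix. The server.xml snippets and cookie headers are constructed here (modelled on the Engine line quoted above), and the function names are mine, not ColdFusion's or Tomcat's.

```python
"""Check whether a Tomcat/ColdFusion JSESSIONID leaks the jvmRoute (instance name).

Added example, not from the forum thread or from Adobe. The server.xml
fragments and Set-Cookie headers below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Constructed fragments modelled on the <Engine> line quoted in the thread:
# the first is the CF10 default, the second the blanked route.
SERVER_XML_DEFAULT = (
    '<Server><Service name="Catalina">'
    '<Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion"/>'
    '</Service></Server>'
)
SERVER_XML_BLANK = (
    '<Server><Service name="Catalina">'
    '<Engine name="Catalina" defaultHost="localhost" jvmRoute=""/>'
    '</Service></Server>'
)

# Tomcat session ids are hex strings; when jvmRoute is non-empty Tomcat
# appends "." followed by the route, which is what exposes the instance name.
SESSION_RE = re.compile(r"^(?P<id>[0-9A-Fa-f]+)(?:\.(?P<route>[A-Za-z0-9_-]+))?$")


def jvm_route(server_xml: str) -> str:
    """Return the jvmRoute attribute of the Catalina <Engine> ("" when absent or blank)."""
    engine = ET.fromstring(server_xml).find(".//Engine")
    if engine is None:
        raise ValueError("no <Engine> element found in server.xml")
    return engine.get("jvmRoute", "")


def inspect_session_cookie(set_cookie: str) -> dict:
    """Split a Set-Cookie header's JSESSIONID into id and route and list weaknesses.

    Returns the bare session id, the route suffix (None when absent) and a
    list of findings: an exposed route, and missing HttpOnly/Secure flags.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    # Cookie names are matched case-insensitively: the thread writes "jsessionid".
    morsel = next((m for k, m in jar.items() if k.lower() == "jsessionid"), None)
    if morsel is None:
        raise ValueError("no JSESSIONID cookie in header")
    match = SESSION_RE.match(morsel.value)
    if match is None:
        raise ValueError(f"unexpected session id format: {morsel.value!r}")
    route = match.group("route")
    findings = []
    if route:
        findings.append(f"session id exposes jvmRoute/instance name {route!r}")
    if not morsel["httponly"]:
        findings.append("cookie is missing HttpOnly")
    if not morsel["secure"]:
        findings.append("cookie is missing Secure")
    return {"session_id": match.group("id"), "route": route, "findings": findings}


if __name__ == "__main__":
    # Constructed headers: the first mirrors the value quoted in the question.
    for header in (
        "JSESSIONID=E3549E30AD31492B04FE7100331F28A0.cfusion; Path=/; HttpOnly",
        "JSESSIONID=E3549E30AD31492B04FE7100331F28A0; Path=/; Secure; HttpOnly",
    ):
        print(header)
        print("  ", inspect_session_cookie(header))
    print("default jvmRoute:", repr(jvm_route(SERVER_XML_DEFAULT)))
    print("blanked jvmRoute:", repr(jvm_route(SERVER_XML_BLANK)))
```

Run it against the Set-Cookie headers your server actually returns (for example copied from a browser's network panel) after restarting the instance; a clean result has no route suffix and both flags present. The caveat in the post above stands: front ends such as mod_jk or mod_proxy_balancer use that suffix for sticky sessions, so on a load-balanced deployment keep a route and make it a value that does not name the product or the instance.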

BKBK
Community Expert
October 6, 2014

PhilBro wrote:

I don't see this as being a bug but I do think this goes against security related best practices.

The usual way to bring such a concern to the attention of the Coldfusion Team is to report it as a bug. A bug may not necessarily be a malfunction. It may just be a suggestion.

BKBK
Community Expert
October 2, 2014

It is 'normal': it is so, by design.

PhilBro (Author)
Known Participant
October 2, 2014

Ok. Am I the only one that doesn't like the thought of the instance name being used as part of the sessionid? I know it isn't that hard to fingerprint a server, but do we really need to advertise that it's CF and what instance the site is running under? Is there any way around this short of using CFID/CFToken?

BKBK
Community Expert
October 2, 2014

Even if you find a way to avoid the .cfusion, I doubt whether it will be an optimal solution. I think Coldfusion is hard-wired to expect the jsessionID cookie and the variable session.sessionID to have .cfusion at the end.