How do I configure ColdFusion5 to use J2EE session identifiers of CF_ID and CF_TOKEN? I have instructions on how to do this on ColdFusion9 from http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html. But when following these instructions in ColdFusion5 the J2EE Session Variable option is not available. Is this option in another place? Or does this not exist in ColdFusion5? Please help.
J2EE has only been available since Coldfusion MX (6).
J2EE is a Java session variable. ColdFusion 5 and below are not Java based so it is not available. We ported our application from CF5 to CF9 (now 10) without "too" much difficulty. The biggest issue we had was some custom CFX tags that we had to redesign/redevelop. If you don't use CFX tags, I would recommend giving CF10 or 11 a try -- if you care.
I hope the other posters have made it clear: the J2EE session identifier, that is, JSessionID, does not exist in ColdFusion 5. However, what do you need it for? You can actually solve the majority of session problems in ColdFusion 5 using CFID and CFToken.
@BKBK I need it to resolve a Nessus Finding. Web Server Uses Non Random Session IDs, Nessus ID 31,657.
There may be nothing for you to worry about. Nessus probably based its conclusion on just the CFID identifier, which is sequential. However, Coldfusion's session ID is random, as you would have found out when you followed the link in your original post.
The other Coldfusion session identifier, CFToken, is random. Hence, the session ID, which is the combination of CFID and CFToken, is random. Sequential + random = random.
I still recommend migrating/upgrading to CF10 and using JSessionID instead of CFID/CFToken. Technically BKBK is correct: while CFID is sequential, CFToken is random and they work together to link the session, BUT scanners don't understand this and you have to fight the "false positive" battle on every quarterly scan. Trust me, it gets old after a while. Oftentimes when making your argument to your ASV you'll get a CF-familiar person on the other end and the battle will be nothing more than saying: "hey, ColdFusion". But sometimes you'll get someone who does not have a clue what CF is and does not believe anything out of your mouth, which will result in a multi-day/week battle with him or her and/or supervisors. We used CF5 up until about 4 years ago so I am very familiar with the battles and I'm so glad we migrated!
I agree with Steve, you should plan on upgrading CF if you are trying to achieve PCI compliance. If I recall correctly, the cftoken in CF5 is just a random number, that will not provide enough entropy to constitute a session identifier, even when combined with the sequential cftoken. Also, because CF5 is not supported by Adobe, any security issues found in it or that may exist will not be patched.
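An added example (not from any poster in this thread) of the check the thread turns on: parse CFID/CFTOKEN pairs from Set-Cookie headers, confirm CFID is sequential, and bound the combined identifier's unpredictability by CFTOKEN's value space, since the sequential part contributes nothing an attacker cannot guess. The sample headers, the 8-digit numeric token width and the 64-bit OWASP threshold are assumptions.

```python
import math
import re

# Constructed sample Set-Cookie headers, in issue order, as a CFID/CFTOKEN-based
# server might send them to three new visitors. Values are made up; the 8-digit
# numeric CFTOKEN width is an assumption used for illustration.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=1001;path=/",
    "Set-Cookie: CFTOKEN=48213977;path=/",
    "Set-Cookie: CFID=1002;path=/",
    "Set-Cookie: CFTOKEN=90117344;path=/",
    "Set-Cookie: CFID=1003;path=/",
    "Set-Cookie: CFTOKEN=16559208;path=/",
]
COOKIE_RE = re.compile(r"Set-Cookie:\s*(CFID|CFTOKEN)=([^;]+)", re.I)
MIN_BITS = 64  # session-ID entropy floor OWASP recommends (assumed threshold)

def parse_sessions(headers):
    """Return [(CFID, CFTOKEN), ...] in the order the pairs were issued."""
    ids, tokens = [], []
    for line in headers:
        m = COOKIE_RE.search(line)
        if m:
            (ids if m.group(1).upper() == "CFID" else tokens).append(m.group(2).strip())
    return list(zip(ids, tokens))

def cfid_is_sequential(sessions):
    """True when each CFID is exactly one more than the previous one."""
    ids = [int(cfid) for cfid, _ in sessions]
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))

def token_entropy_bits(sessions):
    """Upper bound on CFTOKEN unpredictability: log2 of its value space.
    Even a perfectly random n-digit number carries only n*log2(10) bits."""
    tokens = [tok for _, tok in sessions]
    alphabet = 10 if all(t.isdigit() for t in tokens) else 36  # 36: alphanumeric (assumed)
    return max(len(t) for t in tokens) * math.log2(alphabet)

def assess(headers):
    """A sequential CFID adds nothing an attacker cannot guess, so the combined
    CFID+CFTOKEN identifier is only as unpredictable as CFTOKEN alone."""
    sessions = parse_sessions(headers)
    bits = token_entropy_bits(sessions)
    return {
        "cfid_sequential": cfid_is_sequential(sessions),
        "effective_bits": round(bits, 1),
        "meets_minimum": bits >= MIN_BITS,
    }
```

On the sample, `assess(SAMPLE_HEADERS)` reports a sequential CFID and about 26.6 effective bits, well under the 64-bit floor, which is the substance of the scanner finding regardless of the "sequential + random" argument.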