How to configure ColdFusion5 to use J2EE session identifiers instead of CF_ID and CF_TOKEN?

New Here, Apr 15, 2014

How do I configure ColdFusion5 to use J2EE session identifiers instead of CF_ID and CF_TOKEN?  I have instructions on how to do this on ColdFusion9 from http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html. But when following these instructions in ColdFusion5 the J2EE Session Variable option is not available.  Is this option in another place? Or does this not exist in ColdFusion5?  Please help.

Advocate, Apr 15, 2014

J2EE has only been available since ColdFusion MX (6).

Advocate, Apr 15, 2014

J2EE is a Java session variable. ColdFusion 5 and below are not Java based so it is not available. We ported our application from CF5 to CF9 (now 10) without "too" much difficulty. The biggest issue we had was some custom CFX tags that we had to redesign/redevelop. If you don't use CFX tags, I would recommend giving CF10 or 11 a try -- if you care.

Community Expert, Apr 16, 2014

I hope the other posters have made it clear: the J2EE session identifier, that is, JSessionID, does not exist in ColdFusion 5. However, what do you need it for? You can actually solve the majority of session problems in ColdFusion 5 using CFID and CFToken.

New Here, Apr 16, 2014

@BKBK I need it to resolve a Nessus Finding.  Web Server Uses Non Random Session IDs, Nessus ID 31,657.

[Attached screenshot: Nessus 31657.png]

Community Expert, Apr 16, 2014

There may be nothing for you to worry about. Nessus probably based its conclusion on just the CFID identifier, which is sequential. However, ColdFusion's session ID is random, as you would have found out when you followed the link in your original post.

The other ColdFusion session identifier, CFToken, is random. Hence, the session ID, which is the combination of CFID and CFToken, is random. Sequential + random = random.

Advocate, Apr 16, 2014

I still recommend migrating/upgrading to CF10 and using JSessionID instead of CFID/CFToken. Technically BKBK is correct: while CFID is sequential, CFToken is random and they work together to link the session, BUT scanners don't understand this and you have to fight the "false positive" battle on every quarterly scan. Trust me, it gets old after a while. Oftentimes when making your argument to your ASV you'll get a CF-familiar person on the other end and the battle will be nothing more than saying: "hey, ColdFusion". But sometimes you'll get someone who does not have a clue what CF is and does not believe anything out of your mouth, which will result in a multi-day/week battle with him or her and/or supervisors. We used CF5 up until about 4 years ago, so I am very familiar with the battles and I'm so glad we migrated!

Enthusiast, Apr 16, 2014

I agree with Steve: you should plan on upgrading CF if you are trying to achieve PCI compliance. If I recall correctly, the cftoken in CF5 is just a random number, which will not provide enough entropy to constitute a session identifier, even when combined with the sequential cftoken. Also, because CF5 is not supported by Adobe, any security issues found in it or that may exist will not be patched.
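The two points made in the replies above (a sequential CFID adds no unpredictability, so the session identifier's entropy comes only from CFToken, and a plain random decimal number may still fall short of a sensible floor) can be checked mechanically. The script below is an added illustration written for this thread, not ColdFusion code or an Adobe tool. It constructs its own sample of cookie values (a sequential counter standing in for CFID and a zero-padded 8-digit random number standing in for CFTOKEN; the 8-digit width and the counter start are assumptions, not ColdFusion 5's actual format), detects which component is sequential, and adds up the effective entropy. The 64-bit floor is the OWASP Session Management Cheat Sheet recommendation.

```python
import math
import random

# Session-ID entropy check written for this thread (not ColdFusion's own code).
# The sample is CONSTRUCTED: CFID is modelled as a sequential counter and
# CFTOKEN as a zero-padded 8-digit random number. Neither the digit width nor
# the counter start is taken from ColdFusion 5; both are assumptions.

def make_sample(n=20, start=1000, digits=8, seed=1):
    """Return n (cfid, cftoken) pairs as decimal strings, as they appear in cookies."""
    rng = random.Random(seed)
    return [(str(start + i), f"{rng.randrange(10 ** digits):0{digits}d}")
            for i in range(n)]

def is_sequential(values, max_step=5):
    """True if every successive value rises by a small positive step,
    i.e. the next value is predictable from the ones already observed."""
    nums = [int(v) for v in values]
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    return bool(diffs) and all(0 < d <= max_step for d in diffs)

def decimal_bits(digits):
    """Entropy in bits of a uniformly random decimal number of this many digits."""
    return digits * math.log2(10)

def component_bits(values):
    """Effective entropy of one cookie component against an observer who has
    seen earlier values: 0 if it is sequential, otherwise the size of the
    decimal space implied by its widest observed value."""
    if is_sequential(values):
        return 0.0
    return decimal_bits(max(len(v) for v in values))

def session_id_entropy(sample, minimum_bits=64):
    """Combine CFID and CFTOKEN as the thread describes: sequential + random is
    unpredictable, but the bits come only from the random part. The default
    floor of 64 bits is the OWASP session-management recommendation."""
    cfids = [c for c, _ in sample]
    tokens = [t for _, t in sample]
    cfid_bits = component_bits(cfids)
    token_bits = component_bits(tokens)
    total = cfid_bits + token_bits
    return {
        "cfid_sequential": is_sequential(cfids),
        "cfid_bits": cfid_bits,
        "cftoken_bits": token_bits,
        "total_bits": total,
        "meets_minimum": total >= minimum_bits,
    }

def hex_token_bits(token):
    """Entropy of a hexadecimal identifier such as a J2EE JSESSIONID, on the
    assumption that every character is uniformly random."""
    return 4 * len(token)

if __name__ == "__main__":
    result = session_id_entropy(make_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
    # Constructed 32-hex-character value standing in for a J2EE session id.
    print("JSESSIONID-style 32 hex chars:", hex_token_bits("0" * 32), "bits")
```

For the constructed sample the CFID component is flagged as sequential and contributes nothing, the 8-digit CFTOKEN contributes about 26.6 bits, and the combined identifier stays well under the 64-bit floor, which is the substance of the last reply; a 32-hex-character J2EE identifier, by contrast, carries 128 bits. Run it against values captured from your own test environment by replacing `make_sample()` with the observed pairs to see which component a scanner is likely reacting to.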
