cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

Is it possible to reset jsessionid?

genadi_mak
Explorer ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

Hi,

We have new requirement from security department to reset jsessionid after a user resets his password.

I tried to reset it with this statement <cfcookie name="jsessionid" value="#VARIABLES.RandomID##cookie.jsessionid#" domain="#REQUEST.Site.Domain#" httponly="true" secure="yes">

But, this created a second jsessionid.

CF2016

Thank you,

Gena

Views

1.1K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 5 Replies 5
latest latest Jump to latest reply
Dave Watts Community Expert
Community Expert ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

This cookie is set by Tomcat, not by CF really. It's a session cookie, and you can't just create a new one from CF. It uses a system-generated UUID, and you can't just put whatever value you want in there. You should be able to expire the current one with CFCOOKIE, though, and Tomcat will automatically set a new one on the following response to the request without a session cookie.

Dave Watts, Fig Leaf Software

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
genadi_mak
Explorer ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

In Response To Dave Watts

Hi Dave,

I did this

<cfcookie secure="yes" name="JSESSIONID" value="" domain="#REQUEST.Site.Domain#" expires="now" httponly="true">

Then, refreshed and the cookie did not change.

Thanks

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

In Response To genadi_mak

I would try removing the VALUE attribute, and maybe all the other attributes except the EXPIRES attribute. If none of those combinations work, you might have to see how Tomcat controls this and look at changing the Tomcat configuration in its own configuration files (context.xml etc in /cfusion/runtime/conf).

Dave Watts, Fig Leaf Software

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

In Response To Dave Watts

Actually, even better:

https://osric.com/chris/accidental-developer/2014/07/coldfusion-session-fixation-and-jsessionid/

Dave Watts, Fig Leaf Software

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
BKBK Community Expert
Community Expert ,
Jun 16, 2018 Jun 16, 2018

Copy link to clipboard

Copied

LATEST

genadi_mak  wrote

We have new requirement from security department to reset jsessionid after a user resets his password.

Why get involved with the session apparatus every time users reset their password? Imagine having to tinker with the engine every time a driver gets in or out of a car! A neater solution is to decouple driver permission from the workings of the engine.

This analogy suggests one way to solve your problem.

1) Enable the use of JsessionId in the ColdFusion Administrator;

2) Use the cflogin framework - including cflogout - to log users in and out;

3) In Application.cfc, set the value of the loginStorage attribute to "session".

That's it. It is tight in security terms, and quite convenient, too. You don't have to worry about the sessionId.

When the user is logged in, then

  • session.cfauthorization_yourApplicationName exists
  • getAuthUser() returns the username (with which ColdFusion logged the user in, for example, by means of cfloginuser)
  • isUserLoggedIn() returns Yes

When the user is logged out, then

  • session.cfauthorization_yourApplicationName does not exist
  • getAuthUser() returns an empty string
  • isUserLoggedIn() returns No

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices