WolfShade
Legend
October 4, 2017
Question

JSESSIONID changing on every click, refresh, form submit, etc.


Hello, all,

My boss is working on an addition to our site that has a form to submit that a user can use to submit a complaint. He is using a custom-made CAPTCHA that is randomly generating a three-digit number and setting that to a session variable. The form handler page then compares what the user entered to the session variable. But the JSESSIONID is changing on every click, etc., so when the handler gets the form, it's a new session and the values do not match.

What can we do to make this work?

V/r,

^ _ ^

BKBK
Community Expert
October 4, 2017

WolfShade wrote:

But the JSESSIONID is changing on every click,

Do you mean, on every click on the submit button?

WolfShade (Author)
Legend
October 4, 2017

I mean EVERYTHING. With F12 on Firefox, showing the cookies, every link click, form submit, page refresh/reload, even if you manually change the URL to another page. JSESSIONID rotates. Apparently as a security measure against session hijacking.

But how do I keep session variables persistent if the JSESSIONID is forever changing?

V/r,

^ _ ^

WolfShade (Author)
Legend
October 6, 2017

I would perform the following checks:

1) Ensure that the following settings are checked (in the ColdFusion Administrator):

Use J2EE session variables

Enable Application Variables    

Enable Session Variables

2) Search your code to rule out the presence of the following lines of code:
structClear(session)
getPageContext().getSession().invalidate()


1) Ensure that the following settings are checked (in the ColdFusion Administrator):

Use J2EE session variables: CHECK

Enable Application Variables: CHECK

Enable Session Variables: CHECK

2) Search your code to rule out the presence of the following lines of code:
structClear(session): NOT PRESENT
getPageContext().getSession().invalidate(): NOT PRESENT

V/r,

^ _ ^
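
Added example, not part of the thread: one way to read the cookie traffic shown in the F12 tools and tell whether the browser stopped sending JSESSIONID back or the server replaced it even though it was sent. The header samples are constructed and the function names (`jsessionid`, `classify`) are hypothetical; classifying both cases goes slightly beyond what the thread itself checks.

```python
from http.cookies import SimpleCookie


def jsessionid(header_value):
    """Return the JSESSIONID value from a Cookie or Set-Cookie header, or None."""
    if not header_value:
        return None
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar.get("JSESSIONID")
    return morsel.value if morsel else None


def classify(exchanges):
    """exchanges: list of (Cookie header sent, Set-Cookie header received).
    Returns one verdict per request/response pair."""
    verdicts = []
    last_issued = None  # ID most recently handed out by the server
    for sent_hdr, set_hdr in exchanges:
        sent, issued = jsessionid(sent_hdr), jsessionid(set_hdr)
        if last_issued is None:
            verdict = "first-visit" if issued else "no-session"
        elif sent != last_issued:
            # Browser did not present the ID it was given: inspect the
            # cookie's Path, Domain and Secure attributes and browser settings.
            verdict = "cookie-not-returned"
        elif issued and issued != sent:
            # Browser sent the right ID; the server replaced the session anyway,
            # so session variables set on the previous page are gone.
            verdict = "server-reissued"
        else:
            verdict = "stable"
        verdicts.append(verdict)
        last_issued = issued or last_issued
    return verdicts


# Constructed samples, not captured from the site discussed in the thread.
SERVER_ROTATES = [
    (None, "JSESSIONID=AAA111; Path=/; HttpOnly"),
    ("JSESSIONID=AAA111", "JSESSIONID=BBB222; Path=/; HttpOnly"),
    ("JSESSIONID=BBB222", "JSESSIONID=CCC333; Path=/; HttpOnly"),
]
BROWSER_DROPS = [
    (None, "JSESSIONID=AAA111; Path=/app; Secure; HttpOnly"),
    (None, "JSESSIONID=BBB222; Path=/app; Secure; HttpOnly"),
    ("JSESSIONID=BBB222; theme=dark", None),
]

if __name__ == "__main__":
    print(classify(SERVER_ROTATES))
    print(classify(BROWSER_DROPS))
```

A run of `server-reissued` verdicts points at server-side code or configuration, such as the settings and calls checked above; `cookie-not-returned` points at the cookie never reaching the server.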