I want to use J2EE session variables so I enabled them in the CF admin. I checked the jsessionid cookie value and noticed it had .cfusion at the end of the ID. Here is an example E3549E30AD31492B04FE7100331F28A0.cfusion
I really don't like having the CF Instance name added to the end of the session ID. Is this normal and how do I stop it from happening?
I'm using CF 10 with the latest updates and IIS 7.5.
It is 'normal': it is so, by design.
Ok. Am I the only one that doesn't like the thought of the instance name being used as part of the sessionid? I know it isn't that hard to fingerprint a server, but do we really need to advertise that it's CF and what instance the site is running under? Is there any way around this short of using CFID/CFToken?
Even if you find a way to avoid the .cfusion, I doubt whether it will be an optimal solution. I think Coldfusion is hard-wired to expect the jsessionID cookie and the variable session.sessionID to have .cfusion at the end.
It's your server name. If you create a new instance called 'bob', you will have bob at the end of your jsessionid.
I believe it is used for clustering, and it also makes it easy to ID which server worked a request.
Had I known that this was going on when I made the move to CF10 I would have created a new instance named something less obvious. I'm sure someone had a great reason for this but I don't see how exposing ANY information about the underlying server is acceptable. I don't see this as being a bug but I do think this goes against security related best practices. I'm now rethinking my decision of moving to J2EE session variables.
Edit: After looking a little more I found out that this is controlled in the server.xml file. You can change jvmRoute in <Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion"> to anything you want or you can just leave it blank.
I changed mine to this and it hasn't caused any issue at all.
<Engine name="Catalina" defaultHost="localhost" jvmRoute="">
I wouldn't do this if you are running multiple instances, clusters, load balancing..... I would just set it to a value that means something to you but not anyone else.
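An added audit helper (not code from this thread or from ColdFusion) that reads the Engine jvmRoute from a server.xml fragment and checks Set-Cookie values for the instance-name suffix described above; the XML fragment and cookie values are constructed samples.

```python
"""Audit: does the jvmRoute in server.xml leak the instance name via JSESSIONID?"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed server.xml fragment (hypothetical) showing the Engine element
# the thread points at, with the default jvmRoute="cfusion".
SERVER_XML_DEFAULT = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion">
      <Host name="localhost"/>
    </Engine>
  </Service>
</Server>"""

# Same fragment with jvmRoute cleared, as the post above did.
SERVER_XML_FIXED = SERVER_XML_DEFAULT.replace('jvmRoute="cfusion"', 'jvmRoute=""')

# Constructed Set-Cookie header values as a browser would receive them.
SAMPLE_COOKIES = [
    "JSESSIONID=E3549E30AD31492B04FE7100331F28A0.cfusion; Path=/; HttpOnly",
    "JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; Path=/; HttpOnly",
]

def jvm_route(server_xml: str) -> Optional[str]:
    """Return the Catalina Engine's jvmRoute, or None when it is unset or empty."""
    engine = ET.fromstring(server_xml).find(".//Engine")
    if engine is None:
        return None
    return engine.get("jvmRoute", "") or None

def session_route_suffix(set_cookie: str) -> Optional[str]:
    """Extract the '.route' suffix Tomcat appends to the hex JSESSIONID, if any."""
    m = re.match(r"JSESSIONID=([0-9A-Fa-f]+)(?:\.([^;\s]+))?", set_cookie)
    return m.group(2) if m else None

def audit(server_xml: str, cookies: List[str]) -> List[str]:
    """Return one finding per place the instance name is exposed."""
    findings = []
    route = jvm_route(server_xml)
    if route:
        findings.append(f"server.xml: jvmRoute={route!r} is appended to every session id")
    for c in cookies:
        suffix = session_route_suffix(c)
        if suffix:
            findings.append(f"cookie exposes route suffix {suffix!r}")
    return findings
```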
I don't see this as being a bug but I do think this goes against security related best practices.
The usual way to bring such a concern to the attention of the Coldfusion Team is to report it as a bug. A bug may not necessarily be a malfunction. It may just be a suggestion.