Why does my jsessionid cookie have .cfusion added to the end of the session ID?

Ok. Am I the only one that doesn't like the thought of the instance name being used as part of the sessionid? I know it isn't that hard to finger print a server but do we really need to advertise that its CF and what instance the site is running under? Is there any way around this short of using CFID/CFToken?

Even if you find a way to avoid the .cfusion, I doubt whether it will be an optimal solution. I think Coldfusion is hard-wired to expect the jsessionID cookie and the variable session.sessionID to have .cfusion at the end.

You could in fact report it as a bug!

Had I known that this was going on when I made the move to CF10 I would have created a new instance named something less obvious. I'm sure someone had a great reason for this but I don't see how exposing ANY information about the underlying server is acceptable. I don't see this as being a bug but I do think this goes against security related best practices. I'm now rethinking my decision of moving to J2EE session variables.

Edit: After looking a little more I found out that this is controlled in the server.xml file. You can change jvmRoute in <Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion"> to anything you want or you can just leave it blank.

I changed mine to this and it hasn't caused any issue at all.

<Engine name="Catalina" defaultHost="localhost" jvmRoute="">

I wouldn't do this if you are running multiple instances, clusters, load balancing..... I would just set it to a value that means something to you but not anyone else.

PhilBro wrote: I don't see this as being a bug but I do think this goes against security related best practices.

The usual way to bring such a concern to the attention of the Coldfusion Team is to report it as a bug. A bug may not necessarily be a malfunction. It may just be a suggestion.