Why does my jsessionid cookie have .cfusion added to the end of the session ID?

New Here,
Oct 01, 2014

I want to use J2EE session variables, so I enabled them in the CF admin. I checked the jsessionid cookie value and noticed it had .cfusion at the end of the ID. Here is an example: E3549E30AD31492B04FE7100331F28A0.cfusion

I really don't like having the CF Instance name added to the end of the session ID. Is this normal and how do I stop it from happening?

I'm using CF 10 with the latest updates and IIS 7.5.

Adobe Community Professional,
Oct 02, 2014

It is 'normal': it is so, by design.

New Here,
Oct 02, 2014

OK. Am I the only one that doesn't like the thought of the instance name being used as part of the sessionid? I know it isn't that hard to fingerprint a server, but do we really need to advertise that it's CF and what instance the site is running under? Is there any way around this short of using CFID/CFToken?

Adobe Community Professional,
Oct 02, 2014

Even if you find a way to avoid the .cfusion, I doubt whether it will be an optimal solution. I think Coldfusion is hard-wired to expect the jsessionID cookie and the variable session.sessionID to have .cfusion at the end.

Adobe Community Professional,
Oct 03, 2014

You could in fact report it as a bug!

Explorer,
Oct 06, 2014

It's your server name. If you create a new instance called 'bob', you will have bob at the end of your jsessionid.

I believe it is used for clustering, and it also makes it easy to ID what server worked a request.

Mike

New Here,
Oct 06, 2014

Had I known that this was going on when I made the move to CF10, I would have created a new instance named something less obvious. I'm sure someone had a great reason for this, but I don't see how exposing ANY information about the underlying server is acceptable. I don't see this as being a bug, but I do think this goes against security-related best practices. I'm now rethinking my decision of moving to J2EE session variables.

Edit: After looking a little more, I found out that this is controlled in the server.xml file. You can change jvmRoute in <Engine name="Catalina" defaultHost="localhost" jvmRoute="cfusion"> to anything you want, or you can just leave it blank.

I changed mine to this and it hasn't caused any issue at all.

<Engine name="Catalina" defaultHost="localhost" jvmRoute="">

I wouldn't do this if you are running multiple instances, clusters, load balancing, etc. I would just set it to a value that means something to you but not to anyone else.

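The two points raised above, that the suffix advertises the CF instance behind a response and that blanking or renaming jvmRoute in server.xml removes or changes it, can be checked from the outside by looking at the Set-Cookie header. The following is an added example written for this thread, not code from the posts, from Adobe or from Apache Tomcat. It assumes the Tomcat layout the thread describes, a hex session ID followed by "." and the jvmRoute value, and the Set-Cookie headers it inspects are constructed for the example (the first reuses the ID posted in the question; the "bob" instance and the cookie attributes are made up):

```python
"""Check whether a JSESSIONID cookie leaks the Tomcat jvmRoute (CF instance name).

Added example for this thread; not code from the original posts, Adobe or Apache.
Tomcat builds its session ID as <hex id>.<jvmRoute>, where jvmRoute is the
attribute on <Engine ... jvmRoute="cfusion"> in server.xml, so the suffix of
the cookie names the instance that issued it. All headers below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A Tomcat session ID is a run of hex digits, optionally followed by "." and
# the jvmRoute. Everything after the first "." past the hex ID is the route,
# so a route that itself contains dots is still captured whole.
_SESSION_RE = re.compile(r"^(?P<id>[0-9A-Fa-f]+)(?:\.(?P<route>[^;\s]+))?$")


@dataclass
class SessionCookieFinding:
    name: str
    session_id: str          # the ID with any route suffix stripped
    route: Optional[str]     # jvmRoute suffix, None when the cookie has none
    httponly: bool
    secure: bool

    @property
    def leaks_route(self) -> bool:
        return self.route is not None


def _parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {lower-case attr names})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs


def inspect_session_cookies(set_cookie_headers: List[str],
                            cookie_name: str = "JSESSIONID") -> List[SessionCookieFinding]:
    """Return one finding per Set-Cookie header that sets `cookie_name`."""
    findings: List[SessionCookieFinding] = []
    for header in set_cookie_headers:
        name, value, attrs = _parse_set_cookie(header)
        if name.lower() != cookie_name.lower():
            continue
        match = _SESSION_RE.match(value)
        if match:
            session_id, route = match.group("id"), match.group("route")
        else:
            # Not a Tomcat-shaped value (another container, or a rewritten ID):
            # keep it verbatim with no route so the flags are still reported.
            session_id, route = value, None
        findings.append(SessionCookieFinding(
            name=name,
            session_id=session_id,
            route=route,
            httponly="httponly" in attrs,
            secure="secure" in attrs,
        ))
    return findings


def describe(findings: List[SessionCookieFinding]) -> List[str]:
    """Human-readable review lines, one or more per finding."""
    lines = []
    for f in findings:
        if f.leaks_route:
            lines.append(f"{f.name}: route suffix '{f.route}' exposes the instance name (jvmRoute)")
        else:
            lines.append(f"{f.name}: no route suffix")
        if not f.httponly:
            lines.append(f"{f.name}: missing HttpOnly")
        if not f.secure:
            lines.append(f"{f.name}: missing Secure")
    return lines


# Constructed sample responses: the default CF10 instance before the
# server.xml change, an instance named "bob" as in the thread, and the same
# server after jvmRoute was blanked.
HEADERS_DEFAULT_INSTANCE = [
    "JSESSIONID=E3549E30AD31492B04FE7100331F28A0.cfusion; Path=/; HttpOnly",
    "lang=en; Path=/",  # unrelated cookie, ignored by the check
]
HEADERS_NAMED_INSTANCE = [
    "JSESSIONID=0C2B3E8F9A1D4E5F6A7B8C9D0E1F2A3B.bob; Path=/; Secure; HttpOnly",
]
HEADERS_BLANK_ROUTE = [
    "JSESSIONID=E3549E30AD31492B04FE7100331F28A0; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("default instance", HEADERS_DEFAULT_INSTANCE),
                           ("instance 'bob'", HEADERS_NAMED_INSTANCE),
                           ("jvmRoute blank", HEADERS_BLANK_ROUTE)):
        print(f"== {label}")
        for line in describe(inspect_session_cookies(headers)):
            print("  " + line)
```

Run it against the Set-Cookie headers captured from a real response (for example with curl -sI) to confirm that the suffix is gone after the server.xml change; the 32-character hex ID itself is unchanged, only the route part disappears. The suffix is the value a front-end balancer such as mod_jk or mod_proxy_balancer uses to route a session back to the instance that created it, which is why blanking it on a multi-instance or clustered deployment breaks session affinity; on such deployments the safer option is the one the post above settles on, renaming the route to something that does not identify the product or instance.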
BKBK
Adobe Community Professional,
Oct 06, 2014

PhilBro wrote:

I don't see this as being a bug but I do think this goes against security related best practices.

The usual way to bring such a concern to the attention of the Coldfusion Team is to report it as a bug. A bug may not necessarily be a malfunction. It may just be a suggestion.
