How to configure ColdFusion5 to use J2EE session identifiers instead of CF_ID and CF_TOKEN?

@BKBK I need it to resolve a Nessus Finding.  Web Server Uses Non Random Session IDs, Nessus ID 31,657.

There may be nothing for you to worry about. Nessus probably based its conclusion on just the CFID identifier, which is sequential. However, Coldfusion's session ID is random, as you would have found out when you followed the link in your original post.

The other Coldfusion session identifier, CFToken, is random. Hence, the session ID, which is the combination of CFID and CFToken, is random. Sequential + random = random.

I still recommend migrating/upgrading to CF10 and using JSessionID instead of CFID/CFToken. Technically BKBK is correct, while CFID is sequential, CFToken is random and they work together to link the session, BUT scanners don't understand this and you have to fight the "false positive" battle on every quarterly scan. Trust me, it gets old after a while. Often times when making your argument to your ASV you'll get a CF familiar person on the other end and the battle will be nothing more than saying: "hey, ColdFusion". But sometimes though you'll get someone who does not have a clue what CF is and does not believe anything out of your mouth which will result in a multi-day/week battle with him or her and/or supervisors. We used CF5 up until about 4 years ago so I am very familiar with the battles and I'm so glad we migrated!

I agree with Steve, you should plan on upgrading CF if you are trying to achieve PCI compliance. If I recall correctly the cftoken in CF5 is just a random number, that will not provide enough entropy to constitute a session identifier, even when combined with the sequential cftoken. Also because CF5 is not supported by adobe, any security issues found in it or that may exist will not be patched.