0 Replies Latest reply on May 19, 2008 4:59 PM by cfcoder2

    J2EE Session Management & Cookies

      I have some questions about session management using J2EE (jsessionid session variable). I'm using CFMX 6.1.

      1. In the CFAPPLICATION tag, is setClientCookies="no" a bad idea? We don't use client variables. We have had times when CFID/CFTOKEN appear in links and tend to get picked up by bots like Googlebot. It seems that removing them from view is a good idea, particularly since J2EE session vars are being used.

      2. Does anyone know of a way to prevent a jsessionid passed in a URL (embedded in a post on a forum, picked up by bots, or copied/pasted into an email) from being hijacked? This is a problem when you try to support maintaining a session for those with cookies disabled in their browser, since you then have to pass the jsessionid in the URL to retain the session. The difficulty here is how to differentiate between those just arriving (ignore the jsessionid) and those going from page to page on your site. Is relying on HTTP_REFERER being outside the domain or empty a good test?

      3. Why does the CF server not generate a jsessionid cookie in memory when you pass a jsessionid in the URL? As long as your code passes a jsessionid in the URL, it won't even attempt to set a cookie for jsessionid. But remove it and then it generates one. Why?

      4. Why does the URLSessionFormat function return a format like file.cfm;jsessionid=xxxxx, but if you try to append the jsessionid yourself using that format, it doesn't work? You have to use the format file.cfm?jsessionid=xxxxx.
      I don't get what's going on there.
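The following is an added example, not code from the original post or from ColdFusion/JRun. It simulates, in Python, the two mechanics question 2 and question 4 turn on: extracting a jsessionid whether it arrives as a servlet-style path parameter (file.cfm;jsessionid=...) or as a query-string parameter (file.cfm?jsessionid=...), and then deciding whether a URL-borne session id should be honoured as a continuation of an existing session or discarded in favour of a freshly issued one. The request dictionaries, the hostname www.example.com, and the session identifiers S1, S2 and NEW are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "jsessionid"


def extract_jsessionid(url):
    """Return (session_id, where) for a URL.

    'where' is "path" when the id came as a ;jsessionid=... path parameter
    (the form URLSessionFormat emits), "query" when it came as ?jsessionid=...,
    and (None, None) when the URL carries no session id at all.
    urlsplit() keeps path parameters inside .path, so both forms are visible here.
    """
    parts = urlsplit(url)
    _, _, path_params = parts.path.partition(";")
    for param in path_params.split(";"):
        key, _, value = param.partition("=")
        if key.lower() == SESSION_PARAM and value:
            return value, "path"
    query = parse_qs(parts.query)
    if SESSION_PARAM in query and query[SESSION_PARAM][0]:
        return query[SESSION_PARAM][0], "query"
    return None, None


def referer_is_on_site(referer, site_host):
    """True only when the Referer header names our own host.

    An empty or off-site referer is treated as 'just arriving' from an email,
    forum post or crawler, so a session id in that URL is not trusted.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == site_host.lower()


def resolve_session(request, site_host, known_sessions, new_session_id):
    """Decide which session a request belongs to.

    request: {"url": str, "cookies": dict, "referer": str or None}
    known_sessions: set of ids the server currently holds (constructed here)
    new_session_id: the id the server would mint for a fresh session (assumed
                    to be generated by the container; passed in for testability)

    Returns (session_id, reason) where reason is one of
    "cookie", "url-continued" or "rotated".
    """
    # A valid session cookie always wins over anything in the URL.
    cookie_sid = request["cookies"].get("JSESSIONID")
    if cookie_sid and cookie_sid in known_sessions:
        return cookie_sid, "cookie"

    # No cookie: a URL-borne id is honoured only for on-site navigation
    # and only if the server still has that session.
    url_sid, _ = extract_jsessionid(request["url"])
    if (url_sid and url_sid in known_sessions
            and referer_is_on_site(request.get("referer"), site_host)):
        return url_sid, "url-continued"

    # Arriving from outside with a pasted or crawled id: do not adopt it,
    # start a new session instead so the old one cannot be picked up here.
    return new_session_id, "rotated"


if __name__ == "__main__":
    known = {"S1", "S2"}  # constructed sample of live sessions
    on_site = {"url": "http://www.example.com/page.cfm;jsessionid=S1",
               "cookies": {}, "referer": "http://www.example.com/index.cfm"}
    from_forum = {"url": "http://www.example.com/page.cfm?jsessionid=S1",
                  "cookies": {}, "referer": "http://forum.other.org/thread"}
    print(resolve_session(on_site, "www.example.com", known, "NEW"))
    print(resolve_session(from_forum, "www.example.com", known, "NEW"))
```

Two caveats on the Referer test that the simulation makes explicit. First, the browser and any proxy may strip the header, so legitimate cookieless users navigating on-site can land in the "rotated" branch and lose their session; the check trades some usability for safety. Second, Referer is set by the client, so someone who deliberately replays a copied jsessionid can supply an on-site value; the check stops accidental reuse by bots and casual link-followers, not a determined attacker, for whom the only real fix is to not accept session identifiers from the URL at all.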