I have some questions about session management using J2EE
(jsessionid session variable). I'm using CFMX 6.1.
1. In the CFAPPLICATION tag, is setClientCookies="no" a
bad idea? We don't use client variables. We have had times when
CFID/CFTOKEN appear in links and tend to get picked up by bots like
Googlebot. Seems that removing them from view is a good idea,
particularly since J2EE session vars are being used.
2. Does anyone know of a way to prevent jsessionid passed in
a URL (embedded in a post on a forum or picked up by bots or
copied/pasted in an email) from being hijacked? This is a problem
when you try to support maintaining session for those with cookies
disabled in their browser and so you have to pass the jsessionid in
the url to retain the session. The difficulty here is how to
differentiate between those just arriving (ignore the jsessionid)
and those going from page to page on your site. Is relying on
HTTP_REFERER being out of the domain or empty a good test?
3. Why does CF server not generate a jsessionid cookie in
memory when you pass in a jsessionid in the url? As long as your
code passes a jsessionid in the url, it won't even attempt to set a
cookie for jsessionid. But remove it and then it generates one.
4. Why does the URLSessionFormat function return a format
like file.cfm;jsessionid=xxxxx, but if you try to code appending
jsessionid using that format it doesn't work? You have to apply the
I don't get what's going on there.
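The "just arriving vs. navigating within the site" decision from question 2, and the two jsessionid URL formats from question 4, as an added example in Python. This is not ColdFusion code and not code from the original poster; the host name, the in-memory session store, and the helper names are assumptions made for illustration. The resolver ignores a URL-carried jsessionid whenever a valid cookie session exists, honours a URL-carried id only for an anonymous session reached by same-site navigation, and rotates the id at login so a token that leaked into a forum post, an email or a bot's crawl cannot be used to pick up a logged-in session. A client can spoof the Referer header, so the referer test is hygiene against bots and pasted links rather than a security boundary; the rotation at login and the rule that authenticated sessions are never accepted from the URL are what actually prevent the hijack.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SITE_HOST = "www.example.com"  # assumed host name, constructed for this example


@dataclass
class Session:
    sid: str
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for the servlet container's session table (assumed)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        s = Session(secrets.token_urlsafe(32))
        self._sessions[s.sid] = s
        return s

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, session):
        """Give an existing session a fresh id and retire the old one, so an id
        that leaked before login (URL, referer log, email) stops working."""
        self._sessions.pop(session.sid, None)
        fresh = Session(secrets.token_urlsafe(32), session.data)
        self._sessions[fresh.sid] = fresh
        return fresh


def extract_url_sid(request_target):
    """Pull jsessionid from either the ';jsessionid=' path parameter
    (the form URLSessionFormat emits) or a '?jsessionid=' query parameter."""
    path, _, query = request_target.partition("?")
    if ";jsessionid=" in path:
        return path.split(";jsessionid=", 1)[1].split(";", 1)[0]
    return parse_qs(query).get("jsessionid", [None])[0]


def same_site_referer(referer, host=SITE_HOST):
    """True only when the Referer names our own host. Empty or foreign referers
    are what a bot, an emailed link or a forum post produce. Clients can spoof
    this header, so treat it as hygiene, not as authentication."""
    if not referer:
        return False
    return urlparse(referer).hostname == host


def resolve_session(store, cookie_sid, url_sid, referer):
    """Return (session, set_cookie) for a request.

    Policy: a cookie-carried id always wins; a URL-carried id is honoured only
    for an anonymous session reached by in-site navigation; anything else gets
    a brand-new session, which is the 'just arriving' case in the question."""
    if cookie_sid:
        s = store.get(cookie_sid)
        if s is not None:
            return s, False
    if url_sid:
        s = store.get(url_sid)
        if (s is not None
                and not s.data.get("authenticated")
                and same_site_referer(referer)):
            # Offer a cookie anyway: cookie-capable clients then stop
            # needing the id in the URL on the next request.
            return s, True
    return store.create(), True


def login(store, session, user):
    """Mark the session authenticated and rotate its id (session fixation defence)."""
    session.data["authenticated"] = True
    session.data["user"] = user
    return store.rotate(session)
```

The caller would read the cookie and the request target, call `extract_url_sid` on the target, pass both ids plus the Referer header to `resolve_session`, and emit a Set-Cookie header whenever the second return value is true. Everything after login is carried only by the rotated id, which never appears in a URL.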