Macromedia ColdFusion MX offers two mechanisms for managing session variables: ColdFusion session variables and J2EE session variables. ColdFusion MX introduces J2EE session variables to increase security and enable the sharing of ColdFusion session IDs with JSP pages and servlets.
Traditional ColdFusion session management uses theCFID and CFTOKEN values to establish and maintain unique application sessions. By default, theCFID and CFTOKEN values are sent to the client's browsers as persistent cookie values. The combination of the Application name (specified in the cfapplication tag) and the CFID and CFTOKEN values comprise the Session.SessionID. CFID andCFTOKEN values also create theSession.CFID, Session.CFToken, andSession.URLToken (CFID=idNum&CFTOKEN=tokenNum ) variables.
ColdFusion also uses CFID and CFTOKEN to track client data when using Client management. TheCFID and CFTOKEN values create the following variables: Client.CFID,Client.CFToken, Client.URLToken (CFID=idNum&CFTOKEN=tokenNum).
ColdFusion MX introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management has the following advantages:
- Enables the sharing of session information between ColdFusion pages and Java Server Pages (JSP) and servlets
- Strengthens session security with a unique, per-session variable
- Allows session termination without the loss of the client identification cookies (CFID/CFTOKEN) or Client management
J2EE session management uses a new variable, called thejsessionid, to track a user's browser session instead of the CFID/CFTOKEN pair. The jsessionid variable is available to JSPs and Servlets. A newjsessionid is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends.
The addition of the jsessionid not only extends the J2EE functionality but it also strengthens ColdFusion session management. Traditionally, ColdFusion creates theCFID/CFTOKEN as persistent cookies by default. However, the jsessionid is always created as a non-persistent cookie. Refer to ColdFusion (All Versions): How to write ColdFusion session variables as per-session cookies for more details. Refer to ColdFusion (All versions): How to guarantee unique CFToken values to ensure that the CFTOKEN identifier is unique.
Although jsessionid replacesCFID/CFTOKEN as the Session.SessionID, ColdFusion MX still creates the CFID andCFTOKEN values for tracking client information. This enables secure manipulation of client-scoped variables. J2EE session management does not require an Application name, so theSession.SessionID value becomes thejsessionid. Because CFID andCFTOKEN are no longer used as session identifiers,Session.CFID and Session.CFToken do not exist in the session scope. However, the combination of CFID, CFTOKEN, andjsessionid comprise the Session.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID ). When using client management, ColdFusion server appends the jsessionid to theCFID and CFTOKEN values in theClient.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID ).
ColdFusion MX allows either ColdFusion session variables (CFID/CFTOKEN) or the new J2EE session variables. You cannot use the jsessionid andCFID/CFTOKEN together for ColdFusion session management; however, enabling ColdFusion session variables in the ColdFusion Administrator is a prerequisite for using the J2EE session variables. This can be confusing but if you think of it in terms of the Session.SessionID variable, the setup becomes clearer.
You enable session variables in two places:
In the ColdFusion Administrator, select Memory Variables from the main menu:
- For ColdFusion session variables: check the box next to "Enable Session Variables."
This will set the Session.SessionID value equal to the Application name, CFID, and CFTOKEN values. ColdFusion session variables are enabled by default. - For J2EE session variables: check the boxes next to both "Enable Session Variables" and "Use J2EE session variables"
This will create the jsessionid variable and set theSession.SessionID equal to the jsessionid value.
Note: When you switch between ColdFusion session variables and J2EE session variables, you must restart the ColdFusion MX Application Server service from the control panel.
In your cfapplication tag, set thesessionManagement attribute to "Yes." You must do this whether you are using ColdFusion session variables or J2EE session variables. ColdFusion session variables also require you to specify the name attribute.
The table below offers a comparison of the defaultsession and client scoped variable values when using ColdFusion and J2EE session variables.
| Variable | ColdFusion Session Value | J2EE Session Value |
| Session.SessionID | Application name and CFID andCFTOKEN example: myApp_4102_41340 |
jsessionid value example: 80302906651021786701857 |
| Session.CFID | The CFID cookie value | N/A |
| Session.CFToken | The CFTOKEN cookie value | N/A |
| Session.URLToken | Session.CFID andSession.CFTOKEN example:CFID =14954&CFTOKEN=6694000 |
CFID and CFTOKEN andjsessionid example:CFID =14954&CFTOKEN=66940007& jsessionid= 8030290665102178670185 |
| Client.CFID | The CFID cookie value | N/A |
| Client.CFTOKEN | The CFID cookie value | N/A |
| Client.URLTOKEN | Client.CFID andClient.CFTOKEN example:CFID =14954&CFTOKEN=6694000 |
CFID and CFTOKEN andjsessionid example:CFID =14954&CFTOKEN=66940007& jsessionid= 8030290665102178670185 |
- Macromedia Security Zone
- ColdFusion (All versions): How to write ColdFusion session variables as per-session cookies
- ColdFusion (All versions): How to guarantee unique CFToken values
- ColdFusion 4.5.1 SP2 and Up: Recommended settings for client variable storage
- Security Best Practice: URL session variables and HTTP_REFERER
Keywords:
tn_18232
Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
