Macromedia ColdFusion MX offers two mechanisms for managing session variables: ColdFusion session variables and J2EE session variables. ColdFusion MX introduces J2EE session variables to increase security and enable the sharing of ColdFusion session IDs with JSP pages and servlets.

Background information:

Traditional ColdFusion session management uses theCFID and CFTOKEN values to establish and maintain unique application sessions. By default, theCFID and CFTOKEN values are sent to the client's browsers as persistent cookie values. The combination of the Application name (specified in the cfapplication tag) and the CFID and CFTOKEN values comprise the Session.SessionID. CFID andCFTOKEN values also create theSession.CFID, Session.CFToken, andSession.URLToken (CFID=idNum&CFTOKEN=tokenNum ) variables.

ColdFusion also uses CFID and CFTOKEN to track client data when using Client management. TheCFID and CFTOKEN values create the following variables: Client.CFID,Client.CFToken, Client.URLToken (CFID=idNum&CFTOKEN=tokenNum).

Changes in ColdFusion MX:

ColdFusion MX introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management has the following advantages:

  • Enables the sharing of session information between ColdFusion pages and Java Server Pages (JSP) and servlets
  • Strengthens session security with a unique, per-session variable
  • Allows session termination without the loss of the client identification cookies (CFID/CFTOKEN) or Client management

J2EE session management uses a new variable, called thejsessionid, to track a user's browser session instead of the CFID/CFTOKEN pair. The jsessionid variable is available to JSPs and Servlets. A newjsessionid is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends.

The addition of the jsessionid not only extends the J2EE functionality but it also strengthens ColdFusion session management. Traditionally, ColdFusion creates theCFID/CFTOKEN as persistent cookies by default. However, the jsessionid is always created as a non-persistent cookie. Refer to ColdFusion (All Versions): How to write ColdFusion session variables as per-session cookies for more details. Refer to ColdFusion (All versions): How to guarantee unique CFToken values to ensure that the CFTOKEN identifier is unique.

Although jsessionid replacesCFID/CFTOKEN as the Session.SessionID, ColdFusion MX still creates the CFID andCFTOKEN values for tracking client information. This enables secure manipulation of client-scoped variables. J2EE session management does not require an Application name, so theSession.SessionID value becomes thejsessionid. Because CFID andCFTOKEN are no longer used as session identifiers,Session.CFID and Session.CFToken do not exist in the session scope. However, the combination of CFID, CFTOKEN, andjsessionid comprise the Session.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID ). When using client management, ColdFusion server appends the jsessionid to theCFID and CFTOKEN values in theClient.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID ).

Enabling J2EE Session Management

ColdFusion MX allows either ColdFusion session variables (CFID/CFTOKEN) or the new J2EE session variables. You cannot use the jsessionid andCFID/CFTOKEN together for ColdFusion session management; however, enabling ColdFusion session variables in the ColdFusion Administrator is a prerequisite for using the J2EE session variables. This can be confusing but if you think of it in terms of the Session.SessionID variable, the setup becomes clearer.

You enable session variables in two places:

  1. Inside the ColdFusion Administrator
  2. By using the cfapplication tag

In the ColdFusion Administrator, select Memory Variables from the main menu:

  • For ColdFusion session variables: check the box next to "Enable Session Variables."

    This will set the Session.SessionID value equal to the Application name, CFID, and CFTOKEN values. ColdFusion session variables are enabled by default.
  • For J2EE session variables: check the boxes next to both "Enable Session Variables" and "Use J2EE session variables"

    This will create the jsessionid variable and set theSession.SessionID equal to the jsessionid value.

Note: When you switch between ColdFusion session variables and J2EE session variables, you must restart the ColdFusion MX Application Server service from the control panel.

In your cfapplication tag, set thesessionManagement attribute to "Yes." You must do this whether you are using ColdFusion session variables or J2EE session variables. ColdFusion session variables also require you to specify the name attribute.

Comparisons

The table below offers a comparison of the defaultsession and client scoped variable values when using ColdFusion and J2EE session variables.



Variable ColdFusion Session Value J2EE Session Value
Session.SessionID Application name and CFID andCFTOKEN

example: myApp_4102_41340
jsessionid value

example: 80302906651021786701857
Session.CFID The CFID cookie value N/A
Session.CFToken The CFTOKEN cookie value N/A
Session.URLToken Session.CFID andSession.CFTOKEN

example:CFID =14954&CFTOKEN=6694000
CFID and CFTOKEN andjsessionid

example:CFID =14954&CFTOKEN=66940007&

jsessionid=

8030290665102178670185
Client.CFID The CFID cookie value N/A
Client.CFTOKEN The CFID cookie value N/A
Client.URLTOKEN Client.CFID andClient.CFTOKEN

example:CFID =14954&CFTOKEN=6694000
CFID and CFTOKEN andjsessionid

example:CFID =14954&CFTOKEN=66940007&

jsessionid=

8030290665102178670185

Additional Information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy