How to reset JsessionID at login for a coldfusion application?

Posted on 2011-02-10
Last Modified: 2013-12-24
Using CF 6.1, I have JSessionID as the session ID. I need to reset the session ID after user logs in and when the user logs out.  

Currently JSessionID is set upon user connection to the website and is only destroyed when the user closes the browser.  I need to be able to modify the value on log in and log out.
Question by:FFNOKC
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 36

Expert Comment

ID: 34864123
you can kill a session using

<cfset structclear(session)>

however I don't believe it's possible to -not- set a jsessionid on first connect. You could kill the existing session and create a new one on log in r. Not sure why you'd need to however.
LVL 39

Expert Comment

ID: 34864815

If the problem is that you used the session ID as the identifier for your user's shopping art of something, I would change that instead.  

You can create a unique identifier using the session ID and some other values like the time or IP address

<cfset uniqueNUmber = hash(session.sessionID & IPaddress & timeFormat(now(),"miss")>

You should tell us what problem you're trying to resolve to address it directly.  I am not sure if you can continue using the session after your destroy the session ID or that you're guaranteed you'd get a different value

Author Comment

ID: 34865032
Thank you for the suggestions.  Here is a more detailed description of the problem:

Currently when a user visits the homepage of the site they are assigned a cookie with a JessionID. If the user goes on to login to a secure portion of the website they keep the same JsessionID after a successful login.

 We have had a recommendation to do one of the following to make the application more secure:

1. Do not set a JsessionID until after the user logs in.
2. Change the JsessionID after the user logs in.

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

LVL 39

Accepted Solution

gdemaria earned 500 total points
ID: 34865170

3.  Use a different identifier to track their login session, this was my suggestion above.

That would keep you from messing with core CF functionality and make it more secure.

>  1.  Do not set a JsessionID until after the user logs in.

This is not under your control.   If you no longer use the jsession ID as the user's identifier then you can set it and change it as you please.   Leave the jsessionID to CF and you use your own.

LVL 36

Expert Comment

ID: 34865480
agree 100% with gd - if you different functionality roll your own session. I use <cfset session.uid = createuuid()>

doing anything may result in unexpected results.

Author Comment

ID: 34873717
Thanks for the help. It sounds like creating your own session identifier is the preferred method.

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
What You Need to Know when Searching for a Webhost Provider
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question