• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1201
  • Last Modified:

How to reset JsessionID at login for a coldfusion application?

Using CF 6.1, I have JSessionID as the session ID. I need to reset the session ID after user logs in and when the user logs out.  

Currently JSessionID is set upon user connection to the website and is only destroyed when the user closes the browser.  I need to be able to modify the value on log in and log out.
0
FFNOKC
Asked:
FFNOKC
  • 2
  • 2
  • 2
1 Solution
 
SidFishesCommented:
you can kill a session using

<cfset structclear(session)>

however I don't believe it's possible to -not- set a jsessionid on first connect. You could kill the existing session and create a new one on log in r. Not sure why you'd need to however.
0
 
gdemariaCommented:

If the problem is that you used the session ID as the identifier for your user's shopping art of something, I would change that instead.  

You can create a unique identifier using the session ID and some other values like the time or IP address

<cfset uniqueNUmber = hash(session.sessionID & IPaddress & timeFormat(now(),"miss")>


You should tell us what problem you're trying to resolve to address it directly.  I am not sure if you can continue using the session after your destroy the session ID or that you're guaranteed you'd get a different value
0
 
FFNOKCAuthor Commented:
Thank you for the suggestions.  Here is a more detailed description of the problem:

Currently when a user visits the homepage of the site they are assigned a cookie with a JessionID. If the user goes on to login to a secure portion of the website they keep the same JsessionID after a successful login.

 We have had a recommendation to do one of the following to make the application more secure:

1. Do not set a JsessionID until after the user logs in.
or
2. Change the JsessionID after the user logs in.



0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
gdemariaCommented:
or

3.  Use a different identifier to track their login session, this was my suggestion above.

That would keep you from messing with core CF functionality and make it more secure.


>  1.  Do not set a JsessionID until after the user logs in.

This is not under your control.   If you no longer use the jsession ID as the user's identifier then you can set it and change it as you please.   Leave the jsessionID to CF and you use your own.

0
 
SidFishesCommented:
agree 100% with gd - if you different functionality roll your own session. I use <cfset session.uid = createuuid()>

doing anything may result in unexpected results.
0
 
FFNOKCAuthor Commented:
Thanks for the help. It sounds like creating your own session identifier is the preferred method.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now