Solved

How to reset JsessionID at login for a coldfusion application?

Posted on 2011-02-10
Last Modified: 2013-12-24
Using CF 6.1, I have JSessionID as the session ID. I need to reset the session ID after the user logs in and when the user logs out.

Currently JSessionID is set upon user connection to the website and is only destroyed when the user closes the browser.  I need to be able to modify the value on log in and log out.
Question by:FFNOKC
6 Comments
 
LVL 36

Expert Comment

by:SidFishes
ID: 34864123
you can kill a session using

<cfset structclear(session)>

However, I don't believe it's possible to -not- set a jsessionid on first connect. You could kill the existing session and create a new one on log in. Not sure why you'd need to, however.
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 34864815

If the problem is that you used the session ID as the identifier for your user's shopping cart or something, I would change that instead.

You can create a unique identifier using the session ID and some other values like the time or IP address

<cfset uniqueNumber = hash(session.sessionID & IPaddress & timeFormat(now(),"miss"))>


You should tell us what problem you're trying to resolve to address it directly.  I am not sure if you can continue using the session after you destroy the session ID or that you're guaranteed you'd get a different value.
0
 

Author Comment

by:FFNOKC
ID: 34865032
Thank you for the suggestions.  Here is a more detailed description of the problem:

Currently, when a user visits the homepage of the site they are assigned a cookie with a JsessionID. If the user goes on to log in to a secure portion of the website, they keep the same JsessionID after a successful login.

 We have had a recommendation to do one of the following to make the application more secure:

1. Do not set a JsessionID until after the user logs in.
or
2. Change the JsessionID after the user logs in.



0

 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points
ID: 34865170
or

3.  Use a different identifier to track their login session, this was my suggestion above.

That would keep you from messing with core CF functionality and make it more secure.


>  1.  Do not set a JsessionID until after the user logs in.

This is not under your control.   If you no longer use the jsession ID as the user's identifier then you can set it and change it as you please.   Leave the jsessionID to CF and you use your own.

0
 
LVL 36

Expert Comment

by:SidFishes
ID: 34865480
Agree 100% with gd - if you need different functionality, roll your own session. I use <cfset session.uid = createuuid()>

doing anything may result in unexpected results.
0
 

Author Comment

by:FFNOKC
ID: 34873717
Thanks for the help. It sounds like creating your own session identifier is the preferred method.
0
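
One way to implement the accepted suggestion (a separate login identifier, so the pre-login JSESSIONID alone is not enough to act as the user), as an added example that is not code from any poster in this thread. The names `authToken`, `AUTHTOKEN`, `userName` and `form.username` are assumptions, the secure area is assumed to be served over HTTPS, and the token comes from the JVM's `SecureRandom` rather than `createUUID()`.

```cfml
<!--- Added example; variable, cookie and form field names are hypothetical. --->

<!--- ===== login.cfm: runs only AFTER the credentials have been verified ===== --->
<!--- 128 random bits from the JVM's CSPRNG, hex-encoded --->
<cfset rng = createObject("java", "java.security.SecureRandom").init()>
<cfset newToken = createObject("java", "java.math.BigInteger").init(javaCast("int", 128), rng).toString(javaCast("int", 16))>

<!--- Bind the fresh token to the server-side session --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfset session.authToken = newToken>
    <cfset session.userName = form.username>
</cflock>

<!--- Send the same token to the browser. It is issued only after login,
      so someone who knew the JSESSIONID beforehand does not have it.
      A raw header is used so that Secure and HttpOnly can both be set. --->
<cfheader name="Set-Cookie" value="AUTHTOKEN=#newToken#; Path=/; Secure; HttpOnly">

<!--- ===== Application.cfm: at the top of every protected request ===== --->
<cfset authenticated = false>
<cflock scope="session" type="readonly" timeout="10">
    <!--- Both values must exist and match exactly (compare() is case-sensitive) --->
    <cfif structKeyExists(session, "authToken")
          and structKeyExists(cookie, "AUTHTOKEN")
          and compare(cookie.AUTHTOKEN, session.authToken) eq 0>
        <cfset authenticated = true>
    </cfif>
</cflock>
<cfif not authenticated>
    <!--- JSESSIONID alone is never treated as proof of login --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- ===== logout.cfm ===== --->
<!--- Remove the server-side binding first, then expire the browser cookie --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfset structDelete(session, "authToken")>
    <cfset structDelete(session, "userName")>
</cflock>
<cfheader name="Set-Cookie" value="AUTHTOKEN=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly">
```

Each login issues a new token, so the identifier changes at login and is invalidated at logout even though CF keeps managing JSESSIONID itself.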
