J2EE Session Cookies on ColdFusion / JRun
As you are probably aware, ColdFusion allows you to use the integrated J2EE sessions that are provided as part of the J2EE server (by enabling the Use J2EE session variables setting in ColdFusion Administrator). When you enable this setting, a cookie called JSESSIONID is used to store the session identifier.
One of the drawbacks to session cookies in ColdFusion is that there is little control over the cookies that are created; you typically need to set the cookies in your onSessionStart event method with cfcookie to add security settings like
J2EE servers typically provide a way to specify settings for the J2EE session cookie (typically called JSESSIONID; you can usually change the name of this cookie if you want). In JRun 4, the settings can be added to the jrun-web.xml file located in the WEB-INF folder. Here's an example of how you might add the secure flag to the JSESSIONID cookie:
    <jrun-web-app>
      <session-config>
        <cookie-config>
          <active>true</active>
          <cookie-secure>true</cookie-secure>
        </cookie-config>
      </session-config>
    </jrun-web-app>
It is important to understand that this change will affect all sites on your ColdFusion server, so it may not be the best approach for all server setups.
You can find the documentation for the JRun session-config tag and its children here.
So what about HttpOnly cookies? You have probably noticed that there is no setting for this in JRun. I did find a way to get it working by appending it to the path, for example:
That's not documented anywhere, but it does work. The cookie-path tag goes inside the cookie-config tag.
If you are using any JEE server besides JRun (e.g. Tomcat, WebLogic, etc.), there is probably a documented method for creating HttpOnly J2EE session cookies.
Update: ColdFusion 9.0.1 added support for a httponly java system property that you can use instead. See details on HttpOnly cookies in ColdFusion.
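Whichever server you are on, it is worth verifying the result rather than trusting the config file. As an added example (not part of the original post), here is a small Python check that parses the Set-Cookie headers a server returns and reports which of the Secure and HttpOnly flags are missing from the JSESSIONID cookie; the header lines below are constructed samples, not captured from a real server.

```python
# Constructed Set-Cookie headers (sample data, not from a real server),
# roughly what a server might send before and after the cookie-config
# change above.
SAMPLE_HEADERS = {
    "default": ["JSESSIONID=abc123; Path=/"],
    "secure_only": ["JSESSIONID=abc123; Path=/; Secure"],
    "hardened": [
        "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
        "CFID=1234; Path=/",
    ],
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value}).

    Attribute names are lower-cased because browsers treat them
    case-insensitively ("HttpOnly" and "httponly" are the same flag).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(headers, cookie_name="JSESSIONID",
                  required=("secure", "httponly")):
    """Return the required flags absent from the named cookie.

    Returns None when the cookie was not set at all, so a missing session
    cookie is distinguishable from a fully hardened one (empty list).
    """
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name == cookie_name:
            return [flag for flag in required if flag not in attrs]
    return None


def audit(samples):
    """Run missing_flags over a dict of label -> list of Set-Cookie headers."""
    return {label: missing_flags(hdrs) for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, missing in audit(SAMPLE_HEADERS).items():
        print(f"{label}: {'OK' if missing == [] else f'missing {missing}'}")
```

To check a live server, feed it the Set-Cookie header lines from a response to a page that starts a session (for example the lines `curl -si` prints) instead of the constructed samples.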
Just a small typo correction in the xml (missing a / in the end cookie-config tag).
@Joe - Thanks, I updated the blog entry.
@John - Yes it does belong inside the cookie-config tags, I updated the blog entry to make that more clear.