3
votes

We have a bunch of 'cflocation' tags in our CFMX apps, which lead to the session identifiers getting appended to the URL. Our main concern here is to remove the jsessionid, cfid and cftoken from the URL for security measures. We have tried the following and none of them worked for us:

1. 'addtoken=no' with the cflocation tag
2. tried using cfheader instead of cflocation.

How do we remove the session identifiers from the url?

Thanks, guys, for the prompt answers! I will try to answer the queries here:

  • I tried replacing cflocation completely with cfheader, like so:

    <cfheader statuscode="302" statustext="Temporarily Moved"/>
    <cfheader name="Location" value="destinationURL"/>

  • We are using cookies to store session info. I am able to see the CFID, CFTOKEN, JSESSIONID cookies successfully being created on the user's machine.

  • Mitrah - If I set the 'setclientcookie' value to false, wouldn't that default to URL? Or am I not reading this correctly?

  • Do I need to tweak the 'cfapplication' tag in some way to make this work?

2
When you say you were using cfheader, do you mean you were writing your own custom redirect, and not using cflocation at all? - Ben Doom
I thought I had this same problem, but both of your attempted solutions worked. You might have a more interesting error somewhere else. - jtpereyda

2 Answers

4
votes

It sounds like you are not using cookies to store your session, but are probably using client variables. If you are using client variables, then CF will automatically put the session tokens in the URL no matter what. This doc explains why.

-1
votes

Try to set setclientcookie = "false" in your application tag.
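
One way to check which redirects still carry the identifiers named in the question, as an added example that is not code from the original thread. The function names and sample URLs are constructed for illustration; it looks for CFID, CFTOKEN and jsessionid as query parameters and for the `;jsessionid=` path-parameter form.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Identifiers named in the question, compared case-insensitively.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}
# Path-parameter form, e.g. /page.cfm;jsessionid=ABC
PATH_PARAM = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)

# Constructed sample of (status, Location header) pairs, not taken from the thread.
SAMPLE = [
    (302, "http://app.example/next.cfm;jsessionid=8430abc?CFID=1204&CFTOKEN=93847291&tab=2"),
    (302, "/home.cfm?tab=1"),
    (200, None),
]


def find_session_ids(url):
    """Return the sorted lower-case names of session identifiers found in url."""
    parts = urlsplit(url)
    found = set()
    if PATH_PARAM.search(parts.path):
        found.add("jsessionid")
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.add(name.lower())
    return sorted(found)


def strip_session_ids(url):
    """Return url without the session identifiers; other parts are kept."""
    parts = urlsplit(url)
    path = PATH_PARAM.sub("", parts.path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))


def audit_redirects(responses):
    """Return (location, identifiers) for each 3xx response whose Location leaks one."""
    return [(loc, find_session_ids(loc)) for status, loc in responses
            if 300 <= status < 400 and loc and find_session_ids(loc)]


if __name__ == "__main__":
    for loc, ids in audit_redirects(SAMPLE):
        print(loc, "->", ids, "| cleaned:", strip_session_ids(loc))
```

Feeding it the Location headers captured from the application's own redirects shows which pages still append the tokens after a change to cflocation or cfapplication.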