Title: [ANeff] ER for: Secure Profile should enable CF's most secure session management option
Status/Resolution/Reason: Needs Review//
Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)
Created: 12/10/2015
Components: Security
Versions: 11.0
Failure Type: Enhancement Request
Found In Build/Fixed In Build: CF11_Final /
Priority/Frequency: Trivial / Unknown
Locale/System: English / Win All
Vote Count: 1
Secure Profile should enable the most secure of these session management options:
- ColdFusion session management
- J2EE session management
According to the docs, J2EE session management is the most secure of those 2 options. Therefore, Secure Profile should enable J2EE session management.
Here is what the docs say:
============================================
https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persistent-data-and-locking/managing-the-client-state.html
--------------------------------------------
Providing Session security
ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user's browser. These cookies persist until the client's browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.
A hacker who has the user's CFToken and CFID cookies could gain access to user data by accessing a web page during the user's session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.
You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.
============================================
============================================
https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persistent-data-and-locking/configuring-and-using-session-variables.html
--------------------------------------------
ColdFusion and J2EE session management
J2EE session management provides the following advantages over ColdFusion session management:
- J2EE session management uses a session-specific session identifier, jsessionid, which is created afresh at the start of each session.
Therefore, consider using J2EE session management in any of the following cases:
- You want to maximize session security, particularly if you also use client variables
============================================
============================================
https://helpx.adobe.com/coldfusion/kb/enable-j2ee-session-management-coldfusion.html
--------------------------------------------
Macromedia ColdFusion MX offers two mechanisms for managing session variables: ColdFusion session variables and J2EE session variables. ColdFusion MX introduces J2EE session variables to increase security and enable the sharing of ColdFusion session IDs with JSP pages and servlets.
ColdFusion MX introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management has the following advantages:
- Strengthens session security with a unique, per-session variable
A new jsessionid is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends.
The addition of the jsessionid not only extends the J2EE functionality but it also strengthens ColdFusion session management. Traditionally, ColdFusion creates the CFID/CFTOKEN as persistent cookies by default. However, the jsessionid is always created as a non-persistent cookie.
============================================
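A check a reviewer of this request could run against a server's responses, as an added example (not code from the tracker entry or from Adobe): it parses Set-Cookie headers and flags session-identifying cookies that persist across browser restarts, the property the quoted docs contrast between the default CFID/CFTOKEN cookies and jsessionid. The sample headers and cookie values are constructed assumptions.

```python
"""Audit Set-Cookie headers for ColdFusion session identifiers.

Added example, not code from the tracker entry or from Adobe. It checks what
the quoted docs describe: whether the cookies identifying a session persist
(Expires or Max-Age set), as CFID/CFTOKEN do by default, or die with the
browser session, as jsessionid does. Sample headers are constructed.
"""
from http.cookies import SimpleCookie

# Cookie names ColdFusion uses to identify a client or session (from the docs).
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}

# Constructed sample responses: CF default session management vs J2EE sessions.
CF_DEFAULT_HEADERS = [
    "CFID=12345; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/",
    "CFTOKEN=84735893; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/",
]
J2EE_HEADERS = ["JSESSIONID=a1b2c3d4e5f6; Path=/; HttpOnly"]


def _is_persistent(morsel):
    """True if the cookie outlives the browser session (Expires or Max-Age > 0)."""
    if morsel["expires"]:
        return True
    max_age = morsel["max-age"]
    # Browsers ignore a malformed Max-Age, so only a positive integer counts.
    return max_age.isdigit() and int(max_age) > 0


def audit_set_cookie(headers):
    """Map each session-identifying cookie (lowercased) to its findings list."""
    findings = {}
    for raw in headers:
        cookie = SimpleCookie()
        cookie.load(raw)  # parses name=value plus Expires/Max-Age/Secure/HttpOnly
        for name, morsel in cookie.items():
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue
            issues = []
            if _is_persistent(morsel):
                issues.append("persistent")
            if not morsel["httponly"]:
                issues.append("no-httponly")
            if not morsel["secure"]:
                issues.append("no-secure")
            findings[name.lower()] = issues
    return findings


def persistent_session_cookies(headers):
    """Names of session-identifying cookies that would survive a browser restart."""
    return sorted(n for n, f in audit_set_cookie(headers).items() if "persistent" in f)
```

An empty findings list means the cookie is a session cookie with both Secure and HttpOnly set; `persistent_session_cookies` is the single check the Secure Profile change in this request aims to make come back empty.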
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 4098537
External Customer Name: Aaron Neff