Title:
JSESSIONID not passed in URL when using ADDTOKEN parameter of CFLOCATION tag
Status/Resolution/Reason: Closed/Withdrawn/
Reporter/Name(from Bugbase): Chad Armond / Chad Armond ()
Created: 03/14/2017
Components: Core Runtime, Session Management
Versions: 2016
Failure Type: Others
Found In Build/Fixed In Build: 2016,0,03,300357 /
Priority/Frequency: Normal / Some users will encounter
Locale/System: / Unix Solaris 10
Vote Count: 0
Problem Description: In previous versions of ColdFusion, the JSESSIONID was passed in the URL query string when using the ADDTOKEN parameter of the CFLOCATION tag if J2EE session management was enabled. However, that is no longer the case in 2016. I do not know if this is a bug or possibly a security enhancement.
Steps to Reproduce: Create these 2 files for testing and run them on CF10 and CF2016.
url-token-test-1.cfm:
----------
<cflocation url="url-token-test-2.cfm" addToken="true">
url-token-test-2.cfm:
---------
<cfdump var="#url#" label="URL Variables">
<cfoutput>
<br />
Session ID: #session.sessionid#
<br /><br />
URL Token: #session.urltoken#
</cfoutput>
Actual Result: In ColdFusion 10, the JSESSIONID is displayed in the URL, SESSION.SESSIONID, and SESSION.URLTOKEN. In ColdFusion 2016, JSESSIONID appears in the SESSION.SESSIONID and SESSION.URLTOKEN variables but not in the URL.
Expected Result: JSESSIONID to either be included in the URL or omitted from the SESSION.URLTOKEN variable.
Any Workarounds: One workaround is to reference SESSION.TOKENID instead of URL.JSESSIONID. Another workaround is to manually pass the URL token. For instance:
<cflocation url="url-token-test-2.cfm?#session.urltoken#" addToken="false">
Attachments:
Comments:
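
Added example (not part of the original report and not ColdFusion code): a Python check that reports whether a redirect URL carries session identifiers, in the query-string form the report describes or as a `;jsessionid=` path parameter, and redacts the values before the URL is logged. The parameter-name set and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the usual ColdFusion / J2EE session parameter names.
# Extend this set for application-specific token names.
SESSION_PARAMS = {"jsessionid", "cfid", "cftoken"}

# Servlet containers may also carry the id as a path parameter:
#   /page.cfm;jsessionid=<value>?other=1
PATH_PARAM = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)


def session_params_in_url(url):
    """Return the sorted, lower-cased session parameter names present in url."""
    parts = urlsplit(url)
    found = {
        key.lower()
        for key, _ in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() in SESSION_PARAMS
    }
    if PATH_PARAM.search(parts.path):
        found.add("jsessionid")
    return sorted(found)


def redact_url(url):
    """Return url with every session identifier value replaced by REDACTED."""
    parts = urlsplit(url)
    query = [
        (key, "REDACTED" if key.lower() in SESSION_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    path = PATH_PARAM.sub(";jsessionid=REDACTED", parts.path)
    return urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(query), parts.fragment)
    )


# Constructed sample redirect targets (not captured from a real server).
SAMPLES = [
    "url-token-test-2.cfm?CFID=1001&CFTOKEN=12345678&jsessionid=0123456789ABCDEF",
    "url-token-test-2.cfm",
    "/app/url-token-test-2.cfm;jsessionid=0123456789ABCDEF?view=list",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(session_params_in_url(sample), redact_url(sample))
```

Run against the Location header returned by url-token-test-1.cfm on each server version, this gives a repeatable way to confirm which identifiers actually reach the URL.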