CFMX 8 Enterprise

I have turned on the "Use J2EE session variables" setting under Memory Variables because security requirements state that persistent cookies cannot be used.

I understood that turning this setting on will tell CF to only create and use a "JSESSIONID" session cookie.

However, my server still appears to be creating and using the old-style "CFID" and "CFTOKEN" cookies with expiration dates thirty years hence.

Now, obviously, I can do the old trick of manipulating CFID and CFTOKEN with CFCOOKIE in my Application.cfc to remove the expiration date, but that's something I'd need to add to all of my applications.

Is it as simple as a restart of the ColdFusion service? A bug? Or am I just misunderstanding the setting?
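The Application.cfc remediation the question refers to, written out as an added example (not code from the original post): it stops ColdFusion from writing its own thirty-year CFID/CFTOKEN cookies and re-issues them in onSessionStart without an expires attribute, so the browser discards them when it closes. It assumes session.CFID and session.CFTOKEN are still populated with J2EE session management on (the values are still generated, per the KB), and the application name is a placeholder.

```cfml
<cfcomponent output="false">
    <!--- Placeholder application name; use your own. --->
    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Stop ColdFusion from sending its own persistent CFID/CFTOKEN
          cookies (the ones with the thirty-year expiration). We issue
          replacements ourselves below. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Assumption: session.CFID / session.CFTOKEN exist even when
              "Use J2EE session variables" is enabled. With no expires
              attribute, cfcookie writes a session-only cookie, which is
              what the "no persistent cookies" requirement calls for.
              Add secure="true" if the site is served only over HTTPS. --->
        <cfif structKeyExists(session, "CFID") and structKeyExists(session, "CFTOKEN")>
            <cfcookie name="CFID" value="#session.CFID#">
            <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
        </cfif>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Quick check while testing: confirm no persistent CFID/CFTOKEN
              remains from before the change. A leftover persistent cookie
              from an earlier visit would still be sent by the browser, so
              re-issue it as session-only on the next request. --->
        <cfif structKeyExists(cookie, "CFID") and structKeyExists(cookie, "CFTOKEN")>
            <cfcookie name="CFID" value="#cookie.CFID#">
            <cfcookie name="CFTOKEN" value="#cookie.CFTOKEN#">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Verify the result by inspecting the Set-Cookie headers in the browser's developer tools or a proxy: CFID and CFTOKEN should carry no Expires attribute, and only JSESSIONID should be used to identify the session.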

+1  A: 

From the online KB database:

ColdFusion MX (CFMX) introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management enables the sharing of session information between ColdFusion pages and JSP pages or servlets within a single application. With J2EE session management, ColdFusion uses a new variable, the JSESSIONID, to track a user's browser session instead of CFID/CFTOKEN. ColdFusion MX still creates the CFID and CFTOKEN values, however, but these values are no longer used to uniquely identify browser sessions. J2EE session management does not require an Application name, so the SESSION.SESSIONID value becomes the JSESSIONID. Because the JSESSIONID is always written as a per-session value, it is destroyed when the browser is closed and a new one is created with each new browser session.

So CFID and CFTOKEN are generated, but ignored.

Ben Doom
Well, that's stupid. Now I'm going to have to remediate all of my applications even though those cookies don't get used.
Al Everett
I have to agree. It would be nice if CF didn't produce those cookies if j2ee session were enabled.
anopres