In the stateless HTTP web world, sessions play an important role in maintaining state. Critical user data is often saved in the session. An id is associated with each session, which distinguishes one user's requests from another's. This session token, often called JSESSIONID in the J2EE world, is stored client-side in a cookie.

Session ids are mostly stored in cookies, and we have already learnt that cookies are prone to attacks. Session hijacking and session fixation are two of these.

These attacks can be avoided with proper server-side measures and client-side cookie handling. For example, when a user logs out, the session data should be cleared, and when a user logs in, their current session data should be copied to a session with a new ID. This defeats attacks like session stealing and session fixation.
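The following is an added example, not code from the original post or from ColdFusion: a toy in-memory session store in Python that models the two measures above (rotate the session id on login, clear the data on logout) and shows why rotation matters. With `rotate=False` an id issued before authentication keeps working after login, which is exactly what session fixation relies on; with `rotate=True` the pre-login id is dead. The `SessionStore` class and its method names are constructed for this illustration.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def create(self):
        """Issue a fresh, unauthenticated session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        """Look up session data; None if the id is unknown or invalidated."""
        return self._sessions.get(sid)

    def login(self, sid, username, rotate=True):
        """Authenticate the user on session `sid` and return the id to use.

        rotate=True copies the data to a new id and discards the old one,
        as the post recommends. rotate=False keeps the pre-login id, which
        is the weak behaviour fixation attacks depend on.
        """
        data = self._sessions.pop(sid) if rotate else self._sessions[sid]
        data["user"] = username
        if rotate:
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = data
        return sid

    def logout(self, sid):
        """Clear the session data server-side; the id is unusable afterwards."""
        self._sessions.pop(sid, None)


def fixation_defeated(rotate):
    """True if an id known before login grants nothing after login."""
    store = SessionStore()
    pre_login_sid = store.create()  # id an attacker could have planted
    store.login(pre_login_sid, "alice", rotate=rotate)
    leftover = store.get(pre_login_sid)
    return leftover is None or "user" not in leftover
```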

In ColdFusion 10, you have ready-to-use methods to do this. Read here to learn about these methods.

3 Comments to “Improved Session Management in ColdFusion 10”

  1. Joshua Miller
    Is the "Read here" content able to be found somewhere else? When I click the link it takes me to a parked domain page.
  2. Rakshith Naresh
    @Joshua Works fine for me. Can you check again?
  3. Joshua Miller
    Seems to be working now. I was getting the default "" landing page this AM.
