无法关闭CFMX 8中的持续跟踪Cookie [英] Cannot turn off persistent tracking cookies in CFMX 8

问题描述

CFMX 8 Enterprise

我已打开内存变量下的使用J2EE会话变量设置，因为安全要求声明持久性Cookie不能使用。

I have turned on the "Use J2EE session variables" setting under Memory Variables because security requirements state that persistent cookies cannot be used.

我知道打开此设置会告诉CF只创建和使用JSESSIONID会话cookie。

I understood that turning this setting on will tell CF to only create and use a "JSESSIONID" session cookie.

但是，我的服务器仍然显示创建并使用旧版CFID和CFTOKENCookie，到期日期为三十年。

However, my server still appears to be creating and using the old-style "CFID" and "CFTOKEN" cookies with expiration dates thirty years hence.

现在，显然，我可以在我的Application.cfc中使用CFCOOKIE操作CFID和CFTOKEN的旧技巧来删除到期日期，但这是我需要添加到我的所有应用程序。

Now, obviously, I can do the old trick of manipulating CFID and CFTOKEN with CFCOOKIE in my Application.cfc to remove the expiration date, but that's something I'd need to add to all of my applications.

它是简单的重新启动ColdFusion服务吗？一个错误？

Is it as simple as a restart of the ColdFusion service? A bug? Or am I just misunderstanding the setting?

推荐答案

从在线KB数据库：

ColdFusion MX（CFMX）除了传统的ColdFusion会话管理外，还引入了J2EE servlet会话管理。 J2EE会话管理支持在单个应用程序中的ColdFusion页面和JSP页面或Servlet之间共享会话信息。通过J2EE会话管理，ColdFusion使用一个新变量JSESSIONID跟踪用户的浏览器会话，而不是CFID / CFTOKEN。 ColdFusion MX仍然创建CFID和CFTOKEN值，但是这些值不再用于唯一标识浏览器会话。 J2EE会话管理不需要应用程序名称，因此SESSION.SESSIONID值成为JSESSIONID。因为JSESSIONID总是写为每会话值，所以当浏览器关闭时会被销毁，并在每个新的浏览器会话中创建一个新的会话。

ColdFusion MX (CFMX) introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management enables the sharing of session information between ColdFusion pages and JSP pages or servlets within a single application. With J2EE session management, ColdFusion uses a new variable, the JSESSIONID, to track a user's browser session instead of CFID/CFTOKEN. ColdFusion MX still creates the CFID and CFTOKEN values, however, but these values are no longer used to uniquely identify browser sessions. J2EE session management does not require an Application name, so the SESSION.SESSIONID value becomes the JSESSIONID. Because theJSESSIONID is always written as a per-session value, it is destroyed when the browser is closed and a new one is created with each new browser session.

所以生成CFID和CFTOKEN，但忽略。

So CFID and CFTOKEN are generated, but ignored.

这篇关于无法关闭CFMX 8中的持续跟踪Cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！