tracker issue : CF-4198404

select a category, or use search below
(searches all categories and all time range)

JSESSIONID not passed in URL when using ADDTOKEN parameter OF CFLOCATION tag

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/

Reporter/Name(from Bugbase): Chad Armond / Chad Armond ()

Created: 03/14/2017

Components: Core Runtime, Session Management

Versions: 2016

Failure Type: Others

Found In Build/Fixed In Build: 2016,0,03,300357 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: / Unix Solaris 10

Vote Count: 0

Problem Description: In previous versions of ColdFusion, the JSESSIONID was passed in the URL query string when using the ADDTOKEN parameter of the CFLOCATION tag if J2EE session management was enabled.  However, that it no longer the case in 2016.  I do not know if this is a bug or possibly a security enhancement.

Steps to Reproduce:  Create these 2 files for testing and run them on CF10 and CF2016.

<cflocation url="url-token-test-2.cfm" addToken="true">

<cfdump var="#url#" label="URL Variables">

<br />
Session ID: #session.sessionid# 
<br /><br />
URL Token: #session.urltoken# 

Actual Result: In ColdFusion 10, the JSESSIONID is displayed in the URL, SESSION.SESSIONID, and SESSION.URLTOKEN.  In ColdFusion 2016, JSESSIONID appears in the SESSION.SESSIONID and SESSION.URLTOKEN variables but not in the URL.

Expected Result: JSESSIONID to either be included in the URL or omitted from the SESSION.URLTOKEN variable.

Any Workarounds: One workaround is to reference SESSION.TOKENID instead of URL.JSESSIONID.  Another workaround is to manually pass the URL token.  For instance:

<cflocation url="url-token-test-2.cfm?#session.urltoken#" addToken="false">



Do you see this issue with HF3 as well? Could you also confirm, if it is a solaris specific issue. Thanks!
Comment by S P.
1080 | March 15, 2017 12:47:54 PM GMT
Hi Chad, Is there any update that you can provide on the requested detail. Thanks!
Comment by S P.
1081 | September 11, 2017 03:55:33 AM GMT
Closing this bug for now as there is no response on it. If you still face the issue, please let us know we will reopen the bug. Thanks!
Comment by S P.
1082 | September 25, 2017 05:47:10 AM GMT
Sorry, I never saw your responses. The issue appears to be resolved now. Thank you!
Comment by Chad A.
29623 | August 27, 2018 01:23:25 PM GMT