URLSessionFormat() does not work when using JEE/J2EE sessions

The URLSessionFormat() function does not work when using JEE/J2EE sessions (using CFML sessions everything works fine, but I need to use JEE/J2EE sessions).

I have created a small test environment that demonstrates the error, but it seems that I cannot attach the file to this post.

Don’t forget to tell us about your stack!

OS: Debian 9.13 - Linux
Java Version: openJDK-11.0.11
Tomcat Version: 9.0.48
Lucee Version: Lucee

(post deleted by author)

@Knut your test.zip with URLSessionFormat() is generating the JEE/J2EE sessions on my Lucee Express with Lucee

What is also being generated is cfid and cftoken for the session variable urltoken. See also a session dump here:

Don’t know if this should be a problem.

But cookies are not creating additional cftoken/cfid:

I’d avoid using URLSessionFormat() just the same as urltoken in URLs. I’d strongly recommend not using these in URLs and keep those varibles strictly for cookies because of security. Browsers have better inbuilt default security mechanisms for cookies, e.g. samesite, httpOnly, secureflag, CORS. Also, cfdocs.org discourages from using them.

Hello Andreas,

thank your for your testing, but you did not disabled ALL types cookies in your browser, as I mentioned in the “test.cfm” file. Otherwise the “JSESSIONID” cookie would not exist in your browser.

In the “test.cfm” file I wrote:

  1. First deactivate ALL TYPES of cookies in your browser.
  2. Delete the cookie ‘JSESSIONID’ if it exists and refresh the page.
  3. Then press the submit button to call the next page (test-2.cfm)

Would you please be so kind as to test it again under the conditions described?
Thanks very much.

I’d avoid using URLSessionFormat() just the same as urltoken in URLs. I’d strongly recommend not using these in URLs and keep those varibles strictly for cookies because of security.

Thank you for that kind notice, but using URLSessionFormat() is absolutely no security risk in my case. Plus, it’s just a kind of programmed fallback if the user’s browser does not allow “3rd party” cookies or even prohibits ALL types of cookies. This is the most sensible way for me that my application works completely without cookies in exceptional cases.

Ok… now I understand. Your title and your posts above are a little misleading. It’s not that URLSessionFormat() doesn’t work (as specified in the title). Your issue is that the variables saved to the session scope get lost when you use url session only (without using cookies).

I can confirm that I see the same as you. The values saved to the session scope are getting lost or resetted when jsessionid is used as URL variable.

What happens if you use this button code for test in your test.cfm instead? Does it work as whished?

     <form name="testForm" id="testForm" action="test-2.cfm;jsessionid=#session.sessionid#?varA=1&varB=2" method="post">
        <input type="submit" name="seems to work" id="submit">

I’ve read the servlet 4.0 specs. There is some kind of URL-Rewrite envolved with jsessionid. It looks like the syntax for the default jsession needs to have preceding semi-colon in the URL like done above. Don’t know how this is implemented in depth with Lucee. Same issue applies when using #session.urlToken#. I’d say it’s a bug.

UPDATE: Need to correct myself. Seems to be a bug in urlsessionformat. Should we file a bug @cfmitrah?

Somehow yes and somehow no. When you change the sessiontype to “cfml” in the Application.cfc everything works fine. You can test it easily. But you’re right, I better should have used the title “The URLSessionFormat() function does not work when using JEE/J2EE sessions without using any cookies”.

Using URLSessionFormat (“test-2.cfm?varA=1&varB=2”) in ColdFusion 2016, exactly the syntax you used is returned as the result test-2.cfm;jsessionid=2888AE0275BDDACB2295269AB0AC54DF?varA=1&varB=2 and it owrks fine. But in Lucee it does not work.

Yes it should be like that and it should be the first parameter after the target page.

I agree.

Thank you for your support up to this point. I hope that this will also be confirmed as a bug by others and that I can then officially report the bug so that it will hopefully be fixed as soon as possible.

@andreas and @Knut I’ve checked this but it works fine for me with lucee latest version also. The session variable country is available with both “cfml” and “jee” session types.

I’ve done more tests and I can confirm that this is precisely where the error lies! Lucee appends the ‘jsessionid’ in a way that does not comply with the Java Servlet Specification 4.0. The specification describes the following under “7.1.3 URL Rewriting”:

7.1.3 URL Rewriting
URL rewriting is the lowest common denominator of session tracking. When a client will not accept a cookie, URL rewriting may be used by the server as the basis for session tracking. URL rewriting involves adding data, a session ID, to the URL path that is interpreted by the container to associate the request with a session.
The session ID must be encoded as a path parameter in the URL string. The name of
the parameter must be jsessionid. Here is an example of a URL containing encoded
path information:

The data stored in the session will definitely not be lost, but simply cannot be accessed because the ‘jsessionid’ is not encoded as a path parameter in the URL string.

This is a bug that the Lucee developers could probably fix quickly and easily.

@cfmitrah this is also what I’ve thought, but if you totally block cookies and you use URL variables only for navigation, the session variables are not retrieved and new sessionids are created. I’ve tested it in ACF and there the token is created with the semi-colon as specified in the servlet specs. Lucee don’t add it with a semi-colon, Lucee just adds it as a query variable.

@cfmitrah and @andreas
Did you really disabled ALL cookies in your browser?

@Knut you are right. Disable cookies in the browser and running test file throws error key [COUNTRY] doesn’t exist. ACF works fine. Could you please file a bug in Jira https://luceeserver.atlassian.net/ ?

@cfmitrah and @andreas
Thank you for confirming this as a bug. I’ll file this bug in Jira.

The bug is filed under: https://luceeserver.atlassian.net/browse/LDEV-3707

Here’s a short “reworked” workaround as UDF:

 * ------------------------------------
 * UDF: checkURLSessionFormat(urlStr)
 * ------------------------------------
 * WORKAROUND for LUCEE bug in 'URLSessionFormat()' function when using JEE/J2EE sessions without
 * accepting any cookies in the client browser.
 * --------------------------------------------------------------------------------------------------------
 * Posted under: https://dev.lucee.org/t/urlsessionformat-does-not-work-when-using-jee-j2ee-sessions/8836/5
 * Bug tracking: https://luceeserver.atlassian.net/browse/LDEV-3707
 * This function checks if cookies are enabled in the client browser and...
 *   EITHER: Returns the original URL (not modified) if cookies are enabled in the client browser.
 *   OR:     Rewrites the URL if cookies are NOT enabled in the client browser.
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * NOTE: This function can be used with LUCEE and/or ACF.
 *       The code only applies if J2EE/JEE are used in LUCEE and/or ACF.
 * --------------------------------------------------------------------------------------------------------
 * USAGE: You either have to integrate this function directly into your code or you have to do the
 *        integration via <cfinclude> (or any CFC of your choice). Then use 'checkURLSessionFormat(urlStr)'
 *        in your code code instead of LUCEE'S function 'URLSessionFormat(urlStr)'.
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * @urlStr  The URL string 
 * @return  Returns a string. 
 * @author  Knut Bewersdorff - TripTIX GmbH - Germany 2021
 * @version Version 2.0
// UDF: checkURLSessionFormat(urlStr)
public string function checkURLSessionFormat(required string urlStr) {
	// If the client browser accepts cookies, the 'JSESSIONID' cookie must exist.
	if (isDefined("COOKIE.JSESSIONID")) {
		// Return the original URL string (not modified)
		return urlStr;
	// If the client browser does NOT accept cookies
	else {
		// Check if there are any URL query parameters?
		if (REFindNoCase("\?",urlStr) GT 0) {
			// Append the SessionID in a correct syntax as the first URL path parameter by
			// replacing the question mark (?) with this: ";jsessionid=#session.sessionid#?". 
			// Rewrite the URL string and return it.
			return REReplaceNoCase(urlStr,"\?",";jsessionid=#session.sessionid#?","one");
		// If no URL query parameters were found
		else {
			// Rewrite the URL string and return it
			return urlStr & ";jsessionid=#session.sessionid#";

…and here’s a new test scenario (incl. my “reworked” workaround):
test_reworked.zip (3.2 KB)

1 Like