docs/recipes/session-handling.md
24 lines changed: 24 additions & 0 deletions
@@ -200,6 +200,30 @@ or environment variable
200
200
LUCEE_READ_CFID_FROM_URL=false
201
201
```
202
202
203
+
### Client Identification in CFID
204
+
Lucee can enhance session security by embedding client information within the CFID. This feature helps prevent session hijacking by making it harder for one client to use another client's CFID.
205
+
206
+
Enable this feature using either system property:
207
+
```properties
208
+
-Dlucee.identify.client=true
209
+
```
210
+
or environment variable:
211
+
```bash
212
+
LUCEE_IDENTIFY_CLIENT=true
213
+
```
214
+
215
+
When enabled:
216
+
- The CFID includes a unique client identifier based on the client's characteristics (e.g., User-Agent)
217
+
- A session created for Client A cannot easily be used by Client B
218
+
- Maintains backward compatibility with older CFID patterns
219
+
- Sessions remain valid when downgrading Lucee versions
220
+
221
+
The client identification is derived from:
222
+
1. User-Agent header
223
+
2. If not available, falls back to accept header
224
+
3. If no identifying information is available, reverts to standard CFID generation
225
+
226
+
203
227
## Best Practices
204
228
205
229
Lucee tries to avoid creating sessions whenever possible. It only creates a session when:
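Review bot: the claim "This feature helps prevent session hijacking" in the new "Client Identification in CFID" section overstates what the mechanism provides, because the identifier is derived from the User-Agent header (falling back to the Accept header), both of which are chosen by the client and are sent in the same request as the CFID, so whoever presents a captured CFID can present the matching headers with it; suggest rewording this as a defense-in-depth check that adds friction against casual reuse rather than a hijacking prevention. The section should also document what happens when the embedded identifier does not match the request (is the CFID rejected and a fresh session created, or is the existing session still resumed?), since that is what operators need in order to judge the impact of legitimate User-Agent changes such as browser auto-updates, and it should state the default value of `lucee.identify.client`. Minor: "Enable this feature using either system property:" reads better as "Enable this feature using either the system property:".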