
Session and cookie Questions???

Status
Not open for further replies.

Guest_imported

New member
Jan 1, 1970
0
I have a few questions and hope my problems could help others learn. I am working on a ColdFusion application and for security reasons it is imperative that I have no variables in the URL string and also be able to pass and set session variables with cookies turned off in browsers 4.0 and up.

I would think it would have something to do with passing the cf_id and cf_token? I thought I read about some code to check if cookies are on and then you have to use the cf_id and cf_token. I can recall where it was.

And is there anything wrong with not setting,
For example: session.login to true and just setting the session.userid after the SQL query that checks the form.userid and form.password gets a record?

and use the

<CFIF NOT IsDefined("Session.userid")>
<CFLOCATION URL="../Login.cfm">
</CFIF>

code in the application.cfm of the secured directory/area?

and the issue I would like to understand is should I use the <cf_lock> every time I set the session variables I use like session.usermessage, session.usercount and session.userid.
Example:
<!--- a lock needs a scope (or a name) to say what it protects --->
<cflock scope="session" type="exclusive" timeout="10">
<CFSET session.userid=form.userid>
</cflock>

Thanks for any Help..........
Howcouldi


 
As far as sessions without cookies go, you will have to pass the CFID & CFTOKEN as URL variables. I'm not aware of any other way that CF can maintain sessions if these are not present. If they don't exist as cookies, CF will then check for their existence as URL variables. If they don't exist in the URL scope, CF will create a new pair (there may be other scopes it checks but I'm not aware of any). To see this behavior, create a script that only outputs their values such as:

<cfapplication name="test" sessionmanagement="yes">
<cfoutput>CFid - #cfid#<p>CFtoken - #cftoken#</cfoutput>

Then turn off cookies and reload the page. You should see them change with each new page request.

To keep your session alive if the visitor has cookies turned off, you will have to pass these to each new page the visitor goes to. This means that:

1. Every link must pass them as in <a href="page2.cfm?cfid=#cfid#&cftoken=#cftoken#">Page 2</a>
2. Every form must pass them as in <form method="post" action="page2.cfm?cfid=#cfid#&cftoken=#cftoken#">
3. Every page in your site which the visitor can go to must be a CF script (a few exceptions like pop-up windows).

In regards to your locking question, Allaire recommends locking any variables which exist in a shared scope. Even though session variables are accessed by a single person, there are a number of situations where a single visitor could access the same session variable at the same time. If your site uses frames, the visitor's browser could request multiple pages at the same time which, depending on your code, could try to write to the same variable at the same time. Allaire has a good article on the subject at
In practice, I don't lock session variable writes as it's more time-consuming and very unlikely to cause a problem, but it's still technically wrong.
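An added example (mine, not code from either post) of an Application.cfm that ties the answer's pieces together: it probes once per session whether the browser returns cookies, builds a query-string fragment that carries CFID/CFTOKEN only when it does not, guards the secured area with the IsDefined check, and locks session writes. It assumes a CF version whose cflock accepts the scope attribute; the cookie name cookietest, the URL flag ct and Request.sessionToken are my own choices.

```cfml
<!--- Added example: Application.cfm for the secured directory (not from the thread) --->
<cfapplication name="secureapp" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

<!--- Step 1: find out once per session whether the browser sends cookies back.
      First hit: set a probe cookie and bounce to the same page with ?ct=1.
      cflocation appends CFID/CFTOKEN to the redirect by default, so the
      session survives the bounce even when cookies are off.
      Second hit (ct=1): if the probe cookie did not come back, cookies are off. --->
<cflock scope="session" type="exclusive" timeout="10">
  <cfif NOT IsDefined("Session.cookiesOK")>
    <cfif NOT IsDefined("URL.ct")>
      <cfcookie name="cookietest" value="1">
      <cflocation url="#CGI.SCRIPT_NAME#?ct=1">
    <cfelse>
      <cfset Session.cookiesOK = IsDefined("Cookie.cookietest")>
    </cfif>
  </cfif>
</cflock>

<!--- Step 2: fragment to append to every link and form action. Empty when
      cookies work; tokens in URLs end up in server logs and Referer headers,
      so they are only put there when there is no other way to keep the session. --->
<cflock scope="session" type="readonly" timeout="10">
  <cfif Session.cookiesOK>
    <cfset Request.sessionToken = "">
  <cfelse>
    <cfset Request.sessionToken = "cfid=#Session.CFID#&cftoken=#Session.CFTOKEN#">
  </cfif>
</cflock>

<!--- Step 3: gate the secured area; no Session.userid means not logged in --->
<cflock scope="session" type="readonly" timeout="10">
  <cfset Request.loggedIn = IsDefined("Session.userid")>
</cflock>
<cfif NOT Request.loggedIn>
  <cflocation url="../Login.cfm">
</cfif>

<!--- Usage in any page of the area (a trailing ? or & is harmless when empty):
      <cfoutput><a href="page2.cfm?#Request.sessionToken#">Page 2</a></cfoutput>
      <cfoutput><form method="post" action="save.cfm?id=5&#Request.sessionToken#"></cfoutput>
      and writes such as Session.userid go inside an exclusive session lock as above. --->
```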