Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

New Possibilities for Session/Client Variable Handling in CFMX

New Possibilities for Session/Client Variable Handling in CFMX

Tucked away among the press and praise about ColdFusion MX are some new options that could benefit every CF developer.

If you've seen them mentioned, they may not have seemed important at first glance, but I hope you'll give them consideration.

In this article I'll uncover some possibilities for session and client variable handling in CFMX - actually three new features you can choose to enable. I'll not only explain what they are, but why they're important and some other things to be aware of.

Are you thinking, "I already know about J2EE session variables"? That's not what this is all about. It is indeed one of the three new features, but the other two aren't dependent on that one and are of value to any CF developer. One of them doesn't even require any change to your code to obtain substantial benefits. The features are detailed under the following headings:

  • The New URLSessionFormat() Function
  • Using a UUID for CFTOKEN
  • Using J2EE Session Variables
Before proceeding, I should point out that, despite the name of the first new feature, both it and the second feature are related not just to session variable handling, but to supporting client variables as well. A few challenges that people have faced in working with both kinds of variables may indeed now be solved. You may even learn a new thing or two, as there are many misunderstandings about how these processes work. Let's start by setting the stage for the first feature.

Handling Session and Client Variables Without Cookies
The first new feature is a real hidden gem that hasn't been played up much at all. To understand its value, some background may be necessary. If you've needed to support session (or client) variables, you know that these features rely primarily on the browser supporting cookies to keep track of the user's identity (using what CF calls the CFID and CFTOKEN values it generates for each visitor).

Problems arise for browsers that don't support (or are by mandate not allowed to accept) cookies when they visit your site. In that case you must manually append the CFID and CFTOKEN to the URL used in any HTML you send to the browser that passes the user back to your server, such as <A HREF> and <FORM ACTION>. (The <CFLOCATION> tag also has an option called ADDTOKEN="yes" that accomplishes the same thing.)

If you haven't been paying attention to this issue, you may be suffering when users who don't support cookies visit your site. They never keep session variables from page to page, for instance. That can wreak havoc on a login process. And they also can't keep client variables from visit to visit.

The converse is that you shouldn't always append these values to a URL because that leaves your site open to several potential problems. If someone passed a bookmark of a URL with a given CFID/CFTOKEN pair shown, the user receiving that bookmarked URL would also now use the first user's CFID/CFTOKEN pair. Have you ever heard of two people seeming to share a session? This is one way it happens.

Another challenge is that someone can just guess at CFID/CFTOKEN values when displayed this way on a URL (more on another way to solve that problem in a moment).

So the optimal way to handle this (pre-CFMX) is to somehow test whether cookies are supported for the user running the template and then, only if they're not, append the CFID/CFTOKEN value. The code to do that isn't difficult, but getting it right and then placing that CFID logic around every instance of <A HREF>, <FORM ACTION>, or <CFLOCATION> (deciding whether to use ADDTOKEN="yes") could be challenging.

New URLSessionFormat() Function
Enter the new URLSessionFormat function. With this simple function you can now let CFMX worry about whether to append the CFID/CFTOKEN pair (and/or the JSessionID if using J2EE sessions, as discussed in a moment). Here's a simple example:

<cfoutput>
<a href="#URLSessionFormat
("MyPage.cfm?name=bob")#">
some link</a></cfoutput>
If CFMX detects that the browser executing this template isn't passing the needed cookie (CFID/CFTOKEN for CF session and client variables, JSessionID for J2EE session variables), then it will turn that output HTML into the following:

<a href="MyPage.cfm?name=
bob& cfid=xxxx&cftoken=xxxxxxxx">some link</a>
On the other hand, if CFMX detects that the needed cookies are being passed in by the browser, it leaves the identifiers off. Very cool! Note that it's smart enough to realize if the URL already has something in the query string (as it does above), in which case it uses an ampersand (&) to append the identifiers. Ta-da! (In that example I'm not yet showing what it looks like if J2EE sessions are being used.)

There is one gotcha: if you also need to use a URLEncodedFormat function for some part of the query string that has embedded spaces or special characters, it could become pretty cumbersome to use both functions in a single line of code, with embedded functions and strings within those functions. The following looks ugly, but it will work:

<cfoutput>
<a href="#URLSessionFormat
("MyPage.cfm?name=#URLEncoded
Format("billy bob")#")#">some link</a>
</cfoutput>
One other observation: I've noticed that when using J2EE sessions, it's possible for the resulting URL to appear in the format My Page.cfm;JSESSIONID=803094969 1025145133137?name=bob. Note that in this case the JSessionID is appended to the filename separated by a semicolon, rather than to the query string. Still, when that's happened, the URL has functioned as expected.

It may be worth pointing out that, technically, this function's name isn't completely accurate. It's needed not just for session variable handling but client variable handling as well. In other words, if you use client variables but not session variables, this is still the way to guarantee that the CFID/CFTOKEN pair needed for client variable support as well is sent to browsers that don't allow cookies. (Indeed, if client variables are in use in that previous example showing the JSessionID, then the CFID and CFTOKEN would be appended to the query string as they were above.)

You also shouldn't dismiss browsers that don't support cookies as being antiques not worthy of your concern: many organizations force users to disable cookie support in their browsers. This solution helps you support them as well.

Using a UUID for CFTOKEN
I mentioned previously that one of the challenges of CFID and CFTOKEN pairs is that if the value is displayed on the URL, it's just very easy to try to guess. The CFID/CFTOKEN values are just a few simple numbers. By trying different numbers, a user may be able to impersonate or "spoof" another user's session (or client) variables. (And this really isn't a concern just if you pass them on the URL. Anyone familiar with the process can simply type a CFID/ CFTOKEN pair on any URL running a CF template and, though the odds may be slim, possibly guess an active pair.)

So another new feature of CFMX, which has nothing to do with J2EE session variables, is that you can ask the server to generate more elaborate UUIDs (Universal Unique Identifiers) for the CFTOKEN. This is enabled in the Administrator, on the "server settings" page, by checking the option "Use UUID for cftoken". (The fact that this is not on the "memory variables" page reinforces the point that the CFTOKEN is used for both client and session variables.) You'll need to restart the CFMX server for this change to take effect. You needn't change any code to benefit from this new feature.

After enabling them, you may see that CFTOKEN values look more like this, as an example: 15ce46ab4e29a f0a-AF695847-F92F-344A-13325 2991FB6C3B5. (You can see it yourself with <cfoutput>#cftoken#</cf output>.) Definitely a lot harder to randomly guess an active value! It's a feature that probably should be enabled by all sites, just for the added protection. The only risk is if you have any code that for some reason relies on the CFTOKEN being the simpler 8-digit number (or are storing the CFTOKEN in a database column that needs to be widened).

A side note: The ability to use a UUID for CFTOKEN isn't really new in CFMX. It's just easier to enable. In CF4.5 and 5 it requires a manual registry change. See the Macromedia TechNote at www.macromedia.com/v1/Handlers/index.cfm?ID=22427&Method=Fullfor more information.

Using J2EE Session Variables
I mentioned in the first section that CF now supports "J2EE sessions." What are they? And why would you care? Well, as a coder, it's possible that they'd only add benefit and, again, there's little reason not to use them. It's another feature set in the CFMX Administrator, in the "memory variables" page, checking the "Use J2EE session variables" option and restarting the server.

J2EE sessions work by sending to the client a cookie not with CFID and CFTOKEN but JSessionID. (Again, if CFAPPLICATION has CLIENTMANAGEMENT="yes", then the CFID/CFTOKEN pair is still sent, to support client variables only.)

There's more to the difference between the CFID/CFTOKEN pair and JSessionID than the name. First, the JSessionID value is a more elaborate combination of characters (including a UUID). As mentioned previously, the default CFID/CFTOKEN pair values are simply a few numbers each. That may make them possible to guess. Then again, you've just learned that you can change the CFTOKEN to use a UUID, so that benefit may seem diminished.

But there are still more differences, and they can be very important to some. First, and coolest of all, is that J2EE sessions work the way most developers have long wished CF session variables would: when the user closes his or her browser, the session is terminated as well. Hallelujah!

How does the mechanism work that allows the session to terminate when the browser is closed? Maybe you've already guessed: the JSession-ID that's used for J2EE sessions is set as a nonpersistent (or "per-session" or "temporary") cookie. That means simply that the cookie value isn't stored persistently in the browser user's hard drive. It's held only in the browser's memory. When the browser (all its instances) is closed, the JSessionID is lost. On a subsequent visit in a new browser window, the user is given a new JSessionID.

Technically, the session will live on in CFMX's memory until it times out. But with the user no longer holding the JSessionID for it, it's effectively "terminated" as far as he or she is concerned.

This also points out another benefit of using J2EE sessions for those organizations that aren't allowed to use persistent cookies (such as the CFID and CFTOKEN cookie values set by CFMX and previous versions). These organizations can use J2EE sessions much more easily than they could CF-based sessions. Of course, there are ways in all releases of CF that they could force the CFID and CFTOKEN to be nonpersistent, as outlined in the Macromedia Tech-Note at www.macromedia.com/v1/Handlers/index.cfm?ID=21079&Method=Full. With J2EE sessions, they needn't bother with that.

One final benefit of using J2EE sessions, which may or may not impress most CF developers, is that using them allows sharing of session variables with JSP and servlet programs also run under CFMX. That could be valuable, if you start exploring that capability. For more about sharing session and application variables between CF and JSP/servlet pages, see Chapter 32 of the CFMX manual, Developing ColdFusion MX Applications with CFML, available online at http://livedocs.macromedia.com.

Summary
Again, there's more to what's new in session variable support in CFMX than just J2EE sessions. Those first two items are valuable to all CFMX developers and apply to client variables as well (and the second one can apply even to users of CF4.5 and 5). The features add new dimensions in security, flexibility, and capability. Check them out!

More Stories By Charlie Arehart

A veteran ColdFusion developer since 1997, Charlie Arehart is a long-time contributor to the community and a recognized Adobe Community Expert. He's a certified Advanced CF Developer and Instructor for CF 4/5/6/7 and served as tech editor of CFDJ until 2003. Now an independent contractor (carehart.org) living in Alpharetta, GA, Charlie provides high-level troubleshooting/tuning assistance and training/mentoring for CF teams. He helps run the Online ColdFusion Meetup (coldfusionmeetup.com, an online CF user group), is a contributor to the CF8 WACK books by Ben Forta, and is frequently invited to speak at developer conferences and user groups worldwide.

Comments (3)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Intel is an American multinational corporation and technology company headquartered in Santa Clara, California, in the Silicon Valley. It is the world's second largest and second highest valued semiconductor chip maker based on revenue after being overtaken by Samsung, and is the inventor of the x86 series of microprocessors, the processors found in most personal computers (PCs). Intel supplies processors for computer system manufacturers such as Apple, Lenovo, HP, and Dell. Intel also manufactu...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
OpsRamp is an enterprise IT operation platform provided by US-based OpsRamp, Inc. It provides SaaS services through support for increasingly complex cloud and hybrid computing environments from system operation to service management. The OpsRamp platform is a SaaS-based, multi-tenant solution that enables enterprise IT organizations and cloud service providers like JBS the flexibility and control they need to manage and monitor today's hybrid, multi-cloud infrastructure, applications, and wor...
The Master of Science in Artificial Intelligence (MSAI) provides a comprehensive framework of theory and practice in the emerging field of AI. The program delivers the foundational knowledge needed to explore both key contextual areas and complex technical applications of AI systems. Curriculum incorporates elements of data science, robotics, and machine learning-enabling you to pursue a holistic and interdisciplinary course of study while preparing for a position in AI research, operations, ...
CloudEXPO has been the M&A capital for Cloud companies for more than a decade with memorable acquisition news stories which came out of CloudEXPO expo floor. DevOpsSUMMIT New York faculty member Greg Bledsoe shared his views on IBM's Red Hat acquisition live from NASDAQ floor. Acquisition news was announced during CloudEXPO New York which took place November 12-13, 2019 in New York City.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
Tapping into blockchain revolution early enough translates into a substantial business competitiveness advantage. Codete comprehensively develops custom, blockchain-based business solutions, founded on the most advanced cryptographic innovations, and striking a balance point between complexity of the technologies used in quickly-changing stack building, business impact, and cost-effectiveness. Codete researches and provides business consultancy in the field of single most thrilling innovative te...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...