
New Possibilities for Session/Client Variable Handling in CFMX


Tucked away among the press and praise about ColdFusion MX are some new options that could benefit every CF developer.

If you've seen them mentioned, they may not have seemed important at first glance, but I hope you'll give them consideration.

In this article I'll uncover some possibilities for session and client variable handling in CFMX - actually three new features you can choose to enable. I'll not only explain what they are, but why they're important and some other things to be aware of.

Are you thinking, "I already know about J2EE session variables"? That's not what this is all about. It is indeed one of the three new features, but the other two aren't dependent on that one and are of value to any CF developer. One of them doesn't even require any change to your code to obtain substantial benefits. The features are detailed under the following headings:

  • The New URLSessionFormat() Function
  • Using a UUID for CFTOKEN
  • Using J2EE Session Variables

Before proceeding, I should point out that, despite the name of the first new feature, both it and the second feature are related not just to session variable handling, but to supporting client variables as well. A few challenges that people have faced in working with both kinds of variables may indeed now be solved. You may even learn a new thing or two, as there are many misunderstandings about how these processes work. Let's start by setting the stage for the first feature.

Handling Session and Client Variables Without Cookies
The first new feature is a real hidden gem that hasn't been played up much at all. To understand its value, some background may be necessary. If you've needed to support session (or client) variables, you know that these features rely primarily on the browser supporting cookies to keep track of the user's identity (using what CF calls the CFID and CFTOKEN values it generates for each visitor).

Problems arise for browsers that don't support (or are by mandate not allowed to accept) cookies when they visit your site. In that case you must manually append the CFID and CFTOKEN to the URL used in any HTML you send to the browser that passes the user back to your server, such as <A HREF> and <FORM ACTION>. (The <CFLOCATION> tag also has an option called ADDTOKEN="yes" that accomplishes the same thing.)

If you haven't been paying attention to this issue, you may be suffering when users whose browsers don't support cookies visit your site. They never keep session variables from page to page, for instance. That can wreak havoc on a login process. And they also can't keep client variables from visit to visit.

The converse is that you shouldn't always append these values to a URL because that leaves your site open to several potential problems. If someone passed a bookmark of a URL with a given CFID/CFTOKEN pair shown, the user receiving that bookmarked URL would also now use the first user's CFID/CFTOKEN pair. Have you ever heard of two people seeming to share a session? This is one way it happens.

Another challenge is that someone can just guess at CFID/CFTOKEN values when displayed this way on a URL (more on another way to solve that problem in a moment).

So the optimal way to handle this (pre-CFMX) is to somehow test whether cookies are supported for the user running the template and then, only if they're not, append the CFID/CFTOKEN value. The code to do that isn't difficult, but getting it right and then placing that CFID logic around every instance of <A HREF>, <FORM ACTION>, or <CFLOCATION> (deciding whether to use ADDTOKEN="yes") could be challenging.
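As an added illustration of the pre-CFMX approach just described (this is my own example, not code from the article), the template below appends the identifiers only when the browser did not send the CFID/CFTOKEN cookies back. It uses CF's built-in session.URLToken string and assumes that session management is enabled in Application.cfm; the template names MyPage.cfm, Process.cfm and Next.cfm are placeholders.

```cfml
<!--- Added example, not from the article. Assumes Application.cfm enables
      session management (so session.URLToken exists). --->

<!--- A browser that accepts cookies sends CFID and CFTOKEN back on every
      request after the first, so their absence is the signal to append them.
      On the very first request even a cookie-capable browser has none yet,
      so that one page gets the identifiers on its links; later pages do not. --->
<cfset needsToken = NOT (IsDefined("cookie.CFID") AND IsDefined("cookie.CFTOKEN"))>

<!--- session.URLToken is CF's ready-made "CFID=...&CFTOKEN=..." string --->
<cfset tokenSuffix = "">
<cfif needsToken>
  <cfset tokenSuffix = "&" & session.URLToken>
</cfif>

<cfoutput>
  <!--- Both targets already carry a query string, hence the leading "&" --->
  <a href="MyPage.cfm?name=bob#tokenSuffix#">some link</a>

  <form action="Process.cfm?step=2#tokenSuffix#" method="post">
    <input type="text" name="name">
    <input type="submit" value="Go">
  </form>
</cfoutput>

<!--- In a template that redirects, the same decision drives ADDTOKEN.
      YesNoFormat turns the boolean into the "yes"/"no" the attribute expects. --->
<cfif IsDefined("form.name")>
  <cflocation url="Next.cfm" addtoken="#YesNoFormat(needsToken)#">
</cfif>
```

The point of gating on the cookies is that the identifiers only ever appear in a URL for visitors who cannot hold them any other way, which keeps the bookmark-sharing and guessing exposure described above confined to that minority. Repeating this check around every link, form and redirect is exactly the chore the new function removes.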

New URLSessionFormat() Function
Enter the new URLSessionFormat function. With this simple function you can now let CFMX worry about whether to append the CFID/CFTOKEN pair (and/or the JSessionID if using J2EE sessions, as discussed in a moment). Here's a simple example:

<cfoutput>
<a href="#URLSessionFormat("MyPage.cfm?name=bob")#">some link</a>
</cfoutput>

If CFMX detects that the browser executing this template isn't passing the needed cookie (CFID/CFTOKEN for CF session and client variables, JSessionID for J2EE session variables), then it will turn that output HTML into the following:

<a href="MyPage.cfm?name=bob&cfid=xxxx&cftoken=xxxxxxxx">some link</a>

On the other hand, if CFMX detects that the needed cookies are being passed in by the browser, it leaves the identifiers off. Very cool! Note that it's smart enough to realize if the URL already has something in the query string (as it does above), in which case it uses an ampersand (&) to append the identifiers. Ta-da! (In that example I'm not yet showing what it looks like if J2EE sessions are being used.)

There is one gotcha: if you also need to use a URLEncodedFormat function for some part of the query string that has embedded spaces or special characters, it could become pretty cumbersome to use both functions in a single line of code, with embedded functions and strings within those functions. The following looks ugly, but it will work:

<cfoutput>
<a href="#URLSessionFormat("MyPage.cfm?name=#URLEncodedFormat("billy bob")#")#">some link</a>
</cfoutput>

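The nesting above gets harder to read as the number of parameters grows. As an added example (my own code, not the article's), a small user-defined function can URL-encode each parameter and then call URLSessionFormat() once on the finished URL; the function name sessionLink, its argument names and the template names are assumptions.

```cfml
<!--- Added example, not from the article. Builds a link from a template name
      and a struct of parameters, encodes every name and value, then lets
      URLSessionFormat() decide whether CFID/CFTOKEN (or JSESSIONID) must be
      appended. Names sessionLink, template, params are assumptions. --->
<cffunction name="sessionLink" returntype="string" output="no">
  <cfargument name="template" type="string" required="yes">
  <cfargument name="params" type="struct" required="no" default="#StructNew()#">

  <!--- "url" is a reserved scope name, so the working string is called page --->
  <cfset var page = arguments.template>
  <cfset var sep = "?">
  <cfset var key = "">

  <!--- Encode both name and value so spaces and characters such as & or =
        inside a value cannot break the query string or smuggle in a second
        parameter --->
  <cfloop collection="#arguments.params#" item="key">
    <cfset page = page & sep & URLEncodedFormat(key) & "=" & URLEncodedFormat(arguments.params[key])>
    <cfset sep = "&">
  </cfloop>

  <!--- One call at the end: CFMX appends the identifiers only when the
        browser is not sending the needed cookies --->
  <cfreturn URLSessionFormat(page)>
</cffunction>

<cfset p = StructNew()>
<cfset p.name = "billy bob">
<cfset p.note = "a&b=c">

<cfoutput>
  <a href="#sessionLink("MyPage.cfm", p)#">some link</a>

  <!--- Works just as well for a form action with no parameters at all --->
  <form action="#sessionLink("Process.cfm")#" method="post">
    <input type="text" name="name">
    <input type="submit" value="Go">
  </form>
</cfoutput>
```

For a browser without cookies the first link comes out as MyPage.cfm?name=billy%20bob&note=a%26b%3Dc followed by the identifiers; with cookies present the identifiers are simply left off, and the page template never has to repeat the decision.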
One other observation: I've noticed that when using J2EE sessions, it's possible for the resulting URL to appear in the format MyPage.cfm;JSESSIONID=8030949691025145133137?name=bob. Note that in this case the JSessionID is appended to the filename separated by a semicolon, rather than to the query string. Still, when that's happened, the URL has functioned as expected.

It may be worth pointing out that, technically, this function's name isn't completely accurate. It's needed not just for session variable handling but for client variable handling as well. In other words, if you use client variables but not session variables, this is still the way to guarantee that the CFID/CFTOKEN pair, which client variables also depend on, is sent to browsers that don't allow cookies. (Indeed, if client variables are in use in that previous example showing the JSessionID, then the CFID and CFTOKEN would be appended to the query string as they were above.)

You also shouldn't dismiss browsers that don't support cookies as being antiques not worthy of your concern: many organizations force users to disable cookie support in their browsers. This solution helps you support them as well.

Using a UUID for CFTOKEN
I mentioned previously that one of the challenges of CFID and CFTOKEN pairs is that if the value is displayed on the URL, it's just very easy to try to guess. The CFID/CFTOKEN values are just a few simple numbers. By trying different numbers, a user may be able to impersonate or "spoof" another user's session (or client) variables. (And this really isn't a concern just if you pass them on the URL. Anyone familiar with the process can simply type a CFID/CFTOKEN pair on any URL running a CF template and, though the odds may be slim, possibly guess an active pair.)

So another new feature of CFMX, which has nothing to do with J2EE session variables, is that you can ask the server to generate more elaborate UUIDs (Universal Unique Identifiers) for the CFTOKEN. This is enabled in the Administrator, on the "server settings" page, by checking the option "Use UUID for cftoken". (The fact that this is not on the "memory variables" page reinforces the point that the CFTOKEN is used for both client and session variables.) You'll need to restart the CFMX server for this change to take effect. You needn't change any code to benefit from this new feature.

After enabling it, you may see that CFTOKEN values look more like this, as an example: 15ce46ab4e29af0a-AF695847-F92F-344A-133252991FB6C3B5. (You can see it yourself with <cfoutput>#cftoken#</cfoutput>.) Definitely a lot harder to randomly guess an active value! It's a feature that probably should be enabled by all sites, just for the added protection. The only risk is if you have any code that for some reason relies on the CFTOKEN being the simpler 8-digit number (or if you are storing the CFTOKEN in a database column that needs to be widened).
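Because the setting only takes effect after a restart, and because a browser that already holds a numeric CFTOKEN cookie keeps using it, it is worth verifying the change from a fresh browser. The template below is an added example (not from the article) that classifies the current token; the pattern it tests is derived from the sample token shown above, 16 hexadecimal characters, a hyphen, then a CF UUID in 8-4-4-16 hex groups, and treating that as the only UUID-mode layout is an assumption.

```cfml
<!--- Added example, not from the article: confirm that "Use UUID for cftoken"
      took effect, and report the token length so a client-variable database
      column can be widened if needed. Run it from a browser that holds no
      existing CFID/CFTOKEN cookies, because CF reuses a token it is sent.
      The regular expression is derived from the article's sample token;
      assuming that is the only UUID-mode layout is an assumption. --->
<cffunction name="isUUIDToken" returntype="boolean" output="no">
  <cfargument name="token" type="string" required="yes">
  <cfreturn REFindNoCase("^[0-9a-f]{16}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}$", arguments.token) GT 0>
</cffunction>

<cfoutput>
  <cfif isUUIDToken(cftoken)>
    <p>UUID CFTOKEN is in use; the value is #Len(cftoken)# characters long.</p>
  <cfelseif REFind("^[0-9]{1,8}$", cftoken)>
    <p>CFTOKEN is still the default numeric form. Check the Administrator
       setting, confirm the server was restarted, and retry without old cookies.</p>
  <cfelse>
    <p>Unrecognised CFTOKEN format; inspect the value manually.</p>
  </cfif>
</cfoutput>
```

The length reported by the first branch is the figure to compare against the CFTOKEN column in any client-variable datasource before switching the setting on in production.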

A side note: The ability to use a UUID for CFTOKEN isn't really new in CFMX. It's just easier to enable. In CF4.5 and 5 it requires a manual registry change. See the Macromedia TechNote at www.macromedia.com/v1/Handlers/index.cfm?ID=22427&Method=Full for more information.

Using J2EE Session Variables
I mentioned in the first section that CF now supports "J2EE sessions." What are they? And why would you care? Well, as a coder, it's possible that they'd only add benefit and, again, there's little reason not to use them. It's another feature set in the CFMX Administrator: on the "memory variables" page, check the "Use J2EE session variables" option and restart the server.

J2EE sessions work by sending to the client a cookie not with CFID and CFTOKEN but JSessionID. (Again, if CFAPPLICATION has CLIENTMANAGEMENT="yes", then the CFID/CFTOKEN pair is still sent, to support client variables only.)

There's more to the difference between the CFID/CFTOKEN pair and JSessionID than the name. First, the JSessionID value is a more elaborate combination of characters (including a UUID). As mentioned previously, the default CFID/CFTOKEN pair values are simply a few numbers each. That may make them possible to guess. Then again, you've just learned that you can change the CFTOKEN to use a UUID, so that benefit may seem diminished.

But there are still more differences, and they can be very important to some. First, and coolest of all, is that J2EE sessions work the way most developers have long wished CF session variables would: when the user closes his or her browser, the session is terminated as well. Hallelujah!

How does the mechanism work that allows the session to terminate when the browser is closed? Maybe you've already guessed: the JSessionID that's used for J2EE sessions is set as a nonpersistent (or "per-session" or "temporary") cookie. That means simply that the cookie value isn't stored persistently on the browser user's hard drive. It's held only in the browser's memory. When the browser (all its instances) is closed, the JSessionID is lost. On a subsequent visit in a new browser window, the user is given a new JSessionID.

Technically, the session will live on in CFMX's memory until it times out. But with the user no longer holding the JSessionID for it, it's effectively "terminated" as far as he or she is concerned.

This also points out another benefit of using J2EE sessions for those organizations that aren't allowed to use persistent cookies (such as the CFID and CFTOKEN cookie values set by CFMX and previous versions). These organizations can use J2EE sessions much more easily than they could CF-based sessions. Of course, there are ways in all releases of CF that they could force the CFID and CFTOKEN to be nonpersistent, as outlined in the Macromedia TechNote at www.macromedia.com/v1/Handlers/index.cfm?ID=21079&Method=Full. With J2EE sessions, they needn't bother with that.
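For readers who cannot turn on J2EE sessions yet, here is the shape of the CF-based alternative as an added example (my own code, written from the general approach of stopping CF from setting the cookies and setting them yourself, not a copy of the TechNote): CFID and CFTOKEN are still used, but they are issued as browser-memory cookies, so they disappear when the browser closes just as a JSessionID does. The application name MyApp and the timeout are placeholders.

```cfml
<!--- Added example, not from the article: Application.cfm that keeps CF
      session variables but sends CFID/CFTOKEN as nonpersistent cookies.
      Assumes the usual approach: SETCLIENTCOOKIES="no" stops CF from writing
      its own (persistent) cookies; a <cfcookie> with no EXPIRES attribute is
      held only in browser memory and discarded when the browser is closed.
      Application name and timeout are placeholders. --->
<cfapplication name="MyApp"
               sessionmanagement="yes"
               clientmanagement="no"
               setclientcookies="no"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- CF still creates session.CFID and session.CFTOKEN for the request; it
      just no longer sends them. Hand them to the browser ourselves, once,
      when the browser has not presented them. --->
<cfif NOT (IsDefined("cookie.CFID") AND IsDefined("cookie.CFTOKEN"))>
  <cfcookie name="CFID" value="#session.CFID#">
  <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
</cfif>
```

As with J2EE sessions, the server-side session still lives until SESSIONTIMEOUT elapses; closing the browser only discards the browser's copy of the identifiers, so the timeout should stay as short as the application allows. Pair this with the UUID CFTOKEN setting, since the identifier is now the only thing standing between a visitor and someone else's session.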

One final benefit of using J2EE sessions, which may or may not impress most CF developers, is that using them allows sharing of session variables with JSP and servlet programs also run under CFMX. That could be valuable, if you start exploring that capability. For more about sharing session and application variables between CF and JSP/servlet pages, see Chapter 32 of the CFMX manual, Developing ColdFusion MX Applications with CFML, available online at http://livedocs.macromedia.com.

Summary
Again, there's more to what's new in session variable support in CFMX than just J2EE sessions. Those first two items are valuable to all CFMX developers and apply to client variables as well (and the second one can apply even to users of CF4.5 and 5). The features add new dimensions in security, flexibility, and capability. Check them out!

More Stories By Charlie Arehart

A veteran ColdFusion developer since 1997, Charlie Arehart is a long-time contributor to the community and a recognized Adobe Community Expert. He's a certified Advanced CF Developer and Instructor for CF 4/5/6/7 and served as tech editor of CFDJ until 2003. Now an independent contractor (carehart.org) living in Alpharetta, GA, Charlie provides high-level troubleshooting/tuning assistance and training/mentoring for CF teams. He helps run the Online ColdFusion Meetup (coldfusionmeetup.com, an online CF user group), is a contributor to the CF8 WACK books by Ben Forta, and is frequently invited to speak at developer conferences and user groups worldwide.

Most Recent Comments
SS 10/20/04 11:28:11 AM EDT

I guess the only alternative left with us would be to force users to enable cookies in IE as MS is not going to address this issue when it has many on its plate. As far as MM is concerned, let's wait for the next release, something should come up.

charles arehart 09/08/02 04:36:00 AM EDT

I'd like to add a couple more observations about using J2EE sessions.

First, when you enable J2EE sessions, CFMX no longer creates the variables session.cfid and session.cftoken. If you're using those to attempt to persist sessions when (or in case) cookies aren't supported, those values are no longer available once you enable J2EE sessions.

You might think to try to use the available session.URLToken variable instead (or cookie.jsessionid, which does exist on the server while the page is being executed). Unfortunately, neither of these will work.

CFMX can only receive a jsessionid on a URL if it's appended after the filename and extension as ;jsessionid=nn, a format that was discussed in the article. This is the reason for the URLSessionFormat function, which was also discussed in the article.

But the caveats above explain why that's problematic in an IIS environment.

And it turns out that the problem above is even larger than I first learned.

If you enable J2EE sessions and then use CFLOCATION, and a browser executes the page but doesn't support cookies or doesn't present any to the page, CFMX will append the ;jsessionid after the filename and extension as discussed in the article. That's great for the built-in CFMX web server.

Unfortunately, if the redirection is to an IIS server (whether yours or another), the request will fail. Even using ADDTOKEN="no" won't stop it doing this.

Either MM needs to address this, or Microsoft needs to change IIS to allow this sort of URL.

charles arehart 09/03/02 05:44:00 PM EDT

I had mentioned in the article that the new URLSessionFormat would, when using J2EE sessions, cause the resulting URL it generates to appear in the format templatename.cfm;JSESSIONID=8030949691025145133137. Note that the JSessionID is appended to the filename separated by a semicolon, rather than to the query string.

I added that "Still, when that's happened, the URL has functioned as expected."

Well, I was doing testing at the time on the built-in CFMX web server. I've since discovered that if you're doing this on an IIS web server, the use of the ;jsessionid after the filename causes a 404 file not found. This is disappointing.

If you use J2EE session variables and are working under an IIS web server, don't use the URLSessionFormat, at least until this problem is resolved by MM. (The problem really ought to be solved by MS.)
