Welcome!

ColdFusion Authors: Yakov Fain, Pat Romanski, Liz McMillan, Maureen O'Gara, Greg Ness

Related Topics: ColdFusion

ColdFusion: Article

Persistence: Creating State

Persistence: Creating State
By Derrick Rapley
Article Rating:
November 11, 2003 12:00 AM EST
Reads:
 12,403

What is state? You may have heard the popular phrase, "The Web is a stateless environment." Simply put, data cannot persist across multiple page requests to the server. By nature, each request is independent of the others.

When building Web applications, we often have a need for persistent data, data that is available across multiple page requests while being unique to each user. There are many uses for persistent data, from checking to see if a user's session has timed out, to storing information about a user for use later in the application.

How Is State Created?
For data to persist, state must be created between the client and the application. In ColdFusion, state is created with two identifiers/variables that are unique to each user, CFID and CFTOKEN. For a state to persist, these two variables must be stored in one of two places: either in a cookie on the client's browser, or passed as variables in the URL with each page request. ColdFusion then uses the CFID and CFTOKEN to associate persistent data with each user by associating the values of these variables with CFID and CFTOKEN variables that are set in the client and session scopes. In ColdFusion, creating state is a fairly simple process.

Although persistent data can be stored in multiple places (in cookie, session, and client variables), that is not the focus of this article. Persistent variables will be covered in Part 2. This article will address the differences between using persistent and non-persistent (session) cookies, and how to maintain state when cookies aren't allowed or turned off.

Using Persistent Cookies for State
What is a "persistent cookie?" A persistent cookie is written to the client's hard drive as opposed to being stored in the client's memory. The cookie is so named because it will remain on the user's hard drive (persist) either until its specified expiration date or until it is removed by the user.

The easiest and simplest way to create state using persistent cookies is to use the SETCLIENTCOOKIES attribute of the tag <CFAPPLICATION> (see Listing 1). SETCLIENTCOOKIES is an optional attribute that defaults to "Yes" if not specified. Upon execution, two variables, CFID and CFTOKEN, are stored in a cookie on the client's browser if the client has enabled cookies.

Two other attributes are also included in <CFAPPLICATION>: CLIENTMANAGEMENT and SESSIONMANAGEMENT. These two attributes are optional for <CFAPPLICATION>, but at least one needs to be set to "Yes" in order for ColdFusion to write the cookie storing CFID and CFTOKEN to the client's browser. Although you may never need to reference these two variables, you can output their values with #cookie.cfid# and #cookie. cftoken# respectively. As stated above, ColdFusion uses CFID and CFTOKEN to associate persistent data with each unique user.

What is the advantage of using persistent cookies if session variables time out? The use of persistent cookies is advantageous when using client variables. Session variables typically time out after a period of inactivity. However, client variables can persist across multiple days, weeks, and even months (this setting is controlled in the ColdFusion Administrator). By using persistent cookies, client variables that were set weeks ago can still be accessed by a previous user. This could be a great way to store a user's preferences.

Seems too easy, what's the catch? Although creating state with persistent cookies is very easy, it does have some shortcomings. I'll give a scenario with two users, Joe and Adam. Joe logs on to an application at a public workstation. Some information about Joe is pulled from a database and stored in session variables (i.e., credit card, SSN, phone number, etc.). Joe does some work and closes all browser windows when he finishes.

Adam comes along a few minutes later and types in the URL for the same application, but the auto fill from the browser's history offers suggestions for other pages in the same application. Adam then selects one of the suggested URLs. Since it was only a few minutes between Joe and Adam, Joe's session hadn't expired and all of Joe's information is now available to Adam. Adam has the ability to navigate the application as Joe. Whether intentional or not, it could cause some serious damage.

Using persistent cookies in Web applications may also be frowned upon by some government agencies since persistent cookies are written to the client's hard drive. There may be requirements to use nonpersistent cookies.

Using Nonpersistent (Session) Cookies
As opposed to their counterpart, nonpersistent cookies are not written to the client's hard drive, but to the client's memory. Once all instances/windows of a browser are closed, then the nonpersistent cookie is erased from the client's memory.

Nonpersistent cookies can be set using the CFCOOKIE tag (see Listing 2). The key to creating a session cookie is to set the EXPIRES attribute in <CFCOOKIE> to "Now". EXPIRES is an optional attribute and defaults to "Now" if it is not specified. By specifying EXPIRES="Now", a cookie is written to the client's memory. If the cookie you are setting is already a persistent cookie on the client, setting EXPIRES="Now" removes the cookie from the cookie.txt file, leaving the cookie set in the client's memory. Setting session cookies can be created regardless of the value of SETCLIENTCOOKIES (Yes or No) in <CFAPPLICATION>.

In the example in Listing 2, I used the client-scope counterparts to set the cookie variables. You may use either the client- or session-scope counterparts of CFID and CFTOKEN to set the cookies, depending on if you have the CLIENTMANAGEMENT and SESSIONMANAGEMENT attributes enabled in <CFAPPLICATION>.

If Cookies Are Disabled
It is not uncommon to find users who may have cookies disabled for one reason or another. New to ColdFusion MX is a function, URLSessionFormat(), that appends the client information to the URL if the client has cookies disabled. If cookies are enabled, then no information is appended to the URL (see Listing 3).

Unfortunately, for developers using previous versions of ColdFusion, URLSessionFormat() is not an available function. If CLIENTMANAGEMENT is enabled in <CFAPPLICATION> the user may append the variable CLIENT.URLTOKEN to a link. Likewise, if SESSIONMANAGEMENT is enabled in <CFAPPLICATION>, the user may append SESSION.URLTOKEN to a link (see Listing 4). URLTOKEN is a concatenation of the CFID and CFTOKEN.

Using either method to append the CFID and CFTOKEN to a URL can become cumbersome since it has to be performed with every single link and form posted within the application. The one exception is that neither method is necessary when using <CFLOCATION> when setting ADDTOKEN="Yes". By setting the attribute ADDTOKEN="Yes", <CFLOCATION> will automatically append the URLTOKEN to the URL.

Conclusion
There is a myriad of possibilities to consider when creating state for an application. Although there is no wrong way to configure state management, the best solution is the one that fits your organization's or client's needs.

Published November 11, 2003 – Reads 12,403
Copyright © 2003 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

More Stories By Derrick Rapley

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.