Session Cookies Redux

Someone posted to the CF-Talk list that they were having an issue with session management. If the user clicked the logout button/link they were logged out successfully but if they just closed the browser and then tried log in again

they were not logged in correctly because the code between the tag was not executed.

This is normal behavior in this case because the cfid and cftoken used to identify a session still exists on the clients machine even if they close the browser.

The 'issue' is that when setting up your application Coldfusion automatically sets the setClientCookies= true, this creates the session cookies on the client machine. Additionally these cookies have an expiry date set to the year 2037 by default, so when a user closes the browser their session isn't automatically expired. This means that any code that you have between the tag in your Application.cfc or Application.cfm page doesn't get executed

To ensure that a user is logged out when the browser is closed you can do two things.

  1. You can enable J2EE session management in the CF Administrator. Select the menu item Memory Variables and then check the box next to Use J2EE session variables. Make sure that "Enable Session Variables" is also checked.
  2. You can set up your application to use session cookies by:
    • setClientCookies = False this will force Coldfusion NOT to write the cfid and cftoken as cookies, which also means that you need to do it yourself.
    • Write the cfid and cftoken as session cookies
      <cfif not IsDefined("Cookie.CFID")>
      <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="5">
      <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#" >
      <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#" >
      </CFLOCK>
      </cfif>

There are some definite benefits to using J2EE session over Coldfusion session Management (from the CF8 Documentation):

  • J2EE session management uses a session-specific session identifier, jsessionid, which is created afresh at the start of each session.
  • You can share session variables between ColdFusion pages and JSP pages or Java servlets that you call from the ColdFusion pages.
  • The Session scope is serializable (convertible into a sequence of bytes that can later be fully restored into the original object). With ColdFusion session management, the Session scope is not serializable. Only serializable scopes can be shared across servers.

My suggestion would be to use J2EE session management instead of Coldfusion session management because it is more secure and give you more options (mixed environment, clustering).

*NOTE: I posted about session cookies back in August but didn't mention the alternative J2EE session management so part of this is a repeat of my earlier post. It seems to pop up on a regular basis though :)

Happy Coding...

Related Blog Entries

1 Comments to "Session Cookies Redux"- Add Yours
Racquel Tejano's Gravatar Thanks! simple and straightforward tricks!
# Posted By Racquel Tejano | 4/10/11 1:45 PM

Powered By Railo

Subscribe

Subscribe via RSS
Follow garyrgilbert on Twitter Follow me on Twitter
Or, Receive daily updates via email.

Tags

adobe air ajax apple cf community cfml coldfusion examples ext flash flex google javascript jquery max2007 max2008 misc open source programming railo software technology ui

Recent Entries

No recent entries.

Blogroll

An Architect's View
CFSilence
Rey Bango
TalkingTree

Wish List

My Amazon.com Wish List