CFID & CFTOKEN
Hi there,
I’m creating a cart & payment system using
Coldfusion MX 6.1. I have two application servers which are load
balanced. So I cannot use sessions to track user logins and other
variables because if the load balancer diverts a request to the
other server where the session does not exist then the person will
be logged out.
So I’m forced to use client variables. I’m
against using cookies for better security. So the option left for
me is store client variables in database. So I’m using the
help of CFID & CFTOKEN to track logins and store client
variables in database.
Now the problem is I’m using URLSessionFormat function
to pass CFID & CFTOKEN to all pages after login. I have
following problems:
1) If I copy the URL, which contains the CFID & CFTOKEN,
close the browser and paste it in another browser window – it
opens up the page without any authentication.
2) If I copy and paste the same URL on a browser window in
another PC, it works.
These two scenarios fail my security to the application. Can
anyone please advise a way to kill the CFID & CFTOKEN on
browser close or some mechanism to stop this occurring?
Any help is greatly appreciated.
Many thanks / Manu.
Greetings Steve and other URLSessionFormat fans.
The remote file of a XMLHttp request (Spry) among other
things is trying to set two sessions.variables.
I have been told that if the remote file doesn't know the
session CFID & CFTOKEN the new session variables will not be
recognized, and to avoid that I should use URLSessionFormat.
Now, my original Spry request looks like this:
var request_URL
="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
Spry.Utils.loadURL("GET", request_URL, false, authBack);
which returns values as expected but does not set the session
variables, so I combine it with URLSessionFormat, like this:
var request_URL =
'#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';
The variable "request_URL" will render:
"/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"
which causes Spry to catch an exception while loading the url
and the request fails altogether.
Please note the " ; " semicolon sign between the filename
"authenticate.cfm" and "jsessionid=" which is not like
CF7.1 example
"myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx"
found in livedocs.
Is either my code, macromedia example, or both wrong?
Or maybe it needs some tweaking and fixing to replace the
semicolon and put the question mark in the right place?
Pulling quite a few hair here. Thanks for helping.
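Added example, not part of the original posts: the rendered URL above carries the session identifiers in two places, a ;jsessionid= path parameter and CFID/CFTOKEN query parameters, so the URL itself works as a credential wherever it is copied. This Python function removes both forms before a URL is written to a log or handed to a third party; the function name and the sample user name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that carry a ColdFusion or J2EE session identifier.
SESSION_QUERY_KEYS = {"cfid", "cftoken", "jsessionid"}

# URLSessionFormat places the J2EE id in the path as ";jsessionid=...",
# in front of the "?" that starts the query string.
_PATH_PARAM = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)


def strip_session_tokens(url):
    """Return (clean_url, found), where found lists every identifier removed."""
    parts = urlsplit(url)
    found = []

    def _record_path_hit(match):
        found.append("jsessionid (path parameter)")
        return ""

    path = _PATH_PARAM.sub(_record_path_hit, parts.path)

    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_QUERY_KEYS:
            found.append(f"{key} (query string)")
        else:
            kept.append((key, value))

    clean = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment)
    )
    return clean, found


# Constructed samples: the first has the shape of the rendered URL quoted
# above (with a made-up user name), the second is the checkout URL shape
# that appears further down this page.
SAMPLE_URLS = [
    "/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10"
    "?username=alice&CFID=300&CFTOKEN=11985066",
    "https://securesite.com/mysite/?cfid=1234&cftoken=5678",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        clean, found = strip_session_tokens(sample)
        print(clean, "<- removed:", ", ".join(found))
```

A non-empty second return value is also a useful signal on its own: it means a session identifier reached a URL, where it can end up in browser history, proxy logs and Referer headers.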
Similar Messages
-
Cfid & cftoken keep resetting every time the page refreshes!!!!
I need some assistance. I have setup several CF applications and never had any issues with session/application management. However this time around every time I refresh the page it gives me a new cfid and cftoken. Obviously it won't allow me to keep my session and I get redirected to the log in page. Here is how I am setting up my application. Does anyone see any issues with this?
<cfscript>
This.name = 'ApplicationName';
this.clientmanagement="no";
This.sessionManagement = "yes";
This.applicationtimeout = CreateTimeSpan(0,1,0,0);
This.sessionTimeout = CreateTimeSpan(0,0,20,0);
This.scriptProtect="All";
This.setclientcookies = "no";
This.setdomaincookies = "no";
</cfscript>
Side question, when is the cfid and cftoken supposed to change? When I land on the page for the first time before I log in the cfid & cftoken get set. That will be the same cfid & cftoken for the full session. Then the cfid & cftoken gets dropped once the application has timed out? (maybe a dumb question...)
Please Help!!!
If you setclientcookies to be FALSE ("no", whatever), then you need to deal with the CFID & CFTOKEN values yourself (generally by passing them on every URL in your site). Which is a right PitA.
Are you sure you meant to set it to FALSE?
Adam -
CFID & CFTOKEN added to URL by CF
CF automatically appends CFID & CFTOKEN to the URL when
using <div <span with id = a variable.
They are not appended when a constant is used.
I do not want these to be displayed unless I append them
myself.
Is this a CF bug, or can I change my code somehow?
I display a variable number of rows, so using a constant is
not a solution.
And, I use client and session variables throughout my app.
Please help me. Thanks a bunch.
<cfapplication name="myApp" sessiontimeout="20"
sessionmanagement="Yes"
setclientcookies="Yes" clientmanagement="Yes">
This is BAD ...
URL with the following code:
abc/action.cfm?CFID=1851&CFTOKEN=76141078
<div id="#style#">
<span id="#style#"
onclick="location.href='abc/action.cfm'">
<table><tr><td>info</td></tr></table>
</span>
</div>
This is GOOD ...
URL with the following code: abc/action.cfm
<div id="1001">
<span id="1001"
onclick="location.href='abc/action.cfm'">
<table><tr><td>info</td></tr></table>
</span>
</div>
-
Missing session variables and multiple CFID/CFTOKEN
We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions. We have put troubleshooting measures in place that display values when this occurs.
We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next). These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers. In most instances, if the user switches browsers, the same application works fine for them.
In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”. If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag. ** We do not prefer to do this for security reasons.
Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?
My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions. -
Viewing active sessions (cfid/cftoken or J2EE sessionid)?
Hello... is it possible to view the active sessions, whether cfid/cftoken or the J2EE sessionid for any given site on my server? I believe you can store client variables in a datasource, but I don't believe you can do this with the cfid/cftoken or J2EE sessionid correct? I'd really like to be able to query these values. I'm using CF 7.02 now but will be moving to CF 9, so if it's a feature there that'd be great.
You can do it per application... but I'm not sure if there's a way of pulling out all the applications running on a given server. The last time I looked for that sort of thing, I seem to recall not finding it (that's not to say it's not there: I just couldn't find it!).
But for all sessions within an application: do a google on "cf sessiontracker". Various people have blogged about how to do what you need (if not exactly what you need, then enough to get you going in the right direction).
I thought I had some sample code that demonstrates it, but I don't :-(
Adam -
JSessionID, CFId/CFToken-Which is predictable?
I have results from our the new and improved PCI scan and it
comes up with one Medium risk vuln.
Description: The remote web application is using predictable
cookie-based session IDs. Ideally, session IDs are randomly
generated numbers that cannot be guessed by attackers. If the
session ID is predictable, an attacker could hijack an active
victim's session, allowing the attacker to interact with the server
as though they were the victim. If the session ID is used to track
the state of authentication, the session ID of an authenticated
user could be guessed, bypassing any need for a username or
password. In the case of this server, the session ID was found to
have an insignificant number of changes between session IDs, which
makes guessing very easy.
Remediation: The software needs to be either configured or
modified to generate random session IDs.
I currently have enabled
Use J2EE session variables
Assuming I'm getting flagged because of cfid/cftoken
predictability I've setClientCookies = "no" and
clientmanagement="no" and restarted the service and everything
seems to be working with jsessionids alone... are there any
pitfalls to watch out with not using cfid/cftoken?
basic question before I pay for another scan is:
I was under the impression that jsessionids were the most
secure and a better alternative than cfid/cftoken. Is that not the
case?
EDIT: The scan occurred before I made the client variable
changes to the application.cfm (so I had both jsessionid and
cfid/cftoken being set) As of now only jsessionid is being set
based on what OWASP has to say
OWASP says
"Best practice calls for J2EE session management. In the
event that only ColdFusion session management is available, strong
security identifiers must be used. Enable this setting to change
the default 8-character CFToken security token string to a UUID.
http://www.owasp.org/index.php/Configuration"
It looks like the J2EE sessions are the way to go.
I believe the reason for the PCI flag is that the scan (at
least the one from the service we use) was looking at CFID alone. I
assume this because cftoken -was- set to use uuid so it should have
been secure. The scan probably doesn't know that cfid and cftoken
are used in conjunction. So in a way this is a false positive.
Based on the new standards coming in it is enough to be out of
compliance.
solution to be in compliance is to set clientmanagement="no"
and setclientcookies="no" in application.cfm so that cfid and
cftoken are not set at all. By using only the jsessionid, you are
following best practices from OWASP and also get the benefits of
session end on browser close
Other thoughts still welcome -
Adoption of CFID/CFTOKEN from request for new session
Hi
We've noticed that ColdFusion automatically uses CFID/CFTOKEN
from the request, if there's no session available for this token
combination and ColdFusion creates a new session. Is there a way to
tell ColdFusion that it shouldn't use the values from the request
but generate a pair of its own?
Regards
Sargon
-
CFID/CFTOKEN in URL Not Used
Hi, What I have is a website that uses a shared ssl site. Here is what happens
They are at the main site.: http://www.mysite.com/
They add a couple items to their cart
They enter the secure site to checkout: https://securesite.com/mysite/?cfid=1234&cftoken=5678
I check to see if they have items in their cart, if they don't, I kick them out of checkout
Sometimes this works just fine and the session is recognized and I can see the items.
Other times it kicks back out and the session isn't recognized.
When I examine the cookies I can see that the secure site wrote its own cfid and cftoken values and is not using the ones passed through the URL.
If I delete those cookies and try again it works great
Is there a reason its not using the URL values, is there a way to force it to use the ones I pass in? Please let me know if there is a setting or something I should do.
First noticed this in Firefox and its also recently gone from CF8 to CF9.
Thanks!!
-
We have a program that was written by a programmer who is no longer with us. When I go to log in to the program for the first time, after I put in my username and password and hit sign in I receive a "404 - File or directory not found error." All I do is hit the back button and login again and it logs me in just fine. I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL. When I'm able to login successfully it just takes me straight to index.cfm
Can anyone tell me why it's doing this and how to fix it? It's just annoying to have to login twice every time. Thanks
codyw725 wrote:
I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL. When I'm able to login successfully it just takes me straight to index.cfm
There are potentially 4 URLs involved here:
The URL to which the CFID and CFToken are appended;
The action page of the login form (Look into the code);
The page to which the user is sent when the login fails;
The index.cfm page.
It would be of interest to know whether 1. and 2., or whether 1. and 3., refer to the same page. -
Problem with Sessions & CFID Changing Unexpectedly
MY SETUP...
ColdFusion version 8.01 Standard
Hotfix version hf801-00002.jar
Java version 1.6.0_04
server OS Windows 2008 Enterprise 32bit
webserver IIS 7.0.6
database MySql 5.0.67
THE PROBLEM
For some visitors, every page on the website gives them a new CFID/CFTOKEN. I tried to narrow it down to a particular browser, but it's happening in every browser. It's only happening for some people. It was happening to me, then it stopped. Not sure what I did to fix it, but it's still happening to others.
I'm using CFID/CFTOKEN (or more recently, a random number stored in a session.variable) as their temporary ID when they add something to their shopping cart. Problem is, when the CFID or session value changes, the items in their cart are no longer associated with them anymore - their cart appears to be empty at that point.
For the love of God, what is causing the CFID and Session variables to change on every page? I am storing the client global variables in a MySql table which was setup by CF Administrator and appears to be working properly.
Lastly, this site has been working fine for years, all of the sudden after some PCI Compliance conformity and CF Patches, this problem arose, so I want to blame it on the patches, but I'm not sure.
Has anyone else ever had this problem? How did you fix it?
It can also be (and will always be caused) by any user whose browser (or any part of the connection) does not maintain the cookies.
If the request does not contain a cookie with currently valid cfid|cftoken and|or cfsessionid values, ColdFusion will generate new ones. This can be caused by security settings in the browser, OS, firewall, proxy etc.
This has become an increasingly rare issue in modern Internet computing, but it was fairly common back in the day when cookies were a new idea. -
How to Set up HTTPOnly and SECURE FLAG for session cookies
Hi All,
To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.secure = "true"
Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code, in case of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache. Right???. Or any other way to do this.
Your timely help is well appreciated.
Thanks in advance.
BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldn't understand this. I mean how are you relating this with my question.
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
Name: JSESSIONID
Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain: xyz.abc.pqr.com
Path:
Send for: Any kind of connection
Accessible to script: No (HttpOnly)
Created: Wednesday, September 3, 2014 2:25:10 AM
Expires: When the browsing session ends
BKBK wrote:
2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for cf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
BKBK wrote:
3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
I understood that it is sufficient to set httponly only. But how we will set it for jsessionid?. This is my question. Apache vFabric will also set secure to true automatically. Any idea?? -
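Added example, not code from the thread: a Python check that parses Set-Cookie response headers and reports which session cookies (CFID, CFTOKEN, JSESSIONID) lack HttpOnly or, on an HTTPS site, Secure. The header strings are constructed samples; the first two follow the shape of the cfheader lines quoted above, and the third mirrors a JSESSIONID cookie that is HttpOnly but sent for any kind of connection.

```python
# Cookie names that identify a ColdFusion or J2EE session.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive
    ("HTTPOnly" and "HttpOnly" mean the same thing to a browser).
    Returns None for an empty header value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, https=True):
    """Return [(cookie_name, [missing flags])] for session cookies only.

    Secure is only required when the site is served over HTTPS; a cookie
    marked Secure is never sent over plain HTTP.
    """
    findings = []
    for header in set_cookie_headers:
        parsed = parse_set_cookie(header)
        if parsed is None:
            continue
        name, _value, attrs = parsed
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers (values are placeholders, not real sessions).
SAMPLE_HEADERS = [
    "CFID=300;path=/;HTTPOnly",
    "CFTOKEN=11985066;path=/;HTTPOnly",
    "JSESSIONID=0123456789ABCDEF.node1; Path=/; HttpOnly",
    "JSESSIONID=0123456789ABCDEF.node1; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie values captured from a login response; an empty result means every session cookie present carries the flags required for that scheme.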
Hi ,
We have deployed our application on tomcat server built on struts framework.
We have also set the domain name and are redirecting the domain name to Static Ip
where our application is deployed with URL Masking option enabled.
Everything is working fine in Firefox. But in IE6 and IE7 we are facing issues related to sessions.
Example:
it works when we access directly
http://156.78.78.89:8000/myapp/login.do?method=display
when i redirect this with a domain name(with URL masking enabled) like
http://www.mydomain.com It does not work.
I am not able to login into application(using sessions of this) or use shopping cart(using cookies)
Cookies are getting disabled and there is no session maintenance.
Is it problem with struts config or tomcat server?
I am unable to take my application live because of this issue.
Please help me to solve. Thank you for your time and consideration
Hi BKBK,
I'm using CF10 and application.cfc
<!--- Define the application settings. --->
<cfset THIS.name= "GuarderiasGMX2"/>
<cfset THIS.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />
<cfset THIS.sessionManagement = true />
<cfset THIS.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />
I don't use cookies to set the session. I only use cfcookie to kill the session on the application.cfc when the user signs out.
<cffunction
name="onRequestStart"
access="public"
returntype="boolean"
output="false"
hint="I initialize the page request.">
<!--- Define the local scope.--->
<cfset var local = {} />
<!--- --------------------------------------------- --->
<!--- --------------------------------------------- --->
<!---
Check to see if we killed the session timeout in the
pseudo constructor. If we did, we can / should now
kill the cookies for the current session and then
redirect such that the user can get their new session.
--->
<cfif structKeyExists( url, "killSession" )>
<!---
Clear all of the session cookies. This will
expire them on the user's computer when the
CFLocation executes.
--->
<cfloop
index="local.cookieName"
list="cfid,cftoken,cfmagic">
<!--- Expire this session cookie. --->
<cfcookie
name="#local.cookieName#"
value=""
expires="now"
/>
</cfloop>
<!---
Redirect back to the primary page (so that we dont
have the killSession URL parameter visible).
--->
<cflocation
url="index.cfm"
addtoken="false"
/>
</cfif>
Regards -
How to pass session variables via the URL in CF10?
Hi
I have a client with some old Flash functionality (AS2). The SWF allows the user to upload an image. However a new session is being started when the upload script is called. I have added the CFID, CFTOKEN and JSESSIONID to the URL as I did in the past to maintain the session but I believe you cannot do this anymore with CF10, if this is correct can anyone point me in the right direction of how I would accomplish maintaining the session for the upload?
This has a note about CF 10 - http://forums.adobe.com/thread/1178420
Kind regards
Shaun
Hi Shaun
Are you facing the same issue with all the browsers?
Thanks
VJ -
Cfapplication troubleshooting help
A little help for a rusty CF programmer. It's been a while
since I created a site using CF (2 yrs.) and am currently working
on a new project, where I thought I could just snag a bunch of code
from an old site I did that was very similar. I'm on a register.com
server running CF5. I'm not completely sure they've made the DSN
connection in CF Admin yet, since I haven't received an email
confirmation, but I was testing the site today to see if at least
the CF5 service was running yet.
Here's the error:
Error Diagnostic Information
An error has occurred while processing the expression:
session.auth=CFTempOnlyForSetVariableNeverUseThisNameInYourCFMLCode122333444455555654321
Error near line 1, column 1.
Attempt to access a Session variable when session management
is not enabled. Use the CFAPPLICATION tag to enable session
management.
Note: This feature may have been disabled by the site
administrator.
The error occurred while processing an element with a general
identifier of (CFPARAM), occupying document position (8:1) to
(8:45).
Date/Time: 06/22/07 09:47:58
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Here is what my application.cfm code looks like:
<!--- security measures. set logged in to default no
--->
<CFPARAM name="session.auth" DEFAULT="FALSE">
<!--- Application parameters defined --->
<CFAPPLICATION name="js2" clientmanagement="Yes"
sessionmanagement="Yes" sessiontimeout="#CreateTimeSpan(0,1,0,0)#"
applicationtimeout="#CreateTimeSpan(0,1,0,0)#">
<!--- session timeout has been set for 1 hours,
application timeout has been set for 1 hour --->
<!--- set certain variables --->
<CFSET Application.DSN = "js2">
<cflock name="quickLock" timeout="20"
throwontimeout="yes">
<cfif NOT IsDefined("session.rollcount")>
<cfset session.rollcount = 1>
<cfcookie name="isOn" value="Testing">
<cfset application.addToken =
"cfid=#Client.cfid#&cftoken=#client.cftoken#">
<cfelse>
<!--- check to see if cookies are on. If not, make a
query string variable with the CFID and CFTOKEN variables --->
<cfset application.addToken = IIF(NOT
IsDefined("cookie.isOn"),
DE("cfid=#client.cfid#&cftoken=#client.cftoken#"), DE(""))>
</cfif>
</cflock>
<!--- cfif --->
As you can see I have cfapplication in the code and
sessionmanagement has been set to yes. Any ideas? Thanks.
Turns out the response from tech support at register.com says
that I cannot use sessionmanagement. If I read their response
correctly. I find that rather odd. I suppose they don't want to tie
up their servers with extra memory. -
Version migration, shared ssl, session variables
I'm migrating a shopping cart application from Cold Fusion
4.5 to a new server running MX 7, and have run into a weird problem
transferring session variables.
Basically, there's two sites running on one physical server.
The catalog, and then the shared ssl checkout pages. I'll call them
catalog.com and sharedssl.com.
Under 4.5, if I passed CFID & CFTOKEN in a link from
identically named applications on catalog.com to sharedssl.com, the
session and all its associated variables would transition
seamlessly forward. Under MX, this is no longer happening. The
*very first page* on sharedssl.com (the one that was directly
passed CFID & CFTOKEN) will have access to those variables, but
any subsequent pages on sharedssl.com will just throw errors.
Looking at the debugging info, it's obvious that under MX a
new CFID and CFTOKEN are being assigned when the user goes to
sharedssl.com, regardless of the session id that was passed on; as
soon as the "old" CFID & CFTOKEN aren't being explicitly
mentioned, the "new" ones take over, resulting in a completely
blank session.
Has anyone else experienced anything similar? Is there a
simple fix?
I have some ideas on how to make this work, but I'd really
like to keep this project a "migration," and not, ie., a
"rewrite." I guess I'm wondering whether there's a configuration
checkbox I'm unaware of, or perhaps some arcane option in
cfapplication that will restore the old behavior.
Thanks for any help,
Tim
On which page is the following code?
After login, user is validated and set values to those session.variables:
........user validation codes here......................
<cfif mylogin NEQ true>
<cflocation url="/login/login.cfm">
<cfabort>
<cfelse>
<cfset session.loggedin="Yes">
<cfset session.username="#Trim(Form.username)#">
<CFSET qUserRights = LoginObj.getUserRights('#Trim(Form.username)#')>
<cfset session.userrights = qUserRights><!--- it's a query --->
<CFSET qUserGroup = LoginObj.getUserGroup('#Trim(Form.username)#')>
<cfloop query="qUserGroup">
<cfset session.usergroup = user_group>
<cfbreak>
</cfloop>
<!--- ****************** ???????????????????????????????????????????????????????????????????????????
When I do cfdump in at this level, I can see that all of these session variables have been assigned to their values.
But these session variables are not accessible from other pages. Other pages still show these session variable without its value.
So, when I use these cfdumps in the index.cfm it is shown as they're not yet assigned with any values ****************** --->
<cfdump var="#session.loggedin#">
<cfdump var="#session.username#">
<cfdump var="#session.userrights#">
<cfdump var="#session.usergroup#">
</cfif>