Participant
October 20, 2010
Answered

Problem creating session

Hello,

I'm using CF8 with Windows 7.

In my CF administration, session variables are enabled but not in J2EE mode.

In my application.cfc I have these lines:

<cfcomponent output="false">
    <cfset this.name="app">
    <cfset this.sessionManagement="true">
    <cfset this.loginStorage="session">
    <cfset this.setClientCookies="false">
    <cfset this.sessiontimeout="#createtimespan(0,0,20,0)#">

In my onRequest function I try to set a session variable:

    <cfif (not(structKeyExists(session, "varName")))>
        <cfset session.varName = createobject("component", "cfcs.componentName")>
    </cfif>

Why isn't session.varName created?

If I set the J2EE mode in cf administration everything goes right.

Unfortunately, my provider doesn't have session variables in J2EE mode.

Thanks,

Davide

    ecobb (Correct answer)
    Inspiring
    October 21, 2010

    Try setting setClientCookies="true".

    If it is set to false, then you have to pass the CFIDE and CFTOKEN as URL variables in every request in order for the sessions to work.  J2EE sessions ignore the ColdFusion session values, so by turning J2EE session on you eliminated the need for the CFIDE and CFTOKEN and your sessions started working.

    Wave_cult (Author)
    Participant
    October 21, 2010

    Thanks for your reply.

    Now I will check my code to keep the CFIDE and CFTOKEN across pages.

    It is too dangerous to rely on the hope that every client has cookies enabled.

    Davide

    Participating Frequently
    October 21, 2010

    I tend to disagree. From my experience you can nowadays reasonably safely assume that people do have cookies enabled and/or depending on the type of your site. Not using cookies but pushing the CFID/CFTOKEN along in the URL has a lot of other issues:

    - people sending around a link to their friends via email or chat, potential of session hijacking

    - CFTOKEN is not highly secure - you at least want to set CF to use a UUID for CFTOKEN

    - You need to make sure that every link, every form action, every CFLOCATION etc. carries the CFID/CFTOKEN around, it's very easy to miss it in places

    Not all is lost though. There is a function called URLSessionFormat (http://livedocs.adobe.com/coldfusion/8/htmldocs/functions_t-z_11.html#139074) that might help you and offer the best of both worlds. Using it will just append the URL data if the client doesn't accept the cookie. Have a look at the documentation and give that a try.

    Cheers

    Kai
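
Added example, not part of the thread or of ColdFusion: a Python audit of web access logs for the two risks raised in the last reply, a CFID/CFTOKEN pair in the URL that shows up from more than one client address (a shared or leaked link) and a purely numeric CFTOKEN. The log lines are constructed, the function names are hypothetical, and treating an all-digit CFTOKEN as the non-UUID form is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Oct/2010:10:00:01 +0000] "GET /cart.cfm?CFID=1201&CFTOKEN=48291734 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Oct/2010:10:00:09 +0000] "GET /pay.cfm?CFID=1201&CFTOKEN=48291734 HTTP/1.1" 200 733 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2010:10:04:30 +0000] "GET /cart.cfm?cfid=1201&cftoken=48291734 HTTP/1.1" 200 512 "-" "Opera/9.80"
192.0.2.44 - - [21/Oct/2010:10:05:00 +0000] "GET /index.cfm?CFID=1202&CFTOKEN=a1b2c3d4e5f60718-0A1B2C3D-4E5F-6071-8293A4B5C6D7E8F9 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Oct/2010:10:05:02 +0000] "GET /style.css HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def session_ids_in_urls(log_text):
    """Yield (client_ip, cfid, cftoken) for each request carrying both in the URL."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        # Lower-case the names so CFID/cfid and CFTOKEN/cftoken are treated alike.
        params = {k.lower(): v[0] for k, v in query.items()}
        if "cfid" in params and "cftoken" in params:
            yield m.group("ip"), params["cfid"], params["cftoken"]


def audit(log_text):
    """Return (sessions seen from several client IPs, sessions with numeric tokens)."""
    ips_by_session = defaultdict(set)
    for ip, cfid, cftoken in session_ids_in_urls(log_text):
        ips_by_session[(cfid, cftoken)].add(ip)
    shared = {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}
    # Assumption: an all-digit CFTOKEN means the "use UUID for CFTOKEN" setting is off.
    numeric = sorted(s for s in ips_by_session if s[1].isdigit())
    return shared, numeric


if __name__ == "__main__":
    shared, numeric = audit(SAMPLE_LOG)
    for (cfid, _), ips in shared.items():
        print(f"CFID {cfid}: same URL session used from {', '.join(ips)}")
    for cfid, _ in numeric:
        print(f"CFID {cfid}: numeric CFTOKEN in URL")
```

A session seen from two addresses is a lead to review rather than proof of hijacking, since clients behind changing proxies or mobile networks can also switch addresses mid-session.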