Skip to main content
G
garyheAu
Participant
November 11, 2009
Question

Sticky session without cookie is broken

  • November 11, 2009
  • 2 replies
  • 890 views

Hi,

I need help from you guys to confirm this is something not supported by newer version of Coldfusion any more.

Background:

This is for a mobile on-deck site of a carrier in Australia. The carrier append an unique ID (a 10 digit number) by HTTP header to each handset’s http request to the Coldfusion server. Our Coldfusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookie, we turned off client cookies and instead use the following code to tell the Coldfusion server that a CFID and CFTOKEN has been passed to it in query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by Coldfusion server but externally by our code) . This code had been working for years which enabled us not to depend on client cookies and CFID/CFTOKEN in query string to maintain sessions for on-deck mobile sites. However, this code started not to work after we applied a coldfusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on coldfusion 8.0.1. Every request will start a new session rather than stick to the same session after that.

<cfset url.cfid = "#request.uid#">

<cfset url.cftoken = 0>

<cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"

                setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">

Can someone please verify that the above logic is not supported by new versions of Coldfusion anymore?

Thanks.

This topic has been closed for replies.

2 replies

A
Adam Cameron.
Inspiring
November 17, 2009

What is a typical value for request.uid?

--

Adam

G
garyheAuAuthor
Participant
November 17, 2009

thanks Adam, request.uid can be any string between 0000000000 and 9999999999.

- Gary

A
Adam Cameron.
Inspiring
November 18, 2009

OK that's interesting.  I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).

My test rig is thus:

<!--- Application.cfm --->

<cfset request.uid = "9999999999">
<cfset request.site_id = "fakeIdToken">


<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="yes"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

<cfparam name="session.ts" default="#now()#">

<cfdump var="#url#" label="url">
<cfdump var="#request#" label="request">
<cfdump var="#session#" label="session">
<cfdump var="#CGI#" label="CGI">  

And then I hit another page in the same dir.

With any numeric value of request.uid, sessio.ts sticks.  For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.

Are you sure about your UID values?

--

Adam

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
November 15, 2009

I would check whether the use of application and session variables has been enabled in the Administrator. Further, I would set setclientcookies to 'yes'. It will be ignored anyway if the client doesn't support cookies.

Also, instead of using 0.1 days for 2 hours 24 minutes, as you have done, I would stick to custom and use the function createTimeSpan. The session timeout could also be shorter. Here goes:


<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="yes"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices