Hello,
I'm using CF8 with Windows7.
In my CF administration, session variables are enabled but not in J2EE mode.
In my application.cfc I have these lines:
<cfcomponent output="false">
<cfset this.name="app">
<cfset this.sessionManagement="true">
<cfset this.loginStorage="session">
<cfset this.setClientCookies="false">
<cfset this.sessiontimeout="#createtimespan(0,0,20,0)#">
In my onRequest function I try to set a session variable:
<cfif (not(structKeyExists(session, "varName")))>
<cfset session.varName = createobject("component", "cfcs.componentName")>
</cfif>
Why isn't session.varName created?
If I set the J2EE mode in CF administration, everything works.
Unfortunately, my provider doesn't have session variables in J2EE mode.
Thanks,
Davide
Try setting setClientCookies="true".
If it is set to false, then you have to pass the CFIDE and CFTOKEN as URL variables in every request in order for the sessions to work. J2EE sessions ignore the ColdFusion session values, so by turning J2EE session on you eliminated the need for the CFIDE and CFTOKEN and your sessions started working.
Thanks for your reply.
Now I check my code to keep the CFIDE and CFTOKEN across pages.
It is too dangerous to rely on the hope that every client has cookies enabled.
Davide
I tend to disagree. From my experience you can nowadays reasonably safely assume that people do have cookies enabled and/or depending on the type of your site. Not using cookies but pushing the CFID/CFTOKEN along in the URL has a lot of other issues:
- people sending around a link to their friends via email or chat, potential of session hijacking
- CFTOKEN is not highly secure - you at least want to set CF to use a UUID for CFTOKEN
- You need to make sure that every link, every form action, every CFLOCATION etc. carries the CFID/CFTOKEN around, it's very easy to miss it in places
Not all is lost though. There is a function called URLSessionFormat (http://livedocs.adobe.com/coldfusion/8/htmldocs/functions_t-z_11.html#139074) that might help you and offer the best of both worlds. Using it will just append the URL data if the client doesn't accept the cookie. Have a look at the documentation and give that a try.
Cheers
Kai
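Added example, not part of the thread and not code from any poster: a log check for the risk in Kai's first bullet, flagging any CFID/CFTOKEN pair that arrives in URLs from more than one client. The combined log format, the sample lines and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2010:10:01:02 +0000] "GET /cart.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; Firefox/3.6)"
203.0.113.10 - - [12/Mar/2010:10:01:40 +0000] "GET /checkout.cfm?cfid=1201&cftoken=48213377 HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Windows; Firefox/3.6)"
198.51.100.7 - - [12/Mar/2010:10:09:15 +0000] "GET /cart.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
192.0.2.44 - - [12/Mar/2010:10:10:00 +0000] "GET /index.cfm?CFID=1202&CFTOKEN=90155264 HTTP/1.1" 200 220 "-" "Opera/9.80"
192.0.2.44 - - [12/Mar/2010:10:10:05 +0000] "GET /style.css HTTP/1.1" 200 90 "-" "Opera/9.80"
"""

# Assumed layout: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def session_key(target):
    """Return (CFID, CFTOKEN) from a request target, or None if either is absent."""
    query = parse_qs(urlsplit(target).query)
    params = {k.lower(): v[0] for k, v in query.items()}  # match names case-insensitively
    if "cfid" in params and "cftoken" in params:
        return params["cfid"], params["cftoken"]
    return None

def shared_sessions(log_text):
    """Map each URL-borne session id to its clients; keep ids seen from more than one."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        key = session_key(m.group("target"))
        if key:
            clients[key].add((m.group("ip"), m.group("ua")))
    return {k: sorted(v) for k, v in clients.items() if len(v) > 1}

if __name__ == "__main__":
    for (cfid, cftoken), seen in shared_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} used by {len(seen)} clients:")
        for ip, ua in seen:
            print(f"  {ip}  {ua}")
```

A hit is a lead to investigate, since clients behind changing addresses can also produce one.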
+1 Kai
I now assume people have cookies enabled, and if they don't - screw 'em. There's only so far you can go to make sure your site is available to everyone and whilst keeping the IDs in the URL will work, as Kai points out there are security implications involved here; implications large enough that they normally massively outweigh the advantages of not needing cookies. You can't expect to run IE6 with cookies and JavaScript disabled and be able to use the internet any more.
If it ever comes down to a decision between security and *anything*, you should be seriously questioning a decision if you don't decide that security is more important.
O.