Wednesday, August 4, 2010

How to write CFID and CFTOKEN as per-session cookies?

Cookies are normally saved to the client's hard drive in a text file, so the CFID and CFTOKEN values that identify a ColdFusion session survive after the browser is closed. To ensure that a user's session ends when they close their browser, save the cfid and cftoken values as per-session cookies instead. Per-session cookies are not written to a text file on the user's computer; they are held in the browser's memory and are discarded when the browser is closed. If the user then opens a new browser window and revisits the same ColdFusion web site, the cfid and cftoken values that previously identified them no longer exist, so ColdFusion creates a new session for that user.


<!--- Turn off ColdFusion's own client cookies so it never writes CFID/CFTOKEN to disk --->
<cfapplication
    name="myapp"
    sessionmanagement="Yes"
    setclientcookies="No">

<!--- First request of a session: hand the identifiers to the browser ourselves.
      A cfcookie with no expires attribute is a per-session (in-memory) cookie.
      Both cookies are checked so a half-set pair is repaired rather than ignored. --->
<cfif not (IsDefined("cookie.cfid") and IsDefined("cookie.cftoken"))>
    <cflock scope="session" type="readonly" timeout="5">
        <cfcookie name="cfid" value="#session.cfid#">
        <cfcookie name="cftoken" value="#session.cftoken#">
    </cflock>
</cfif>
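The same technique written as an Application.cfc, for sites that use the component instead of the cfapplication tag. This is an added example, not code from the original post or from the Adobe technote; the application name, session timeout and the use of ColdFusion 9's httponly attribute on cfcookie are assumptions. Because onSessionStart runs exactly once, on the request that created the session, the cookie.cfid check and the cflock from the tag version are not needed here.

```cfml
<!--- Application.cfc: issue CFID/CFTOKEN as per-session cookies (added example) --->
<cfcomponent output="false">
    <cfset this.name = "myapp">                                  <!--- assumed name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>    <!--- assumed: 30 minutes --->

    <!--- Stop ColdFusion from writing its own persistent CFID/CFTOKEN cookies --->
    <cfset this.setClientCookies = false>

    <!--- Runs once when ColdFusion creates a new session, i.e. when no valid
          CFID/CFTOKEN pair arrived with the request --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- No expires attribute: the browser keeps these cookies in memory and
              discards them when it closes. Adding expires="30" (days) would write
              them to disk, which is exactly what this pattern avoids.
              httponly keeps the identifiers out of reach of page scripts
              (ColdFusion 9 or later; assumed available). --->
        <cfcookie name="CFID" value="#session.cfid#" httponly="true">
        <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
    </cffunction>
</cfcomponent>
```

If the site is served over HTTPS, adding secure="true" to both cfcookie tags keeps the identifiers from being sent over plain HTTP as well.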


References:
http://kb2.adobe.com/cps/179/tn_17915.html
http://www.thenetprofits.co.uk/coldfusion/faq/topic.cfm
http://www.adobe.com/devnet/coldfusion/articles/dev_security/coldfusion_security_cf8.pdf

1 comment:

  1. I want to accomplish the opposite; how do I do it?

    I want the TOKEN and ID to remain after the user closes the browser, so that when he revisits the page I can use #session.UsersInfo# and it knows his old info.