With CFMX there are a few new features you can take advantage of in relation to session and client variable handling, namely:
- Using UUID for the CFToken value
- Using J2EE Session Variables
We all know that using session variables primarily relies on the user have enabled cookies in their browser, otherwise you need to pass CFIDE and CFTOKEN along the URL. This can be painful as you need to ensure you pass this client identity along with every request, whether it be an
With URLSessionFormat() ColdFusion automatically detects whether templates are passing the required cookie, if it isn’t then it will pass the values along the URL for you!
So with the following:
<a href="#URLSessionFormat("order.cfm?orderID=123")#">Order Page</a>
<a href="order.cfm?orderID=123&cfid;=xxxx&cftoken;=xxxxxxxx">Order Page</a>
If cookies are being accepted then CFIDE and CFTOKEN won’t be passed.
UUID for CFTOKEN value
In ColdFusion Administrator on the ‘Server settings/Settings’ page you can choose to “Use UUID for cftoken”. This guarantees a unique identifier for the token, instead of a normal 8 digit number which could be guessed by a malicious user.
J2EE Session Variables
Work the same way as CFIDE and CFTOKEN but use a JSessionID instead. One of the coolest things about jsessionid’s is that when a user closes his or her browser the session terminates because the cookie set is non-persistant, held only in the browsers memory!