
Tracking the CFTOKEN

Dec 11, 2011 5:51 AM

Hello,

 

How do I track the CFTOKEN of a logged-in user throughout the whole site?

I have seen cases where the CFTOKEN is passed through as a FORM submit from page to page.

Is this a proper way to track the CFTOKEN?

 

Thanks

 
Replies
  • Dec 11, 2011 6:36 AM   in reply to umuayo

    Yes, that is one way to track session tokens, of which CFTOKEN is one. But I can think of a more convenient way.

     

    Enable application and session variables in the ColdFusion Administrator. If you're using Application.cfm, apply something like

     

    <!--- name is a required attribute; "myApp" is a placeholder --->
    <cfapplication name="myApp" applicationTimeout="#createTimespan(1,0,0,0)#" sessionTimeout="#createTimespan(0,0,20,0)#" sessionManagement="yes" loginStorage="session">

     

    If using Application.cfc, apply

     

    <cfset this.applicationTimeout="#createTimespan(1,0,0,0)#">

    <cfset this.sessionTimeout="#createTimespan(0,0,20,0)#">

    <cfset this.sessionManagement="yes">

    <cfset this.loginStorage="session">

     

    Then, if you use <cflogin> and <cfloginuser> to log the user in, ColdFusion will automatically maintain the user's CFID and CFToken as the user navigates from page to page, until the user logs out or until his session expires.
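
An Application.cfc combining the settings above with a `<cflogin>` / `<cfloginuser>` login step, added here as an example and not code from anyone in this thread. Assumptions: the application name, the datasource `exampleDSN`, the `app_users` table and its columns, and a `loginform.cfm` page that posts `j_username` and `j_password`.

```cfml
<!--- Application.cfc (added example). exampleApp, exampleDSN, app_users and its
      columns, and loginform.cfm are assumptions, not from the thread. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.applicationTimeout = createTimespan(1,0,0,0)>
    <cfset this.sessionTimeout = createTimespan(0,0,20,0)>
    <cfset this.sessionManagement = true>
    <!--- CFID and CFTOKEN are sent as cookies, so no form field or URL parameter carries them --->
    <cfset this.setClientCookies = true>
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var qUser = "">
        <cfset var loggedIn = false>

        <!--- A POST with a "logout" field ends the login for this session --->
        <cfif structKeyExists(form, "logout")>
            <cflogout>
        </cfif>

        <!--- The cflogin body runs only when this session has no logged-in user --->
        <cflogin>
            <!--- The cflogin structure exists when the form posted j_username and j_password --->
            <cfif isDefined("cflogin")>
                <cfquery name="qUser" datasource="exampleDSN">
                    SELECT user_name, pw_salt, pw_hash, roles
                    FROM app_users
                    WHERE user_name = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <!--- pw_hash is assumed to hold hash(pw_salt & password, "SHA-512") as hash() returns it --->
                <cfif qUser.recordCount EQ 1 AND
                      compare(qUser.pw_hash, hash(qUser.pw_salt & cflogin.password, "SHA-512")) EQ 0>
                    <cfloginuser name="#qUser.user_name#" password="#cflogin.password#" roles="#qUser.roles#">
                    <cfset loggedIn = true>
                </cfif>
            </cfif>
            <!--- No valid login yet: show the form and stop before the requested page runs --->
            <cfif NOT loggedIn>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Once the login succeeds, any page can call `getAuthUser()` or `isUserInRole()` without handling CFID or CFTOKEN itself.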

     
  • Dec 11, 2011 7:28 AM   in reply to umuayo

    How then does the site log the user in?

     
  • Dec 11, 2011 8:11 AM   in reply to umuayo

    Do you have session management enabled?  If so, the CFToken is in the user's session and is already being tracked. The CFID and CFToken cookies are already passed on each request.

     

    If you don't have session management enabled, why not?

     

    Passing tokens on every request is a GINORMOUS PITA. You don't want to have to do that.

     

    Jason

     
  • Dec 11, 2011 8:53 AM   in reply to 12Robots

    12Robots wrote:

     

    Passing tokens on every request is a GINORMOUS PITA.

    Let alone tying the tokens with authentication.

     
  • Dec 12, 2011 8:56 PM   in reply to umuayo

    I think it sounds like he wants a new session for each browser/tab etc.

     
  • Dec 12, 2011 9:45 PM   in reply to parkerst

    In my personal opinion, that is madness.

     
  • Dec 12, 2011 10:02 PM   in reply to 12Robots

    Agree, I've only ever seen real justification for this once, in my entire career.

     