
Sticky session without cookie is broken

New Here, Nov 10, 2009


Hi,

I need help from you guys to confirm this is something not supported by newer versions of ColdFusion any more.

Background:

This is for a mobile on-deck site of a carrier in Australia. The carrier appends a unique ID (a 10-digit number) by HTTP header to each handset's HTTP request to the ColdFusion server. Our ColdFusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookies, we turned off client cookies and instead use the following code to tell the ColdFusion server that a CFID and CFTOKEN have been passed to it in the query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by the ColdFusion server but externally by our code). This code had been working for years, which enabled us not to depend on client cookies and CFID/CFTOKEN in the query string to maintain sessions for on-deck mobile sites. However, this code stopped working after we applied ColdFusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on ColdFusion 8.0.1. Every request will start a new session rather than stick to the same session after that.

<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"
    setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">

Can someone please verify that the above logic is not supported by new versions of ColdFusion anymore?

Thanks.

Community Expert, Nov 15, 2009


I would check whether the use of application and session variables has been enabled in the Administrator. Further, I would set setclientcookies to 'yes'. It will be ignored anyway if the client doesn't support cookies.

Also, instead of using 0.1 days for 2 hours 24 minutes, as you have done, I would stick to custom and use the function createTimeSpan. The session timeout could also be shorter. Here goes:


<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="yes"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

LEGEND, Nov 17, 2009


What is a typical value for request.uid?

--

Adam

New Here, Nov 17, 2009


Thanks Adam, request.uid can be any string between 0000000000 and 9999999999.

- Gary

LEGEND, Nov 17, 2009


OK that's interesting.  I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).

My test rig is thus:

<!--- Application.cfm --->

<cfset request.uid = "9999999999">
<cfset request.site_id = "fakeIdToken">


<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="yes"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

<cfparam name="session.ts" default="#now()#">

<cfdump var="#url#" label="url">
<cfdump var="#request#" label="request">
<cfdump var="#session#" label="session">
<cfdump var="#CGI#" label="CGI">  

And then I hit another page in the same dir.

With any numeric value of request.uid, session.ts sticks. For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.

Are you sure about your UID values?

--

Adam
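
Added example, not part of the thread or any poster's code: a variant of the Application.cfm above that uses request.uid as the CFID only when it matches the 10-digit form described in the thread, and logs when ColdFusion issues its own CFID instead, so the "session does not stick" case shows up in the logs. The log file name sticky_session and the variable uidIsValid are hypothetical; request.uid and request.site_id are assumed to be set earlier, as in the posts, and setclientcookies follows the original question.

```cfml
<!--- Application.cfm (added example; request.uid is assumed to be set
      earlier from the carrier header, as described in the thread) --->

<!--- Accept only the 10-digit numeric form; any other value is not used as a session key --->
<cfset uidIsValid = structKeyExists(request, "uid")
    and reFind("^[0-9]{10}$", request.uid) gt 0>

<cfif uidIsValid>
    <cfset url.cfid = request.uid>
    <cfset url.cftoken = 0>
</cfif>

<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="No"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

<!--- Record whether ColdFusion bound the session to the supplied UID
      or issued its own CFID. Only the last four digits of the UID are
      logged, and CFTOKEN is never written to the log. --->
<cfif uidIsValid and session.cfid neq request.uid>
    <cflog file="sticky_session" type="warning"
        text="UID-keyed session not honoured: uid ending #right(request.uid, 4)#, CF-issued cfid=#session.cfid#">
<cfelseif not uidIsValid>
    <cflog file="sticky_session" type="warning"
        text="Carrier UID missing or malformed; CF-issued cfid=#session.cfid# in use">
</cfif>
```

Because the session key here is the carrier-supplied header value with a fixed CFTOKEN of 0, the session is only as trustworthy as that header; the check validates its format, not its origin.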

New Here, Nov 17, 2009


Yes, I am sure the UID is numeric. All UIDs are saved in our database anyway.

Have you tried to clear your browser cookie and change sessionmanagement="No"? When I tried your code this way, the session did not stick.

LEGEND, Nov 17, 2009

Yep, cleared cookies before starting.

And if you disable session management... you're not going to get sessions.  If you try to use the session scope you will get an error (and rightfully so).

--

Adam
