I will look into using cookies. The only issue with cookies is that a user can disable them in their browser, and the core functionality will be unavailable. I also do NOT have a session timeout set. I cannot think of what else to do that would be better and for the life of me cannot think of why storing this in a session is a bad idea. I am trying to get ahead of any issues that may arise. How does the session timeout work? Does the session get refreshed when the user uses the session variable and the timeout gets restrted? Or, does it go away no mater what 30 mins after it gets created?
There is nothing wrong with storing it in a session if you are OK with prompting them for the value again if they let their session timeout.
Getting errors is, of course, not acceptable. You need to write your application so that before it tries to use the session value it checks for its existence. If it does not exist, then redirect the user to a page where they can select it again.
If you are not OK with prompting them for the value again, then you'll have to do somethign else, like set a cookie. If they have cookies disabled you will need to warn them that the application will not work with cookies disabled. Of course, sessions won't work with cookies disabled either. Frankly, I think users with cookies disabled are stupid and they are probably use to havign 80% of the internet not work for them.
There are no perfect solutions in a stateless environemnt like the web. You are not going to find a better solution than storing it in a session variable or in a cookie.
I restored the session timeout. I will follow robots advice above. I will ask for the location if the session times out. The only issue I have right now is that I want to default the location on the first time in the app. Then, if it times out, I would like to take them to a form where they can choose the location again. I just dont wnat to take them to the choose location page every time they login.
I restored the session timeout.
Aha. I am assuming you've done something like this in the application file:
<cfapplication name="myApp" applicationTimeout = "#createTimespan(1,0,0,0)#" loginStorage = "session" sessionmanagement="yes" sessiontimeout="#createtimespan(0,1,0,0)#".>
this.name = "myApp";
this.applicationTimeout = "#createTimespan(1,0,0,0)#";
this.loginStorage = "session";
this.sessionManagement = "true";
this.sessionTimeout = "#createTimeSpan(0,1,0,0)#";
You should then have, on the action page of the form which sets the location:
<cfset session.location = form.location>
Naturally, at some point down the line, your code uses the variable session.location. That is why you created it.
Just before that point, perform a test for the existence of session.location. If it doesn't exist, redirect the user to the login page.
I just dont [want] to take them to the choose location page every time they login.
You should. I do believe that that is the standard way.
User logs in. ColdFusion attributes a session to the user. You attach the user's specific variables, such as location, to the session (also possible by other means such as cookie, client, etc., but I'm only talking here about session). One user-specific variable you also attach to the session is the login.
Once the session expires, so does the user's login. There is therefore no point in ColdFusion holding on to a location for which there is no logged-in user.
If a location is specific to a user, and you want your application to remember it, then store it in the database. Again, there are alternatives here, for example, storage in a cookie.