Test browser accepting cookie

If your server is set up he standard way (recommended), you can merely check for the existance of a standard cookie.
"CFTOKEN" for example.

Otherwise, the detection process is outlined here:
http://www.coldfusioncookbook.com/entry/91/How-can-I-detect-if-the-browser-accepts-cookies? .

Finally, if you are using cookies for Client var storage, keep in mind that the user can see and alter anything that you store on his machine (may or may not be a problem).

For sensitive client var storage, use the databasemechanism. (NEVER, EVER, use the registry!)

quote:

---

Originally posted by: doug777
Thanks for all replies.

I intend to use database storage for the Client variables and thanks for the warning about the registry. Why is this set as the default - it sounds a horrible solution even to me?

Am I right in thinking that my index page (which gets hit only once in any session and contains the code to find out which database the client belongs to and then sets the necessary variables) should be where I set clientManagement on and not in the Application page as all the books suggest?

If I then check to see if CFToken has been set in this index page, will it actually have been set by that time or not?

Doug

---

A lot of people have rightfully said that the registry should not even be an option and registry abuse has contributed to CF's reputation as unstable.
Adobe even tells you not to use it. So why it is the default?! ... ...

The cookie check and all client and session settings should be wherever you have your cfapplication tag. It is a good idea to have all of this in Application.cfm and a better idea to use Application.cfc.

Yes, 95% of the time, the CFToken or CFID will be set by the time your code fires (If cookies are enabled).
In any case:
1) Check for CFToken. If present use cfcookie with confidence and process the page.
If not present, use the cookie check scheme outlined by Massimo (url above).

Yes, the code would get triggered with every request.
But then again lots of code, like cfapplication, etc. gets triggered by every request.

If you use the methods suggested, the cookie check adds no detectable extra time (unless cookies are disabled).

Also, I won't ask how you restrict the index page to once per session but consider:

The user can (and power users often do) delete or turn off cookies while the session is still valid.
(Hackers and script-kiddie bots will also change cookies in an attempt to hijack a session.)

You don't have to put all the persistent scope checking/init in the same place -- it's just a best practice.

You're welcome!

Now that I've made you sufficiently suspicious ;-),
please remember that cookies can still be useful -- but just to improve the user experience (unless you are one of the bad guys, then they get even more useful ).