
Session question(s)

Contributor, Jan 30, 2013


I have session management enabled on my website because if I start getting a lot of comments on my blog posts and photos, I'll probably build in logins/accounts/etc so I don't have to approve every post (my posts are moderated because any CAPTCHA that stops them stops the humans first).

I have the following in my Application.cfc file:

<cfscript>
    this.name = "cwcms";
    this.sessionManagement = "Yes";
    this.sessionTimeout = CreateTimeSpan(1,0,0,0);
    this.setClientCookies = "No";
    this.loginstorage = "session";
</cfscript>

I'm sure some of that will have to change if I implement accounts/login, but my question is this:

When I load any page on my website, I see something like this on the end of the URL:

http://mydomain.com/gallery/#.UQnJyZFDvx8

I'm assuming that's the session ID, correct?  I assume this because if I remove the above code from my Application.cfc file, that string vanishes.

The question is, could this be interfering with the <cffileupload> tag?  If I remove that code, my <cffileupload> box vanishes, but even with it, any file I upload gives a 401 error (but only on my hosted site (CF9) and not locally (CF10)).

I'm using this for my <cffileupload>:

<cfset session.storage = replace(createUUID(), "-","_","all")>

<form name="uploads" method="post" action="manageuploads.cfm">
    <p><cffileupload
            width="640"
            extensionfilter="jpg,jpeg,png,JPG"
            url="photoprocess.cfm?#urlEncodedFormat(session.urltoken)#"
            name="photos"
            bgcolor="808080"
            wmode="transparent"
            maxfileselect="25"
            /></p>
    <p><input type="submit" name="done" value="Next" /></p>
</form>

Should I be pulling a different value for that session.storage variable?

Community Expert, Jan 31, 2013


I think you should reduce the timeout to a value much less than 1 day and maintain sessions using cookies. Something like this:

this.sessionTimeout = CreateTimeSpan(0,0,20,0);
this.setClientCookies = "yes";

Contributor, Jan 31, 2013


@BKBK: Hmm, interesting.  With client cookies enabled, I still have that weird string at the end of my URLs.  Maybe my session from yesterday is still alive?

So, with sessionTimeout set to 20 minutes, if I wanted someone who had logged in yesterday to still be logged in today, instead of setting a 1 day session, I'd write something that read the cookie on their machine, and have a variable or something that decided if enough time had passed to require them to log in again, right?  I'd probably have to change loginstorage from session to cookies.

I don't get to do much of this at work since we're not allowed to have logins or accounts (they're handled by a separate machine altogether) so I've had no opportunity to practice any of this until now (which is why I decided to redo my website in CF in the first place).

@WolfShade: Yeah, that's really weird.  I use <cfif StructKeyExists(FORM,"submit_button_name")> on my form processing pages as a trigger, and sometimes it just doesn't trigger at all, so I end up testing for null instead. 

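The design sketched in the post above (a short server session, plus a separate cookie that decides whether a returning visitor must log in again) as an added example, written in Python rather than CFML; it is not the poster's code and not ColdFusion's own session mechanism. Assumptions: the in-memory dicts stand in for database tables, the "selector:validator" cookie format is this example's own convention, and the reference instant T0 is constructed for the demonstration.

```python
"""Remember-me tokens kept separate from a short-lived server session.

Added example (not from the forum thread). The remember-me cookie carries a
random selector and a random validator; only the validator's hash is stored,
so a copied database does not yield usable cookies, and every redeem rotates
the token so a stolen cookie can be used at most once.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(minutes=20)   # idle timeout, like the 20-minute suggestion
REMEMBER_TTL = timedelta(days=30)     # how long the "remember me" cookie lives

# Constructed reference instant so the flow is reproducible offline.
T0 = datetime(2013, 1, 31, tzinfo=timezone.utc)

# Constructed in-memory stores standing in for database tables (assumption).
SESSIONS = {}   # session_id -> {"user": str, "expires": datetime}
REMEMBER = {}   # selector   -> {"user": str, "validator_hash": str, "expires": datetime}


def at(**delta) -> datetime:
    """Return T0 shifted by the given timedelta keyword arguments."""
    return T0 + timedelta(**delta)


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def start_session(user: str, now: datetime) -> str:
    """Create a server-side session with a fresh unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def session_user(sid: str, now: datetime):
    """Return the user for a live session, or None if unknown or idle too long."""
    rec = SESSIONS.get(sid)
    if rec is None or now >= rec["expires"]:
        SESSIONS.pop(sid, None)
        return None
    rec["expires"] = now + SESSION_TTL   # sliding idle timeout, as CF's sessionTimeout behaves
    return rec["user"]


def issue_remember_cookie(user: str, now: datetime) -> str:
    """Return a cookie value 'selector:validator'; only the validator hash is stored."""
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER[selector] = {"user": user, "validator_hash": _hash(validator),
                          "expires": now + REMEMBER_TTL}
    return f"{selector}:{validator}"


def revoke_user(user: str) -> None:
    """Drop every remember-me token for a user (logout everywhere / suspected theft)."""
    for sel in [s for s, r in REMEMBER.items() if r["user"] == user]:
        del REMEMBER[sel]


def redeem_remember_cookie(cookie: str, now: datetime):
    """Turn a valid remember-me cookie into (user, new_session_id, new_cookie).

    Returns None if the cookie is malformed, unknown, expired or tampered.
    """
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    rec = REMEMBER.pop(selector, None)   # single use: every redeem rotates the token
    if rec is None or now >= rec["expires"]:
        return None
    if not hmac.compare_digest(rec["validator_hash"], _hash(validator)):
        # Known selector with the wrong validator means the cookie was copied or
        # tampered with; revoke all of this user's tokens so they log in afresh.
        revoke_user(rec["user"])
        return None
    sid = start_session(rec["user"], now)
    return rec["user"], sid, issue_remember_cookie(rec["user"], now)


def set_cookie_header(name: str, value: str, max_age: timedelta) -> str:
    """Build the Set-Cookie header a login cookie should carry."""
    return (f"{name}={value}; Max-Age={int(max_age.total_seconds())}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    cookie = issue_remember_cookie("alice", T0)
    print(set_cookie_header("remember", cookie, REMEMBER_TTL))
    print(redeem_remember_cookie(cookie, at(days=1)))   # (user, session id, rotated cookie)
    print(redeem_remember_cookie(cookie, at(days=1)))   # None: old cookie already used
```

The session itself still expires after 20 idle minutes; the remember-me cookie only lets the visitor obtain a new session without typing a password, which is the "checked the box when I logged in" feature discussed later in the thread.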
LEGEND, Jan 31, 2013


Regarding "if I wanted someone who had logged in yesterday to still be logged in today": then you are not security conscious.

Contributor, Jan 31, 2013


Dan Bracuk wrote:

Then you are not security conscious.

Well then neither is Adobe, because my login here persists for ages before I have to log in again.

LEGEND, Feb 01, 2013


So does mine.  That's because I checked the box when I logged in.  Does your application have that feature?

Contributor, Feb 01, 2013


My application doesn't have any features yet relating to logins.  I'm asking these questions so that I can understand as much as possible before I even begin to build the login system.  I may not even do a login system at all if I only get a few blog or photo comments per month, but I still want to understand how things work, in case I decide to. 

I think it would be nicer for users to be able to log in and leave comments on several photos, rather than have to do a captcha or whatever each time, then wait til I log in on my side and approve the posts before they appear.

LEGEND, Feb 01, 2013


Even if you don't get that many users/comments, create the login.  If you don't, you will be (eventually) discovered by spammers, and then you will have hundreds of spammy comments, every day.  Not just spam, but also malicious links to websites that install viruses or malware.

^_^

Contributor, Feb 01, 2013


Oh, I've already gotten a few spam blog comments, but since all comments are moderated, I just deleted them.  I've had a website at this url since 1999, and a blog since probably 2004, so I'm actually surprised there hasn't been more spam, unless the CF captcha is working better than I think it is.

I've noticed that setting the clientcookies to true seems to have gotten rid of the random character sequence that was appended to the URL.  Now I have nice clean URLs again.

LEGEND, Jan 31, 2013


I agree with BKBK; we've had issues when session timeout is set to 6 hours.  Something will "empty" the variables (we still haven't tracked that down, yet) but leave them in place.  So if we check StructKeyExists(session,"foo") or isDefined("session.foo"), they are still there, but the data is gone.

^_^
