session.cfid/cftoken

Report · Jun 14, 2007

I am a developer on a government intranet. I have developed serveral application that use cgi variables to get the user's login ID and other information. I then use that information to check against a database to determine if the user has access to the application and at what level. I set session variables that keeps that information.

Well in the past month or so some users can't get past the initial page. It recognizes and authenticates them. But when they click on a link to go to another page the application just kicks them back to the start page. I have this at the beginning of every page to keep user's from trying to copy and past URL's.

<cfif NOT isDefined("session.index")>
<cflocation url="index.cfm">
</cfif>

So this session.index is being erased which sends them back to index.cfm and I don't know why.

Another developer found a work around which requires addition #session.URLToken# to every hyperlink or form action.

I thought that it might be a problem with user's not being able to accept cookies. But one of the user's that gets kicked out of the application has a cookie from the application on their machine.

Any ideas??? I am trying to avoid adding #session.URLToken# to dozens of links in dozens of pages in dozens of applications

Report · Jun 14, 2007

It sounds to me like you are losing the session which causes another session to immediately start when you hit the next page with a brand new cfid and cftoken. You can verify this by outputting the cfid and cftoken on both the login page and the next page - if they are not the same then this is the case. And yes, you can get around this by passing the id and token although it's not the best solution - it would be much better to find out why you're losing the session in the first place. If you do decide to pass the id and token, keep in mind you will need to pass them on every page of the site (which is ok for a small site, but a huge pain on something a bit larger, as well as a possible security concern).

I encountered this exact situation for a couple of our apps that actually need to run inside a frameset of another large portal app that we don't host and have no control over. No matter what we tried, the session was always being lost when running in the portal frameset. We ended up passing the id and token from page to page as we found no other solution. Fortunately these were very small sites with only a few pages.

You have the choice to either pass the id and token in hidden fields in forms or in the url querystring. Hidden fields would be a little better allowing post submissions rather than get imho. In addition, the <cflocation...> tag offers the AddToken="Yes/No" attribute which if set to "Yes" will pass the token in the url.

Actually, we had a similar but totally unrelated issue on one of our very old servers a few years ago. That problem stemmed from the fact that the server had an illiegal host name (the name had an underscore character [.e. my_host.mydomain.com] which is technically illegal for a host name). Unfortunately, since it isn't that easy to change the host name once the server has been set up the it folks instead chose to create multiple dns entries with aliases (don't ask me exactly how 'cause I don't quite know) to get around this - all I know is that it was really a mess for a while. I remember having lots of issues with losing sessions on taht server. Fortunately it is now ancient history (thankfully).

Adobe Community

session.cfid/cftoken