9 Replies Latest reply on Feb 1, 2013 10:33 AM by BreakawayPaul

    Session question(s)

    BreakawayPaul Level 2

      I have session management enabled on my website because if I start getting a lot of comments on my blog posts and photos, I'll probably build in logins/accounts/etc so I don't have to approve every post (my posts are moderated because any CAPTCHA that stops them stops the humans first).

       

      I have the following in my Application.cfc file:

      <cfscript>

      this.name = "cwcms";

      this.sessionManagement = "Yes";

      this.sessionTimeout = CreateTimeSpan(1,0,0,0);

      this.setClientCookies = "No";

      this.loginstorage = "session";

      </cfscript>

       

      I'm sure some of that will have to change if I implement accounts/login, but my question is this:

       

      When I load any page on my website, I see something like this on the end of the URL:

       

      http://mydomain.com/gallery/#.UQnJyZFDvx8

       

      I'm assuming that's the session ID, correct?  I assume this because if I remove the above code from my Application.cfc file, that string vanishes.

       

      The question is, could this be interfering with the <cffileupload> tag?  If I remove that code, my <cffileupload> box vanishes, but even with it, any file I upload gives a 401 error (but only on my hosted site (CF9) and not locally (CF10)).

       

      I'm using this for my <cffileupload>:

       

      <cfset session.storage = replace(createUUID(), "-","_","all")>

      <form name="uploads" method="post" action="manageuploads.cfm">

      <p><cffileupload

                  width="640"

                  extensionfilter="jpg,jpeg,png,JPG"

                  url="photoprocess.cfm?#urlEncodedFormat(session.urltoken)#"

                  name="photos"

                  bgcolor="808080"

                  wmode="transparent"

                  maxfileselect="25"

                  /></p>

      <p><input type="submit" name="done" value="Next" /></p>

      </form>

       

      Should I be pulling a different value for that session.storage variable?

        • 1. Re: Session question(s)
          BKBK Adobe Community Professional & MVP

          I think you should reduce the timeout to a value much less than 1 day and maintain sessions using cookies. Something like this:

           

          this.sessionTimeout = CreateTimeSpan(0,0,20,0);

          this.setClientCookies = "yes";

          1 person found this helpful
          • 2. Re: Session question(s)
            WolfShade Level 4

            I agree with BKBK; we've had issues when session timeout is set to 6 hours.  Something will "empty" the variables (we still haven't tracked that down, yet) but leave them in place.  So if we check StructKeyExists(session,"foo") or isDefined(session.foo), they are still there, but the data is gone.

             

            ^_^

            • 3. Re: Session question(s)
              BreakawayPaul Level 2

              @BKBK: Hmm, interesting.  With client cookies enabled, I still have that wierd string at the end of my URLs.  Maybe my session from yesterday is still alive?

               

              So, with sessionTimeout set to 20 minutes, if I wanted someone who had logged in yesterday to still be logged in today, instead of setting a 1 day session, I'd write something that read the cookie on their machine, and have a variable or something that decided if enough time had passed to require them to log in again, right?  I'd probably have to change loginstorage from session to cookies.

               

              I don't get to do much of this at work since we're not allowed to have logins or accounts (they're handled by a separate machine altogether) so I've had no opportunity to practice any of this until now (which is why I decided to redo my website in CF in the first place).

               

               

              @WolfShade: Yeah, that's really weird.  I use <cfif StructKeyExists(FORM,"submit_button_name")> on my form processing pages as a trigger, and sometimes it just doesn't trigger at all, so I end up testing for null instead. 

              • 4. Re: Session question(s)
                Dan Bracuk Level 5

                Regarding, "if I wanted someone who had logged in yesterday to still be logged in today", 

                 

                Then you are not security conscious.

                • 5. Re: Session question(s)
                  BreakawayPaul Level 2

                  Dan Bracuk wrote:

                   

                  Then you are not security conscious.

                   

                  Well then neither is Adobe, because my login here persists for ages before I have to log in again.

                  • 6. Re: Session question(s)
                    Dan Bracuk Level 5

                    So does mine.  That's because I checked the box when I logged in.  Does your application have that feature?

                    • 7. Re: Session question(s)
                      BreakawayPaul Level 2

                      My application doesn't have any features yet relating to logins.  I'm asking these questions so that I can understand as much as possible before I even begin to build the login system.  I may not even do a login system at all if I only get a few blog or photo comments per month, but I still want to understand how things work, in case I decide to. 

                       

                      I think it would be nicer for users to be able to log in and leave comments on several photos, rather than have to do a captcha or whatever each time, then wait til I log in on my side and approve the posts before they appear.

                      • 8. Re: Session question(s)
                        WolfShade Level 4

                        Even if you don't get that many users/comments, create the login.  If you don't, you will be (eventually) discovered by spammers, and then you will have hundreds of spammy comments, every day.  Not just spam, but also malicious links to websites that install virus or malware. 

                         

                        ^_^

                        • 9. Re: Session question(s)
                          BreakawayPaul Level 2

                          Oh, I've already gotten a few spam blog comments, but since all comments are moderated, I just deleted them.  I've had a website at this url since 1999, and a blog since probably 2004, so I'm actually surprised there hasn't been more spam, unless the CF captcha is working better than I think it is.

                           

                          I've noticed that setting the clientcookies to true seems to have gotten rid of the random character sequence that was appended to the URL.  Now I have nice clean URLs again

                          1 person found this helpful