I have also noticed that my cfid and cftoken cookies are set to expire Sat, 16 Jan 2038 15:55:44 GMT. So it looks like some kind of default of 30 years...any thoughts?
You are talking about two separate things. The first is cookies. I will come to that later.
The second is the 10 days. It is a timeout that is set by default by ColdFusion. It is the time after which ColdFusion begins to purge stored client variables from the place where you chose to store them. The default store for client variables is the registry. You may choose as alternatives a database (that you yourself have to create) or cookie.
The default timeouts, in days, are 90, 90, 10, respectively, for registry, database, cookie. This is where the 'Purge Interval' setting in the Administrator comes into play. The default value of the purge-interval is 1 hour 7 minutes. This means, for example, that, after 10 days of inactivity, ColdFusion will delete client variables stored as cookies every 1 hour 7 minutes. Also, after 90 days of inactivity, ColdFusion will delete client variables stored in the registry every 1 hour 7 minutes.
I can think of two reasons why the design is like this. First, it is up to ColdFusion to delete client variables, not you. That is why the timeout setting is hidden from view. Secondly, the purge process uses much memory, and so shouldn't occur often or for long periods.
There is an explanation for the 30 years. It means that the expires attribute of the cfcookie tag has the value 'never'. See the documentation on cfcookie. The 30 years applies to all never-expires cookies that ColdFusion sets, whether or not they are client variables.
If you want control of the client variable cookies then you have to prevent ColdFusion from setting them automatically. To do so, set clientmanagement="yes" and setclientcookies="no" in the cfapplication tag (if you're using Application.cfm) or this.clientmanagement="yes" and this.setclientcookies="no" (if you're using Application.cfc). Then set the cookies manually, as follows, depending on your needs:
1) session-only cookie (will expire when client closes browser)
<cfcookie name="cfid" value="#client.cfid#">
<cfcookie name="cftoken" value="#client.cftoken#">
2) cookie that will expire after 7 days
<cfcookie name="cfid" value="#client.cfid#" expires="7">
<cfcookie name="cftoken" value="#client.cftoken#" expires="7">
Back to the timeout values earlier. I will now show you where the settings are. Open the following file in a text editor:
However, I should strongly advise you to leave the XML file intact. There is a good reason why the ColdFusion engine uses the 10-day and 90-day timeouts, and why it hides the settings from view.
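The three cookie lifetimes discussed in this thread (session-only, a fixed number of days, and the roughly 30-year "never" expiry) can be told apart from the Set-Cookie response headers, which is a quick way to confirm that manually set cfid/cftoken cookies took effect. This is an added example, not part of the original posts; the sample headers, the observation time and the 7-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CF_ID_COOKIES = {"cfid", "cftoken"}  # cookie names from the thread

# Constructed sample data: observation time and Set-Cookie header values.
OBSERVED = datetime(2008, 1, 24, 15, 55, 44, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "CFID=1234; expires=Sat, 16 Jan 2038 15:55:44 GMT; path=/",     # "never"
    "CFTOKEN=56789012; path=/",                                     # session-only
    "CFTOKEN=56789012; expires=Thu, 31 Jan 2008 15:55:44 GMT; path=/",  # 7 days
    "LANG=en; expires=Sat, 16 Jan 2038 15:55:44 GMT; path=/",       # not a CF id cookie
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime_days(attrs, observed):
    """Return the cookie lifetime in days, or None for a session-only cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - observed).total_seconds() / 86400
    return None

def audit(headers, observed, max_days=7):
    """Classify each cfid/cftoken cookie as session-only, ok or too-long."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in CF_ID_COOKIES:
            continue
        days = lifetime_days(attrs, observed)
        verdict = "session-only" if days is None else ("ok" if days <= max_days else "too-long")
        findings.append((name, None if days is None else round(days), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, OBSERVED):
        print(finding)
```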