6 Replies Latest reply on Nov 17, 2009 5:15 PM by Adam Cameron.

    Sticky session without cookie is broken

    garyheAu

      Hi,

       

      I need help from you guys to confirm this is something not supported by newer versions of ColdFusion any more.

       

      Background:

       

      This is for a mobile on-deck site of a carrier in Australia. The carrier appends a unique ID (a 10-digit number) by HTTP header to each handset's HTTP request to the ColdFusion server. Our ColdFusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookies, we turned off client cookies and instead use the following code to tell the ColdFusion server that a CFID and CFTOKEN have been passed to it in the query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by the ColdFusion server but externally by our code). This code had been working for years, which enabled us not to depend on client cookies and CFID/CFTOKEN in the query string to maintain sessions for on-deck mobile sites. However, this code stopped working after we applied ColdFusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on ColdFusion 8.0.1. Every request will start a new session rather than stick to the same session after that.

       

      <cfset url.cfid = "#request.uid#">
      <cfset url.cftoken = 0>
      <cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"
                      setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">

       

      Can someone please verify that the above logic is not supported by new versions of ColdFusion anymore?

       

      Thanks.

        • 1. Re: Sticky session without cookie is broken
          BKBK Adobe Community Professional & MVP

          I would check whether the use of application and session variables has been enabled in the Administrator. Further, I would set setclientcookies to 'yes'. It will be ignored anyway if the client doesn't support cookies.

           

          Also, instead of using 0.1 days for 2 hours 24 minutes, as you have done, I would stick to custom and use the function createTimeSpan. The session timeout could also be shorter. Here goes:

           


          <cfset url.cfid = "#request.uid#">
          <cfset url.cftoken = 0>
          <cfapplication name="hww_#request.site_id#"
              sessionmanagement="Yes"
              setclientcookies="yes"
              sessiontimeout="#createTimeSpan(0,0,20,0)#"
              applicationtimeout="#createTimeSpan(0,2,24,0)#">

          • 2. Re: Sticky session without cookie is broken
            Adam Cameron. Level 5

            What is a typical value for request.uid?

             

            --

            Adam

            • 3. Re: Sticky session without cookie is broken
              garyheAu Level 1

              Thanks, Adam. request.uid can be any string between 0000000000 and 9999999999.

               

              - Gary

              • 4. Re: Sticky session without cookie is broken
                Adam Cameron. Level 5

                OK that's interesting.  I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).

                 

                My test rig is thus:

                 

                <!--- Application.cfm --->
                <cfset request.uid = "9999999999">
                <cfset request.site_id = "fakeIdToken">

                <cfset url.cfid = "#request.uid#">
                <cfset url.cftoken = 0>
                <cfapplication name="hww_#request.site_id#"
                    sessionmanagement="Yes"
                    setclientcookies="yes"
                    sessiontimeout="#createTimeSpan(0,0,20,0)#"
                    applicationtimeout="#createTimeSpan(0,2,24,0)#">

                <cfparam name="session.ts" default="#now()#">

                <cfdump var="#url#" label="url">
                <cfdump var="#request#" label="request">
                <cfdump var="#session#" label="session">
                <cfdump var="#CGI#" label="CGI">

                 

                And then I hit another page in the same dir.

                 

                With any numeric value of request.uid, session.ts sticks.  For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.

                 

                Are you sure about your UID values?

                 

                --

                Adam

                • 5. Re: Sticky session without cookie is broken
                  garyheAu Level 1

                  Yes, I am sure the UID is numeric. All UID's are saved in our database anyway.

                   

                  Have you tried to clear your browser cookies and change sessionmanagement="No"? When I tried your code this way, session did not stick.

                  • 6. Re: Sticky session without cookie is broken
                    Adam Cameron. Level 5

                    Yep, cleared cookies before starting.

                     

                    And if you disable session management... you're not going to get sessions.  If you try to use the session scope you will get an error (and rightfully so).

                     

                    --

                    Adam
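
Reply 4 reports that a non-numeric request.uid is ignored and ColdFusion then issues its own CFID/CFTOKEN, so a malformed header shows up only as a session that silently fails to stick. The Application.cfm below is an added example, not code from any poster in this thread. It checks the carrier ID against the 10-digit form given in reply 3 before using it as CFID and logs rejections. The header name X-Carrier-UID and the log file name carrier_uid are assumptions, and request.site_id reuses the placeholder from reply 4.

```cfml
<!--- Application.cfm: added example, not from the thread. --->
<!--- "X-Carrier-UID" is a hypothetical header name; the thread does not name the real one. --->
<cfset request.site_id = "fakeIdToken">
<cfset httpHeaders = getHttpRequestData().headers>
<cfset carrierUid = "">
<cfif structKeyExists(httpHeaders, "X-Carrier-UID")>
    <cfset carrierUid = trim(httpHeaders["X-Carrier-UID"])>
</cfif>

<!--- Accept only the 10-digit form described in the thread (0000000000 to 9999999999). --->
<cfset uidIsValid = (reFind("^[0-9]{10}$", carrierUid) GT 0)>

<cfif uidIsValid>
    <cfset request.uid = carrierUid>
    <cfset url.cfid = request.uid>
    <cfset url.cftoken = 0>
<cfelse>
    <!--- url.cfid is left unset, so ColdFusion assigns its own CFID/CFTOKEN. --->
    <!--- Log the length rather than the raw header value. --->
    <cflog file="carrier_uid" type="warning"
           text="Rejected carrier UID (length #len(carrierUid)#) from #cgi.remote_addr#">
</cfif>

<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="No"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">

<!--- Diagnostic: session.ts keeps its first value for as long as the session sticks. --->
<cfparam name="session.ts" default="#now()#">
<cfoutput>uidIsValid=#uidIsValid# sessionid=#session.sessionid# ts=#session.ts#</cfoutput>
```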