Sessions. We all hear about them. We are probably using them. But do you know how they work? If you are anything like me, when you started programming you just accepted sessions as one of the many "black boxes" of programming. Then, one day, you need to debug a session issue. Or maybe you need your session to span multiple servers set up behind a load balancer. Do you know your options? Better yet, do you know your basics?
This is a beginner session tackling the very basics of sessions in CFML, including:
What is a session?
What is the difference between a session and cookies?
What should I put in a session?
How does ColdFusion know which session is mine?
What is the difference between a ColdFusion and J2EE session?
How can I see what sessions are currently running?
How do I manage sessions across multiple servers?
What are some common session gotchas?
And more...
2. What this talk isn't
· Live coding
· Outlining best practices
· For people who use sessions and either already know or don't care that much how they work
3. What this talk is
· Theory: definitions and examples
· Understanding the what and the why rather than the when would I use this
· For people who use sessions and don't know how they work
4. Other Sessions Right Now
· PostCSS: A Dumb Name For An Awesome Thing (Room 238)
· SQL Server Tips For Everyday Programmers (Room 334)
· Crash Course In Ionic & AngularJS (Auditorium)
10. Data stored in memory on the server
· Data is lost when not accessed within a time-out period
· Data is available only to a single client and application
· Any CFML data type can be stored
14. Other Facts
· CFID and CFTOKEN are reused by the client when starting new sessions (if possible)
· Someone with your CFID and CFTOKEN could access your session
· For this reason, it's bad to pass them in the query string. Use Client Variables instead
26. Reading and Writing to the Session
// write values to the session
session.favorites = [1, 45, 67, 109];
// read values from the session
local.favorites = session.favorites;
// though, it is smart to check that
// the value exists first.
if (structKeyExists(session, 'favorites')) {
local.favorites = session.favorites;
} else {
local.favorites = [];
}
30. SessionRotate()
Available in ACF10+ and Lucee 4.5+
1. Invalidates the current session
2. Creates a new session
3. Migrates the data from the old to the new
4. Overwrites the old cookies with the new
31. "Best Practices"
· Keep your session scope small
· Only store lookup values in your session scope (like userId)
· Especially avoid storing values shared between users in the session scope
· SessionRotate() after a successful login [1]
[1] See Learn CF in a Week for more session security tips
35. Session Lifecycle Methods
function onSessionStart() {
// set defaults for session values
// you want to make sure are available
session.sessionStartedAt = Now();
}
function onSessionEnd(applicationScope, sessionScope) {
if (sessionScope.isShopping) {
// clean up any long standing objects
// Log any important messages
applicationScope.shoppingInsightLogger.info(
'User timed out while shopping at #Now()#'
);
}
}
37. J2EE Sessions
· Uses the servlet container (e.g. Tomcat) for session management
· Shares session information between ColdFusion and other servlet applications
38. J2EE Sessions
· Does not reuse the session identifiers
· Generates a new identifier for each session, reducing the impact of the theft of the token
· Can terminate the session manually
getPageContext().getSession().invalidate();
43. Server Clusters
If your session information is being stored in the memory of a server, then only that one server can handle all your requests. In other words, you can't scale.
52. First, Session Fixation
An attacker provides the session identifiers in order to try and know them
<a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2">
Click here for free stuff!
</a>
55. HTTPOnly Cookies
Set once for the entire application
// CF 10+ & Lucee 4.5+
this.sessioncookie.httponly = true;
# Java JVM args (CF 9.0.1+)
-Dcoldfusion.sessioncookie.httponly=true
56. HTTPOnly Cookies
OR set them manually
<!-- CF 9+ & Lucee 4.5+ -->
<cfcookie name="CFID" value="#session.cfid#" httponly="true" />
<!-- CF 8 and lower -->
<cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />
57. SSL
Enable the secure flag on your cookies
// CF 10+ & Lucee 4.5+
this.sessioncookie.secure = true;
<!-- CF 9+ & Lucee 4.5+ -->
<cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="true" />
<!-- CF 8 and lower -->
<cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />
58. Turning off client management
If you are setting your own cookies, remember to turn off client management
// Application.cfc
component {
this.clientmanagement = false;
}
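Pulling the SessionRotate(), "Best Practices", HTTPOnly, SSL and client-management slides together, here is an added example (not from the slides) of an Application.cfc that applies those settings, plus a hypothetical login helper in a separate login page that calls sessionRotate(). The application name, timeout, log file name and the source of userId are assumptions.

```cfml
// ---- Application.cfc (assumed CF 10+ or Lucee 4.5+) ----
component {
    this.name = "sessionDemo";                          // hypothetical application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);  // idle for 30 minutes, then the data is gone
    this.clientManagement = false;                      // we rely on the session cookies only

    // Set the cookie flags once for the whole application: CFID/CFTOKEN are
    // then unreadable from JavaScript (httpOnly) and only sent over HTTPS (secure).
    this.sessionCookie.httpOnly = true;
    this.sessionCookie.secure   = true;

    function onSessionStart() {
        // defaults the rest of the application may assume exist
        session.sessionStartedAt = now();
        session.isLoggedIn = false;
    }

    function onSessionEnd(applicationScope, sessionScope) {
        // the session scope is not available here, only the sessionScope argument;
        // guard the key, because a session can expire before anyone logged in
        if (structKeyExists(sessionScope, "userId")) {
            writeLog(type = "information", file = "sessionDemo",
                     text = "Session for user #sessionScope.userId# timed out at #now()#");
        }
    }
}

// ---- login.cfm, inside <cfscript>, after the credentials have been verified ----
// Hypothetical helper: userId comes from your own authentication lookup.
function completeLogin(required numeric userId) {
    // Drop the pre-login session id (which an attacker may have handed to the user,
    // as in the session fixation slide), migrate the data, and reissue the cookies.
    sessionRotate();
    // store a lookup value only, keeping the session scope small
    session.userId = arguments.userId;
    session.isLoggedIn = true;
}

// Hypothetical logout: sessionInvalidate() (ACF 10+ / Lucee 4.5+) ends the session
// so the old CFID/CFTOKEN can no longer be used.
function logout() {
    sessionInvalidate();
}
```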