CFML Sessions For Dummies
•
1 like•834 views
Sessions. We all hear about them. We probably are using them. But do you know how they work? If you are anything like me, when you started programming you just accepted sessions as one of the many "black boxes" of programming. Then, one day, you need to debug a session issue. Or maybe you need your session to span multiple servers set up behind a load balancer. Do you know your options? Better yet, do you know your basics? This is a beginner session tackling the very basics of sessions in CFML including: What is a session? What is the difference between a session and cookies? What should I put in a session? How does ColdFusion know which session is mine? What is the difference between a ColdFusion and J2EE session? How can I see what sessions are currently running? How do I manage sessions across multiple servers? What are some common session gotchas? And more...
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to CFML Sessions For Dummies
Similar to CFML Sessions For Dummies (20)
More from ColdFusionConference
More from ColdFusionConference (20)
Recently uploaded
Recently uploaded (20)
CFML Sessions For Dummies
- 2. Whatthistalkisn't ! · Live coding · Outlining best practices · For people who use sessions and either already know or don't care that much how they work
- 3. Whatthistalkis ! · Theory — definitions and examples · Understanding the what and the why rather than the when would I use this · For people who use sessions and don't know how they work
- 4. OtherSessionsRightNow · PostCSS: A Dumb Name For An Awesome Thing Room 238 · SQL Server Tips For Everyday Programmers Room 334 · Crash Course In Ionic & AngularJS Auditorium
- 5. WhoamI? EricPeterson ! Utah " O.C. Tanner # 1 wife, 1 kid
- 7. Disclaimer: Out of the box setup (Other setups later)
- 8. Whatisasession? · Data stored in memory on the server · Client variables used to access the data on the server
- 10. Datastoredinmemoryontheserver · Data is lost when not accessed within a time-out period · Data is available only to a single client and application · Any CFML data type can be stored
- 11. Datastoredinmemoryontheserver Data is accessed by using a combination of a CFID and a CFTOKEN · CFID: A sequential client identifier · CFTOKEN: A random client security token
- 13. Andanydatayouaddyourself! session.simpleValue = 5; session.complexValue = [ { id = 1, permissions = [/* ... */] } ]; session.user = new User(/* ... */);
- 14. OtherFacts · CFID and CFTOKEN are reused by the client when starting new sessions (if possible) · Someone with your CFID and CFTOKEN could access your session · For this, reason it's bad to pass it in the query string. Use Client Variables instead
- 18. Clientvariablesusedtoaccessthedataontheserver If you didn't use cookies, you'd have to pass these values in the url or form every time Which makes them very easy to steal and hijack a session
- 19. Sodon'tdothat! !
- 21. EnablingSessionsinyourCFMLApplications component { // Required this.name = 'MyAwesomeApp'; this.sessionManagement = true; // Optional: default timeout is 20 minutes this.sessionTimeout = createTimeSpan(0, 0, 45, 0); }
- 22. SessionLifecycle
- 25. DuringaSession
- 26. ReadingandWritingtotheSession // write values to the session session.favorites = [1, 45, 67, 109]; // read values from the session local.favorites = session.favorites; // though, it is smart to check that // the value exists first. if (structKeyExists(session, 'favorites')) { local.favorites = session.favorites; } else { local.favorites = []; }
- 27. SessionLocks
- 28. SessionLocks function getProductCount() { lock scope="session" type="read" timeout="2" throwontimeout="true" { return session.items; } } function incrementProductCount(count) { lock scope="session" type="exclusive" timeout="2" throwontimeout="true" { session.items += count; } }
- 30. SessionRotate() Available in ACF10+ and Lucee 4.5+ 1. Invalidates the current session 2. Creates a new session 3. Migrates the data from the old to the new 4. Overwrites the old cookies with the new
- 31. "BestPractices" · Keep your session scope small · Only store lookup values in your session scope (like userId) · Especially avoid storing values shared between users in the session scope · SessionRotate() a!er a successful login1 1 See Learn CF in a Week for more session security tips
- 32. EndingaSession
- 33. Whatdoesnotendasession? · Logging out · Closing the browser · structClear(session)
- 34. Whatdoesendasession? · Session Timeout · sessionInvalidate() (ACF10+ and Lucee 4.5+)
- 35. SessionLifecycleMethods function onSessionStart() { // set defaults for session values // you want to make sure are available session.sessionStartedAt = Now(); } function onSessionEnd(applicationScope, sessionScope) { if (sessionScope.isShopping) { // clean up any long standing objects // Log any important messages applicationScope.shoppingInsightLogger.info( 'User timed out while shopping at #Now()#' ); } }
- 36. J2EESessions
- 37. J2EESessions · Uses the servlet (e.g. Tomcat) for session management · Share session information between ColdFusion and other servlet applications
- 38. J2EESessions · Does not reuse the session identifiers · Generates a new identifier for each session, reducing the impact of the the! of the token · Can terminate the session manually getPageContext().getSession().invalidate();
- 41. Firstoff, Why?
- 42. ServerClusters
- 43. ServerClusters If your session information is being stored in the memory of a server, then only that one server can handle all your requests. In other words, you can't scale.
- 44. Whatareouroptions? · Don't use the session scope ! · Store the session scope somewhere else "
- 46. Doityourself! function onRequestStart() { var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken; var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' }); StructAppend( session, sessionClient.get(id = urlToken, deserialize = true), true ); } function onRequestEnd() { var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken; var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' }); sessionClient.set(id = urlToken, session ); }
- 47. OneEasyWay: SessionStorages (Requires ColdFusion 2016+ or Lucee 4.5+)
- 48. Done
- 49. AnotherEasyWay: J2EESessions Sticky sessions at the servlet level
- 50. Done
- 51. Extras
- 52. First,SessionFixation An attacker provides the session identifiers in order to try and know them <a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2"> Click here for free stuff! </a>
- 53. HowthiscancauseSessionLoss More than one CFML application on the same domain2 2 Pete Freitag, Session Loss and Session Fixation in ColdFusion, March 01, 2013
- 54. HTTPOnlyCookies · These cookies are only available over HTTP connections, NOT Javascript
- 55. HTTPOnlyCookies Set once for the entire application // CF 10+ & Lucee 4.5+ this.sessioncookie.httponly = true; # Java JVM args (CF 9.0.1+) -Dcoldfusion.sessioncookie.httponly=true
- 56. HTTPOnlyCookies OR set them manually <!-- CF 9+ & Lucee 4.5+ --> <cfcookie name="CFID" value="#sessoin.cfid#" httponly="true" /> <!-- CF 8 and lower --> <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />
- 57. SSL Enable the secure flag on your cookies // CF 10+ & Lucee 4.5+ this.sessioncookie.secure = true; <!-- CF 9+ & Lucee 4.5+ --> <cfcookie name="CFID" value="#sessoin.cfid#" httponly="true" secure="true" /> <!-- CF 8 and lower --> <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />
- 58. Turningoffclientmanagement If you are setting your own cookies, remember to turn off client management // Application.cfc component { this.clientmanagement = false; }
- 59. Questions !
- 60. Other talks at dev.Objective() LiveTestingaLegacyApp Thursday 1:45 PM to 2:45 PM