Maryland ColdFusion User Group: Session Management 101. 11 December 2001. Michael Schuler, michael@macromedia.com
Jan 01, 2016

Transcript
Page 1: Maryland ColdFusion User Group, Session Management 101, 11 December 2001, Michael Schuler, michael@macromedia.com

Maryland ColdFusion User Group

Session Management 101

11 December 2001

Michael Schuler

michael@macromedia.com

Page 2

Agenda

Addressing the Web’s Statelessness

The Application Framework

Session Variables

Locking Shared Variables

Page 3

The Web's Statelessness

You will need to persist information across pages in order to:

Validate user authentication at login, and maintain that authentication throughout the session

Personalize the user's experience

Maintain information about the user's session, for example a shopping cart

Page 4

The Web's Statelessness

HTTP is stateless: the server treats every page request as a new, independent connection

Variables and flags set during one request are therefore not available in the next request

Work around this problem by using:

Cookies

The Application framework

Session variables

Page 5

Securing Applications

You need to:

Authenticate users on first access by sending them to a login page

Allow access to the application for a predetermined session time, or until a period without activity expires

Secure each page so that a user cannot bookmark a page and circumvent the login

Page 6

Security Components

Secure your Web pages by using the following security components:

A login page and a login action page to authenticate users against a database table of users

The Application framework to test for login on each page in the application

Session variables to persist a logged-in flag for each page in the application

Page 7

Cookie Types

There are two types of cookies you can create:

Persistent cookies

Session cookies

Both are created using the <CFCOOKIE> tag, and they are differentiated by the use of the EXPIRES attribute.

Page 8

Persistent vs. Session Cookies

Persistent Cookies: the EXPIRES attribute determines when the cookie gets deleted from the browser machine:

EXPIRES = "n" (a number of days from now)

EXPIRES = "date" (an absolute date)

EXPIRES = "never"

EXPIRES = "now" (deletes the cookie immediately)

A persistent cookie is written to a file on the client, so it should never carry authentication state or anything else a later user of that machine must not be able to read.

Page 9

Session Cookies

Created by omitting the EXPIRES attribute from the <CFCOOKIE> tag

Only valid until all the browser windows on that client machine are closed

Use session cookies when you only want to track the user for the current visit

Destroyed when the browser closes, and never stored in a file on the browser machine

Page 10

Persistent State Variables

Variables that allow you to store information once and then share it across an application, a session, or the entire server. The scopes listed on the slide:

Server

Application

Session

Client

Request

Page 11

Session Variables

Session variables are:

Stored in the Web server's memory

Lost when the Web server is restarted

Used for a single site visit

In order to use Session variables, you will need to:

1. Check the ColdFusion Administrator for Session settings

2. Enable Session variables within your Application.cfm file

3. Set Session variables in your ColdFusion pages

Page 12

ColdFusion Administrator Settings

Session variables must be enabled before use.

Check the following settings in the ColdFusion Administrator to:

1. Make sure that Session variables have not been disabled

2. Set/reset the Session variables default and maximum timeout settings

Page 13

ColdFusion Administrator Settings

Found in the ColdFusion Administrator in the Server Settings section under Memory Variables

Page 14

Enabling Session Variables

Enable session variables in the Application.cfm file:

<CFAPPLICATION name="CoffeeValley" sessionmanagement="Yes" sessiontimeout="#CreateTimeSpan(0, 1, 0, 0)#">

Enables session variables and sets expiration to 1 hour after the last browser activity for each session (CreateTimeSpan takes days, hours, minutes, seconds).

The tag's timeout is capped by the Maximum Timeout for session variables in the ColdFusion Administrator, which the slide gives as 20 minutes by default. Raise that value, or the tag above will get the Administrator's maximum rather than 1 hour. A shorter idle timeout also limits how long an abandoned or stolen session stays usable, so choose the shortest value the application can tolerate.

Page 15

Session Variable Process

1. The first time a browser requests a page from ColdFusion, it will encounter the <CFAPPLICATION> tag. This is normally placed in an Application.cfm file, which ColdFusion runs before every page in the directory tree.

2. ColdFusion will generate a unique identifier for the browser. The unique ID is made up of two values: CFID and CFTOKEN.

3. Two cookies are created and sent to the browser: CFID and CFTOKEN. By default ColdFusion sets them as persistent cookies; re-setting them with <CFCOOKIE> and no EXPIRES attribute in Application.cfm turns them into session cookies that die with the browser.

4. These two values are also stored in the Web server's memory within the application. This is the link between the Web server and the browser session: whoever presents a valid CFID/CFTOKEN pair is treated as that session, so the pair must be unguessable and must be kept out of URLs, logs and shared machines.

Page 16

Session Variable Process

Page 17

Creating Session Variables

Session variables are stored in server memory with the matching CFID and CFTOKEN values

Each session will have a separate set of variables

Created using the <CFSET> tag

The Session. prefix is required:

<CFSET Session.BGColor="red">

Page 18

Creating Session Variables

Page 19

Disabled Cookies

If a browser has disabled the receipt of cookies, your ColdFusion application will need to pass the session identifiers on every page request:

Append CFID and CFTOKEN to the URL (Session.URLToken holds the ready-made "CFID=...&CFTOKEN=..." string)

Pass CFID and CFTOKEN in hidden form controls

Use ADDTOKEN="Yes" on the <CFLOCATION> tag

Identifiers carried in the URL end up in browser history, bookmarks, proxy and Web server logs, and in the Referer header of any off-site link, and a URL containing a known pair can be handed to a victim so that they log in under it. Prefer cookies wherever they are available.

Page 20

Demonstration

Using Session Variables to Secure All Application Pages
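The demonstration's code is not on the page. What follows is an added example, not the presenter's demo, that puts the components from pages 5, 6 and 14 together in CF5-era tag syntax: an Application.cfm that enables session management, re-issues CFID/CFTOKEN as session cookies, and gates every page on a logged-in flag; a login form; a login action page that checks credentials against a users table; and a logout page. The application and datasource name "CoffeeValley", the table Users(UserID, UserName, PasswordHash), and the page names login.cfm, loginaction.cfm, logout.cfm and home.cfm are assumptions.

```cfml
<!--- Application.cfm: added example, not the slide deck's demo code.
      Assumed names: application/datasource "CoffeeValley", table
      Users(UserID, UserName, PasswordHash), pages login.cfm,
      loginaction.cfm, logout.cfm and home.cfm. --->
<CFAPPLICATION name="CoffeeValley"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 1, 0, 0)#">

<!--- ColdFusion sets CFID/CFTOKEN as persistent cookies by default; re-sending
      them without EXPIRES turns them into session cookies that die with the browser. --->
<CFIF IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <CFSET cfidLocal = Cookie.CFID>
    <CFSET cftokenLocal = Cookie.CFTOKEN>
    <CFCOOKIE name="CFID" value="#cfidLocal#">
    <CFCOOKIE name="CFTOKEN" value="#cftokenLocal#">
</CFIF>

<!--- Pages reachable without a login; everything else requires the flag --->
<CFSET publicPages = "login.cfm,loginaction.cfm">
<CFSET thisPage = GetFileFromPath(CGI.SCRIPT_NAME)>

<!--- Initialise the flag once per session and copy it to a local variable,
      all under one exclusive lock, so no page ever reads an undefined flag --->
<CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF NOT IsDefined("Session.LoggedIn")>
        <CFSET Session.LoggedIn = False>
    </CFIF>
    <CFSET loggedIn = Session.LoggedIn>
</CFLOCK>

<!--- Runs before every page, so a bookmarked URL cannot skip the check --->
<CFIF NOT loggedIn AND NOT ListFindNoCase(publicPages, thisPage)>
    <CFLOCATION url="login.cfm" addtoken="No">
</CFIF>


<!--- login.cfm: the login page --->
<form action="loginaction.cfm" method="post">
    User name: <input type="text" name="UserName"><br>
    Password:  <input type="password" name="Password"><br>
    <input type="submit" value="Log in">
</form>


<!--- loginaction.cfm: the login action page --->
<CFPARAM name="FORM.UserName" default="">
<CFPARAM name="FORM.Password" default="">

<!--- Parameterised lookup; the user name never becomes part of the SQL text --->
<CFQUERY name="getUser" datasource="CoffeeValley">
    SELECT UserID, PasswordHash
    FROM   Users
    WHERE  UserName = <CFQUERYPARAM value="#FORM.UserName#" cfsqltype="CF_SQL_VARCHAR">
</CFQUERY>

<!--- Hash() stands in for whatever password hash the platform offers (prefer a
      salted, slow hash where available); the table holds hashes, never plaintext.
      Compare() returns 0 when the two strings are equal. --->
<CFIF getUser.RecordCount EQ 1
      AND Compare(getUser.PasswordHash, Hash(FORM.Password)) EQ 0>
    <!--- Identity is written to the session only after the check succeeds --->
    <CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10" THROWONTIMEOUT="Yes">
        <CFSET Session.LoggedIn = True>
        <CFSET Session.UserID   = getUser.UserID>
        <CFSET Session.UserName = FORM.UserName>
    </CFLOCK>
    <CFLOCATION url="home.cfm" addtoken="No">
<CFELSE>
    <!--- Same response for an unknown user and a wrong password --->
    <CFLOCATION url="login.cfm?failed=1" addtoken="No">
</CFIF>


<!--- logout.cfm: drop the identity so the CFID/CFTOKEN pair no longer grants access --->
<CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFSET Session.LoggedIn = False>
    <CFSET removed = StructDelete(Session, "UserID")>
    <CFSET removed = StructDelete(Session, "UserName")>
</CFLOCK>
<CFLOCATION url="login.cfm" addtoken="No">
```

Because Application.cfm runs ahead of every template in the tree, the check cannot be skipped by bookmarking home.cfm; the only pages a logged-out browser can reach are the two listed in publicPages. ADDTOKEN="No" keeps CFID/CFTOKEN off the redirect URLs, since the cookies already carry them.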

Page 21

Locking Shared Variables

Application and session (as well as server) scope variables are shared between requests

These variables can be set and retrieved at the same time

Setting or getting values from the same place in memory at the same time can cause corruption, and can lead to system failure

Session variables can collide if:

The user hits Refresh in their browser while it is already processing a Session variable

A Session variable is used within a frameset (each frame is a separate, concurrent request)

Every read and write of shared memory values requires the use of the <CFLOCK> tag to ensure memory integrity

Page 22

<CFLOCK>

Locks variables or code for the duration of the tag

Two types of locks:

Exclusive lock for variable setting

Read-only lock for variable getting

<CFLOCK TIMEOUT="timeout in seconds"
        SCOPE="Application" or "Server" or "Session"
        THROWONTIMEOUT="Yes" or "No"
        TYPE="ReadOnly" or "Exclusive">
    <!--- variable set or get --->
</CFLOCK>

Page 23

Setting Variables

All sets of shared memory variables must be locked exclusively

An exclusive lock single-threads access to the CFML constructs in its body: the body can be executed by at most one request at a time, and no other request can start executing inside the tag while a request holds the exclusive lock

ColdFusion issues exclusive locks on a first-come, first-served basis

Use the <CFLOCK> tag around all writes to server, application and session variables:

<CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10">
    <CFSET Session.UserName="#FORM.UserName#">
</CFLOCK>

Write the user name (and the logged-in flag) only after the login action page has verified the credentials; until then nothing in the session should claim an identity.

Page 24

Getting Variables

A read-only lock allows multiple requests to concurrently access the CFML constructs inside its body

Should be used only when the shared data is read and not modified; a read followed by a write of the same value (read-modify-write) needs a single exclusive lock around both steps

If another request already has an exclusive lock on the shared data, the request waits for the exclusive lock to be released

<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10">
    <CFOUTPUT>Welcome #Session.UserName#!</CFOUTPUT>
</CFLOCK>

The lock's SCOPE must name the scope actually being read or written: an APPLICATION lock does nothing to protect a Session variable.

Page 25

Demonstration

Locking Session Variables
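The demonstration's code is not on the page. As an added example, not the presenter's demo, the following page updates a shopping cart kept in the Session scope, the case pages 21 to 24 describe: the read, the arithmetic and the write all sit under one exclusive lock, and a read-only lock is used only for the pure read of the user name. The page name addtocart.cfm, the variables Session.Cart and Session.UserName, and the form fields ProductID and Quantity are assumptions.

```cfml
<!--- addtocart.cfm: added example, not the slide deck's demo code.
      Assumed: Session.Cart is a struct keyed by product ID holding quantities,
      Session.UserName was set at login, and the form posts ProductID and Quantity. --->
<CFPARAM name="FORM.ProductID" default="">
<CFPARAM name="FORM.Quantity" default="1">

<!--- Validate before touching shared memory; keeps the locked region short --->
<CFIF NOT IsNumeric(FORM.ProductID) OR NOT IsNumeric(FORM.Quantity) OR FORM.Quantity LT 1>
    <CFABORT showerror="Invalid product or quantity">
</CFIF>

<!--- Pure read: a READONLY lock, copying the value out before using it --->
<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF IsDefined("Session.UserName")>
        <CFSET userName = Session.UserName>
    <CFELSE>
        <CFSET userName = "guest">
    </CFIF>
</CFLOCK>

<!--- Read-modify-write: ONE exclusive lock around the whole sequence.
      A READONLY lock for the read followed by a separate EXCLUSIVE lock for
      the write would let a second request (a double-click, a Refresh, or a
      second frame) slip in between them and lose one of the updates. --->
<CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF NOT IsDefined("Session.Cart")>
        <CFSET Session.Cart = StructNew()>
    </CFIF>
    <CFIF StructKeyExists(Session.Cart, FORM.ProductID)>
        <CFSET Session.Cart[FORM.ProductID] = Session.Cart[FORM.ProductID] + FORM.Quantity>
    <CFELSE>
        <CFSET Session.Cart[FORM.ProductID] = FORM.Quantity>
    </CFIF>
    <!--- Snapshot what the page will display while the lock is still held --->
    <CFSET cartSnapshot = Duplicate(Session.Cart)>
</CFLOCK>

<!--- Outside the lock only the local copies are used; no further shared access --->
<CFOUTPUT>
<p>#userName#, your cart now holds #StructCount(cartSnapshot)# distinct product(s):</p>
<ul>
<CFLOOP collection="#cartSnapshot#" item="productID">
    <li>Product #productID#: quantity #cartSnapshot[productID]#</li>
</CFLOOP>
</ul>
</CFOUTPUT>
```

THROWONTIMEOUT="Yes" makes a lock that cannot be obtained within TIMEOUT seconds raise an error instead of silently continuing into the body, which would defeat the lock; Duplicate() gives a deep copy so the output loop never touches the Session struct after the lock is released.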

Page 26

Questions

?