Maintaining Client Identity - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

Maintaining client identity

Because the web is a stateless system, client management requires some method for maintaining
knowledge of the client between requests. Normally you do this using cookies, but you can also
do it by passing information between application pages. The following sections describe how
ColdFusion maintains client identity in a variety of configurations and environments, and discuss
issues that can arise with client state management.
About client identifiers
To use client and session variables, ColdFusion must be able to identify the client. It normally
does so by setting the following two cookie values on the client's system:
•
CFID A sequential client identifier
•
CFToken A random-number client security token
These cookies uniquely identify the client to ColdFusion, which also maintains copies of the
variables as part of the Session and Client scopes. You can configure your application so that it
does not use client cookies, but in this case, you must pass these variables to all the pages that your
application calls. For more information about maintaining client and session information without
using cookies, see
You can configure ColdFusion MX to use J2EE servlet session management instead of
ColdFusion session management for session variables. This method of session management does
not use and
CFID
cookie. For more information on using J2EE session management, see
session management" on page
Using client and session variables without cookies
Often, users disable cookies in their browsers. In this case, ColdFusion cannot maintain the client
state automatically. You can use client or session variables without using cookies, by passing the
client identification information between application pages. However, this technique has
significant limitations, as follows:
•
Client variables are effectively the same as session variables, except that they leave unusable
data in the client data store.
Because the client's system does not retain any identification information, the next time the
user logs on, ColdFusion cannot identify the user with the previous client and must create a
new client ID for the user. Any information about the user from a previous session is not
available, but remains in client data storage until ColdFusion deletes it. If you clear the Purge
Data for Clients that Remain Unvisited option in the ColdFusion MX Administrator,
ColdFusion never deletes this data.
Therefore, do not use client variables, if you do not require users to enable cookies. To retain
client information without cookies, require users to login with a unique ID. You can then save
user-specific information in a database with the user's ID as a key.
•
ColdFusion creates a new session each time the user requests a page directly in the browser,
because the new request contains no state information to indicate the session or client.
Note: You can prevent ColdFusion from sending client information to the browser as cookies by
setting the
setClientCookies
"Using client and session variables without cookies" on page
values, but does use a client-side
CFToken
327.
attribute of the
jsessionid
cfapplication tag to No.
319.
session management
"ColdFusion and J2EE
Managing the client state 319