Chapter 15: Using Persistent Data and Locking

To use ColdFusion client or session variables without using cookies, each page must pass the CFID and CFToken values to any page that it calls as part of the request URL. If a page contains any HTML href a= links, cflocation tags, form tags, or cfform tags, the tags must pass the CFID and CFToken values in the tag URL. To use J2EE session management, you must pass the jsessionid value in page requests. To use ColdFusion client variables and J2EE session variables, you must pass the CFID, CFToken, and jsessionid values in URLs.

ColdFusion provides the URLSessionFormat function, which does the following:
• If the client does not accept cookies, automatically appends all required client identification information to a URL.
• If the client accepts cookies, does not append the information.

The URLSessionFormat function automatically determines which identifiers are required, and sends only the required information. It also provides a more secure and robust method for supporting client identification than manually encoding the information in each URL, because it only sends the information that is required, when it is required, and it is easier to code.

To use the URLSessionFormat function, enclose the request URL in the function. For example, the following cfform tag posts a request to another page and sends the client identification, if required:
<cfform method="Post" action="#URLSessionFormat("MyActionPage.cfm")#">

Tip: If you use the same page URL in multiple URLSessionFormat functions, you can gain a small performance improvement and simplify your code if you assign the formatted page URL to a variable, for example:
<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfform method="Post" action="#myEncodedURL#">

Client identifiers and security
The following client identifier issues can have security implications:
• Ensuring the uniqueness and complexity of the CFToken identifier
• Limiting the availability of Session identifiers
The next sections discuss these issues.

Ensuring CFToken uniqueness and security
By default, ColdFusion uses an eight-digit random number in the CFToken identifier. This format provides a unique, secure identifier for users under most circumstances. (In ColdFusion MX, the method for generating this number uses a cryptographic-strength random number generator that is seeded only when the server starts.)

However, in the ColdFusion MX Administrator, you can enable the Settings page to produce a more complex CFToken identifier. If you enable the Use UUID for cftoken option, ColdFusion creates the CFToken value by prepending a 16-digit random hexadecimal number to a ColdFusion UUID. The resulting CFToken identifier looks similar to the following:
3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9
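The following is an added example, not part of the original manual: a Python audit of web access logs that reports requests carrying CFID, CFToken or jsessionid in the URL and classifies each CFToken as the eight-digit default or the UUID format described above. The log lines are constructed, the function names are hypothetical, and handling of a ";jsessionid=" path parameter is an assumption about how the value may appear.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# CFToken formats described above: eight digits by default, or a 16-digit
# hexadecimal prefix joined to a ColdFusion UUID (8-4-4-16 hex digits).
DEFAULT_TOKEN = re.compile(r"\d{8}")
UUID_TOKEN = re.compile(r"[0-9a-f]{16}-[0-9a-f]{8}(-[0-9a-f]{4}){2}-[0-9a-f]{16}", re.I)
# Assumption: jsessionid may also appear as a ";jsessionid=" path parameter.
PATH_JSESSIONID = re.compile(r";jsessionid=([^;?#/]+)", re.I)
ID_NAMES = {"cfid", "cftoken", "jsessionid"}

def classify_cftoken(value):
    """Return 'default', 'uuid' or 'other' for a CFToken value."""
    if DEFAULT_TOKEN.fullmatch(value):
        return "default"
    if UUID_TOKEN.fullmatch(value):
        return "uuid"
    return "other"

def identifiers_in_url(url):
    """Return the client identifiers a request URL carries, keyed by lower-case name."""
    parts = urlsplit(url)
    found = {k.lower(): v for k, v in parse_qsl(parts.query) if k.lower() in ID_NAMES}
    match = PATH_JSESSIONID.search(parts.path)
    if match:
        found.setdefault("jsessionid", match.group(1))
    return found

def audit(log_lines):
    """Return (page, identifier names, CFToken format) for each exposing request."""
    findings = []
    for line in log_lines:
        request = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        ids = identifiers_in_url(request.group(1)) if request else {}
        if ids:
            page = request.group(1).split("?")[0].split(";")[0]
            kind = classify_cftoken(ids["cftoken"]) if "cftoken" in ids else None
            findings.append((page, sorted(ids), kind))
    return findings

# Constructed sample access-log lines; the second reuses this page's sample token.
SAMPLE_LOG = [
    '10.0.0.5 - - [-] "GET /MyActionPage.cfm?CFID=1234&CFTOKEN=48293716 HTTP/1.1" 200 512',
    '10.0.0.6 - - [-] "POST /MyActionPage.cfm?CFID=1235&CFTOKEN=3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9 HTTP/1.1" 200 512',
    '10.0.0.7 - - [-] "GET /index.cfm;jsessionid=abc123 HTTP/1.1" 200 900',
    '10.0.0.8 - - [-] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Each finding marks a place where an identifier reached a log file, which is the kind of exposure that the URLSessionFormat function reduces by appending identifiers only for clients that do not accept cookies.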