Configuring And Using Client Variables; Enabling Client Variables - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

Developing coldfusion mx applications

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope.
Because the CFToken and CFID values are used to identify a client over a period of time, they are
normally saved as cookies on the user's browser. These cookies persist until the client's browser
deletes them, which can be a considerable length of time. As a result, hackers could have more
access to these variables than if ColdFusion used different user identifiers for each session.

A hacker who has the user's CFToken and CFID cookies could gain access to user data by accessing
a web page during the user's session using the stolen CFToken and CFID cookies. While this
scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the
ColdFusion MX Administrator Memory Variables page. The J2EE session management
mechanism creates a new session identifier for each session, and does not use either the
CFToken or the CFID cookie value.

Managing client identity information in a clustered environment

To maintain your application's client identity information in a clustered server environment, you
must specify the cfapplication setdomaincookies attribute in your Application.cfm page.

The setdomaincookies attribute specifies that the server-side copies of the CFID and CFToken
variables used to identify the client to ColdFusion are stored at the domain level (for example,
.macromedia.com). If CFID and CFToken variable combinations already exist on each host in the
cluster, ColdFusion migrates the host-level variables on each cluster member to the single,
common domain-level variable. Following the setting or migration of host-level cookie variables
to domain-level variables, ColdFusion creates a new cookie variable (CFMagic) that tells
ColdFusion that domain-level cookies have been set.

If you use client variables in a clustered system, you must also use a database or cookies to store
the variables.

Configuring and using client variables

Use client variables for data that is associated with a particular client and application and that
must be saved between user sessions. Use client variables for long-term information such as user
display or content preferences.

Enabling client variables

To enable client variables, you must set the cfapplication tag clientmanagement attribute to
Yes on every page. Because the Application.cfm file is included in all of the application's pages,
you enable client management in the cfapplication tag, at the beginning of the
Application.cfm file. For example, to enable client variables in an application named SearchApp,
you use the following line in the application's Application.cfm page:

<cfapplication NAME="SearchApp" clientmanagement="Yes">

Choosing a client variable storage method

By default, ColdFusion stores client variables in the Registry. In most cases, however, it is more
appropriate to store the information as client cookies or in a SQL database.
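
The settings from the sections above combined in one Application.cfm, as an added example that is not from the manual: client variables kept in a database (as a clustered system requires), domain-level identifier cookies, and a once-per-application check that logs a warning when sessions are still keyed by CFID and CFToken. The data source name SearchAppClientDB and the log file name sessionaudit are hypothetical, and the check assumes ColdFusion's documented behavior that the Session scope has no Session.CFID variable under J2EE session management.

```cfml
<!--- Application.cfm (added example, not the manual's own code) --->
<!--- Assumption: "SearchAppClientDB" is a hypothetical data source that has
      been enabled for client variable storage in the ColdFusion Administrator.
      clientstorage="Cookie" is the other option that works in a cluster. --->
<cfapplication name="SearchApp"
    clientmanagement="Yes"
    clientstorage="SearchAppClientDB"
    sessionmanagement="Yes"
    setdomaincookies="Yes">

<!--- Run the session-identifier check once per application start rather than
      on every request, so the log is not flooded. --->
<cfif NOT StructKeyExists(Application, "sessionModeChecked")>
    <cflock scope="Application" type="exclusive" timeout="5">
        <cfif NOT StructKeyExists(Application, "sessionModeChecked")>
            <!--- With standard session management, the Session scope is keyed
                  by the same CFID/CFToken pair as the long-lived cookies.
                  With Use J2EE Session Variables selected, Session.CFID is
                  absent and the session has its own per-session identifier. --->
            <cfif StructKeyExists(Session, "CFID")>
                <!--- "sessionaudit" is a hypothetical log file name. --->
                <cflog file="sessionaudit" type="warning"
                    text="SearchApp: sessions are keyed by CFID/CFToken; Use J2EE Session Variables is not enabled on this server.">
            </cfif>
            <cfset Application.sessionModeChecked = true>
        </cfif>
    </cflock>
</cfif>
```

The warning is informational only; the fix is the Use J2EE Session Variables option on the Administrator's Memory Variables page, applied on every cluster member.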
