
Using client and session variables without cookies

Often, users disable cookies in their browsers. In this case, ColdFusion cannot maintain the client state automatically. You can use client or session variables without using cookies, by passing the client identification information between application pages. However, this technique has significant limitations, as follows:

Note: You can prevent ColdFusion from sending client information to the browser as cookies by setting the setClientCookies attribute of the cfapplication tag to No.

To use ColdFusion client or session variables without using cookies, each page must pass the CFID and CFToken values to any page that it calls as part of the request URL. If a page contains any HTML a href= links, cflocation tags, form tags, or cfform tags, the tags must pass the CFID and CFToken values in the tag URL. To use J2EE session management, you must pass the jsessionid value in page requests. To use ColdFusion client variables and J2EE session variables, you must pass the CFID, CFToken, and jsessionid values in URLs.

ColdFusion provides the URLSessionFormat function, which does the following:

The URLSessionFormat function automatically determines which identifiers are required, and sends only the required information. It also provides a more secure and robust method for supporting client identification than manually encoding the information in each URL, because it only sends the information that is required, when it is required, and it is easier to code.

To use the URLSessionFormat function, enclose the request URL in the function. For example, the following cfform tag posts a request to another page and sends the client identification, if required:

<cfform method="Post" action="#URLSessionFormat("MyActionPage.cfm")#">

Tip: If you use the same page URL in multiple URLSessionFormat functions, you can gain a small performance improvement and simplify your code if you assign the formatted page URL to a variable, for example:

<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfform method="Post" action="#myEncodedURL#">
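
An added example, not part of the original documentation: a small Python audit that scans a CFML template for the four tag types named above and reports whether each URL goes through URLSessionFormat (directly or through a cfset variable, as in the tip), has the identifiers hand-built into it, or carries none. The function name, status labels, and sample template are constructed for illustration.

```python
import re

# Tags the page names as needing the identifiers, and the attribute holding the URL.
URL_ATTR = {"a": "href", "form": "action", "cfform": "action", "cflocation": "url"}
TAG_RE = re.compile(r"<(a|form|cfform|cflocation)\b([^>]*)>", re.I)
SET_RE = re.compile(r"<cfset\s+(\w+)\s*=\s*URLSessionFormat\s*\(", re.I)
MANUAL_RE = re.compile(r"cfid=|cftoken=|jsessionid=|urltoken", re.I)

# Constructed sample template; page names are hypothetical.
SAMPLE = '''<cfapplication name="demo" sessionManagement="Yes" setClientCookies="No">
<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfoutput>
<a href="#URLSessionFormat("list.cfm")#">List</a>
<a href="detail.cfm?id=7">Detail</a>
<a href="report.cfm?CFID=#CFID#&CFTOKEN=#CFTOKEN#">Report</a>
<a href="http://www.example.com/">Elsewhere</a>
</cfoutput>
<cfform method="Post" action="#myEncodedURL#"></cfform>
<cflocation url="done.cfm">
'''

def audit_template(source):
    """Return (line, tag, status) for every link-bearing tag in a CFML template.
    wrapped:  URL goes through URLSessionFormat, directly or via a cfset variable
    manual:   identifiers are hand-built into the URL
    external: absolute URL, left for manual review
    missing:  no identifiers; client state is not kept for a cookieless browser
    """
    wrapped_vars = {m.group(1).lower() for m in SET_RE.finditer(source)}
    findings = []
    for m in TAG_RE.finditer(source):
        tag = m.group(1).lower()
        attr = re.search(URL_ATTR[tag] + r"\s*=\s*[\"']([^\"']*)", m.group(2), re.I)
        if not attr:
            continue
        value = attr.group(1)
        used = {v.lower() for v in re.findall(r"#\s*(\w+)\s*#", value)}
        if re.search(r"URLSessionFormat\s*\(", value, re.I) or used & wrapped_vars:
            status = "wrapped"
        elif MANUAL_RE.search(value):
            status = "manual"
        elif re.match(r"(https?:)?//", value, re.I):
            status = "external"
        else:
            status = "missing"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, tag, status))
    return findings
```

Entries reported as manual are the ones to review first, since the page recommends URLSessionFormat over encoding the identifiers by hand.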


Version 6.1

Comments are no longer accepted for ColdFusion MX 6.1. ColdFusion 8 is the current version.

Comments


parrot person said on Jun 4, 2004 at 2:11 PM :
I tried disabling cookies entirely in my browser (IE 6), and then accessing a ColdFusion web site that uses session variables but does not pass the CFID token nor use the URLSessionFormat. It still worked. This article implies that it shouldn't. What gives?

Another anomaly, this article states, "do not use client variables, if you do not require users to enable cookies" but then goes on to explain how to "use ColdFusion client or session variables without using cookies".

halL said on Jun 9, 2004 at 7:27 AM :
Some elaborations on issues raised by Parrot Person:

The Privacy settings cookie control on Internet Explorer only disables cookies for the Internet zone, not the local system or intranet.
Even specifying your local system's true IP address may not be enough to keep IE from saving and sending back a cookie.

We should remove the word "client" from the sentence that includes "use ColdFusion client or session variables without using cookies".

Once a cookie is set in a browser, it automatically sends that cookie with each request.
Therefore, if a browser was set to use cookies previously, and you have not purged your cookies, the browser may already have CFID and CFTOKEN cookies for your site in its cookie cache. As long as the browser is set to use cookies, it will send them as part of the initial request for the ColdFusion page, and ColdFusion will get them and use them for session management. Setting setclientcookies="no" in the cfapplication tag only keeps ColdFusion from setting the cookies on the browser if they don't already exist; it does not prevent ColdFusion from getting cookies that have already been set. ColdFusion does not try to set the cookies if the request sends the cookies already.

Note: The behavior described in the previous paragraph is one reason why we generally recommend using J2EE Session management, (selected in the ColdFusion MX Administrator Memory Variables page) rather than pre-MX style ColdFusion session management. J2EE session management does not use persistent cookies for the session ID, so the session management information is cleared when the b

Mike.Schwartz said on Jul 8, 2004 at 2:03 PM :
Could you please post the end of that previous comment? It got cut off.

Thanks-

halL said on Jul 8, 2004 at 2:08 PM :
My sentence should have ended with "when the browser closes."

No screen name said on Aug 27, 2004 at 9:08 PM :
I am not able to figure out how to enable cookies. Could you help me please? Thanks

dpinero said on Nov 28, 2005 at 8:16 AM :
I believe you are missing a closing quotation in the ACTION statement.

 


Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/shared11.htm