When a browser makes a request to a server, the web server and the browser create environment variables. In ColdFusion, these variables are referred to as CGI environment variables. They take the CGI prefix regardless of whether the server uses a server API or CGI to communicate with the ColdFusion Server.
Environment variables contain data about the transaction between the browser and the server, such as the IP Address, browser type, and authenticated username. You can reference CGI environment variables for a given page request anywhere in the page. CGI variables are read-only.
Note: The environment variables available to applications depend on the browser and server software.
Testing for CGI variables
Because some browsers do not support some CGI variables, ColdFusion always returns True when it tests for the existence of a CGI variable, regardless of whether the browser supports the variable. To determine if the CGI variable is available, test for an empty string, as shown in the following example:
<cfif CGI.varname IS NOT "">
CGI variable exists
<cfelse>
CGI variable does not exist
</cfif>
CGI server variables
The following table describes common CGI environment variables that the server creates (some of these are not available with some servers):
CGI server variable
Description
SERVER_SOFTWARE
Name and version of the information server software answering the request (and running the gateway). Format: name/version.
SERVER_NAME
Server's hostname, DNS alias, or IP address as it appears in self-referencing URLs.
GATEWAY_INTERFACE
CGI specification revision with which this server complies. Format: CGI/revision.
SERVER_PROTOCOL
Name and revision of the information protocol this request came in with. Format: protocol/revision.
SERVER_PORT
Port number to which the request was sent.
REQUEST_METHOD
Method with which the request was made. For HTTP, this is Get, Head, Post, and so on.
PATH_INFO
Extra path information, as given by the client. Scripts can be accessed by their virtual pathname, followed by extra information at the end of this path. The extra information is sent as PATH_INFO.
PATH_TRANSLATED
Translated version of PATH_INFO after any virtual-to-physical mapping.
SCRIPT_NAME
Virtual path to the script that is executing; used for self-referencing URLs.
QUERY_STRING
Query information that follows the ? in the URL that referenced this script.
REMOTE_HOST
Hostname making the request. If the server does not have this information, it sets REMOTE_ADDR and does not set REMOTE_HOST.
REMOTE_ADDR
IP address of the remote host making the request.
AUTH_TYPE
If the server supports user authentication, and the script is protected, the protocol-specific authentication method used to validate the user.
REMOTE_USER AUTH_USER
If the server supports user authentication, and the script is protected, the username the user has authenticated as. (Also available as AUTH_USER.)
REMOTE_IDENT
If the HTTP server supports RFC 931 identification, this variable is set to the remote username retrieved from the server. Use this variable for logging only.
CONTENT_TYPE
For queries that have attached information, such as HTTP POST and PUT, this is the content type of the data.
CONTENT_LENGTH
Length of the content as given by the client.
CGI client variables
The following table describes common CGI environment variables the browser creates and passes in the request header:
CGI client variable
Description
HTTP_REFERER
The referring document that linked to or submitted form data.
HTTP_USER_AGENT
The browser that the client is currently using to send the request. Format: software/version library/version.
HTTP_IF_MODIFIED_SINCE
The last time the page was modified. The browser determines whether to set this variable, usually in response to the server having sent the LAST_MODIFIED HTTP header. It can be used to take advantage of browser-side caching.
CGI client certificate variables
ColdFusion makes available the following client certificate data. These variables are available when running Microsoft IIS 4.0 or Netscape Enterprise under SSL if your web server is configured to accept client certificates.
CGI client certificate variable
Description
CERT_SUBJECT
Client-specific information provided by the web server. This data typically includes the client's name, e-mail address, etc. For example: O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU = Persona Not Validated, OU = Digital ID Class 1 - Microsoft, CN = Matthew Lund, E = mlund@macromedia.com
CERT_ISSUER
Information about the authority that provided the client certificate. For example: O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98", CN = VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
CLIENT_CERT_ENCODED
The entire client certificate binary, base-64 encoded. This data is typically of interest to developers,so they can integrate with other software that uses client certificates.
Comments are no longer accepted for ColdFusion MX. ColdFusion 8 is the current version.
Comments
zackmsg
said on
Jun 17, 2002
at
3:19 PM :
Behind a firewall's proxy server, I have found "CGI.HTTP_X_Forwarded_For" to reveal the User's actual IP Address rather than the proxy server's IP when using "CGI.Remote_Addr"
ctina
said on
Jul 19, 2002
at
3:07 PM :
Update from Macromedia, in response to zackmsg, re "CGI.Remote_Addr": thanks for your comment. We've logged a bug on this issue.
Christina Lamkin, CF MX documentation team
kgilchrist
said on
Nov 12, 2002
at
3:26 PM :
CERT_SUBJECT seem to be broken, i.e. unpopulated on iPlanet 6 SP4. I just upgraded from CF 5 -> CFMX and the CLIENT_CERT_USER_DN disappeared and CERT_SUBJECT is unpopulated.
Previously, CLIENT_CERT_USER_DN was populated under iPlanet while CERT_SUBJECT was populated under IIS.
I'll log a support call about this.
mdinowitz
said on
May 5, 2003
at
8:42 PM :
There are additional reserve words not covered in the next three chapters. These include expression elements (EQ), CFSCRIPT specific items (for) and older items that trip people up (_required). An old article on this can be found here:<BR>
http://www.fusionauthority.com/alert/index.cfm?alertid=6#Tech2
cfmahen
said on
Dec 10, 2003
at
11:59 PM :
We did an upgrade to 6.1 and rolled back to 6.0. Now the variable HTTP_USER_AGENT from the CGI scope is giving a blank value !! Would greatly appreciate help. Thanks !
note : using a Sun One (iplanet) web server.
No screen name
said on
Jan 31, 2004
at
1:45 AM :
I have CFMX 6.1 installed on LINUX. When a 404 FILE NOT FOUND error occurs, I load a custom .cfm error page. Unfortunately none of the CGI variables includes the path/filename of the file which was not found -- which I am used to Windows system.
Is there a way to find out the name of the file which was not found??
halL
said on
Feb 2, 2004
at
7:29 AM :
CGI.SCRIPT_NAME should do what you want. 404 errors generated by requesting a cfm page that CF cannot find cause a missing template error, which is handled by the missing template error page specified in the ColdFusion MX Administrator. It is this page which must try to use the variable. See http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/errors16.htm.
Note that while the comment refers to ColdFusion MX 6.1, this page is in the ColdFusion MX documentation. In this case, there is no substantive difference in the pages, however.
No screen name
said on
Feb 11, 2004
at
2:35 AM :
I have installed ColdFusion MX with IIS server. When using NT authentication, i am not getting any CGI variable (like CGI.Auth_User)passed to ColdFusion page. The only exception is that the user is Administrator on the server. I have tried all avialable help on macromedia sites and some others but no success. Any help will be greatly appreciated.
22
said on
Aug 18, 2004
at
5:48 AM :
Macromedia Technical Support told me that there is a bug or problem with the NSAPI. They recommend only IIS or Apache web server to detect certificate variables.
casey@kangasoft
said on
Oct 29, 2004
at
4:34 PM :
cgi.http_referer taking 10 seconds on mx6.1!
Using GetTickCount on both sides of <cfset referer = cgi.referer>
how could this happen, i thought it gets this info from the request header.. should be a string manipulation.... should never take 10 secs!
bizarrojack
said on
Nov 20, 2004
at
12:31 AM :
Just fyi, it would appear that "#referer#" is already automatically set to match "#CGI.HTTP_REFERER#".
It came as a bit of a surprise to me earlier today. . . very frustrating if you find yourself doing a <cfif "#referer#" is ""> for any reason. I've not yet found documentation on this. Who knew?
No screen name
said on
Dec 1, 2004
at
1:17 PM :
FYI. I've noticed that not all browsers use the same properties when they generate the request header. For example, some browsers don't populate the HTTP_REFERER property. So, If you rely upon the value to determine if a page is being used in the proper sequence -- beware.
No screen name
said on
Dec 16, 2004
at
9:41 AM :
One thing we are working through is in Internet Explorer, the "#CGI.HTTP_REFERER#". is not passed to a child window that has been opened with javascript. Now when we use Netscape, it does. Dunno if this is a true bug or just bad programming, but I will keep you informed...
"I'd use the window.opener property. If the window has been opened using a window.open(), then window.opener.location should contain the url of the opening document. Alternatively, you could look at window.opener.document.referrer to get the opener's referrer"
Seems to work for me in IE too. OTOH, I'm not sure how to capture Javascript values in CF, e.g. for use in a CFIF deal.
HelloHarry
said on
Apr 9, 2005
at
4:24 PM :
I have set up my error handling which prints out all errors to an html file with all the relevant error info. One thing that I noticed is that I receive many errors with the HTTP Referrer value missing. What does this mean? Can anyone help?
jrunrandy
said on
Apr 19, 2005
at
9:00 AM :
My experience is that HTTP_REFERER is not consistently handled by all browsers.
tSpark
said on
Jun 15, 2005
at
6:52 PM :
Just to add to the other comments regarding the cgi.http_referer, I've also read that some versions of Norton Personal FIrewall, by default, block the http_referer from being passed from the browser. People can go in and change this setting to block/unblock it.
daveww
said on
Dec 19, 2005
at
8:46 AM :
Thanks for that tsparck - you just saved me a *lot* of time figuring that out for myself. In Norton Internet security 2005 you have to turn off "Browser Privacy" for cgi.http_referer to get set.
dpinero
said on
May 12, 2006
at
1:43 PM :
In discussion "CGI.QUERY_STRING" it reads "Query information that follows the ? in the URL that referenced this script." I needed the complete URL, not just anything after the ?. Luckily I tried what I needed to do and to my surprise I found I could get an entire URL back while using this command on my designated 404 page. I got back the following: "404;http://www.mywebsite.com:80/directory" - which represents the site my users were trying to reach when they got the 404 page instead. Not sure if this is unique to me for any reason, but if not, it would be helpful to point this out in the docs. In my case I can now build a 404 page that routes people automatically to other places based on where they intended to go.
ChivertonT
said on
Jul 14, 2006
at
2:30 AM :
@bizarrojack: You shouldn't be surprised that ' "#referer#" is already automatically set to match "#CGI.HTTP_REFERER#" '. When you reference an unscoped variable, CF will try several different scopes for you. Yes, this can be very confusing which is why you should ALWAYS scope your variables.
ChivertonT
said on
Jul 14, 2006
at
3:21 AM :
@bizarrojack: You shouldn't be surprised that ' "#referer#" is already automatically set to match "#CGI.HTTP_REFERER#" '. When you reference an unscoped variable, CF will try several different scopes for you. Yes, this can be very confusing which is why you should ALWAYS scope your variables.
Tim_D
said on
Aug 24, 2006
at
1:21 AM :
@ChivertonT With respect to CF automatically trying other scopes if none is specified, that is documented and expected, but in this case, leaving the scope aside, the variable names are different (HTTP_REFERER versus REFERER)
Schuchert
said on
May 15, 2007
at
10:42 AM :
CLIENT_CERT_ENCODED gives no value using CF7.02, Windows 2003 on IIS6
halL
said on
May 30, 2007
at
7:47 AM :
CLIENT_CERT_ENCODED is not supported in ColdFusion 6 or later. We will remove it from the documentation in a future release.
Comments
zackmsg said on Jun 17, 2002 at 3:19 PM : ctina said on Jul 19, 2002 at 3:07 PM : kgilchrist said on Nov 12, 2002 at 3:26 PM : mdinowitz said on May 5, 2003 at 8:42 PM : cfmahen said on Dec 10, 2003 at 11:59 PM : No screen name said on Jan 31, 2004 at 1:45 AM :