Question

Good Day,

We are trying to implement an API in Coldfusion 8 whereby cookies are not used - instead, we pass the cfid, cftoken and jsessionid by GET or POST for each request.

We are using mach-ii and its SessionFacade. I don't know if you require any further information about this; please mention if you do.

In Coldfusion Administrator, Client Variables are set to "Registry", Memory Variables are ticked for each of "Use J2EE Session Variables, Enable Application Variables, Enable Session Variables".

My Application.cfc pseudo-constructor looks like

<cfset this.name = "#cgi.server_name#" />
<cfset this.loginStorage = "session" />
<cfset this.sessionManagement = true />
<cfset this.setClientCookies = false />
<cfset this.setDomainCookies = false />
<cfset this.sessionTimeOut = CreateTimeSpan(0,1,0,0) />
<cfset this.applicationTimeOut = CreateTimeSpan(0,1,0,0) />

and there is nothing in onSessionStart or onSessionEnd.

To validate the session, I am using a plugin and in its preProcess method I have:

if (not getSessionFacade().has("authUserLoggedIn")){
    arguments.eventContext.clearEventQueue();
    arguments.eventContext.announceEvent("nologin", newEventArgs);
}

I think the first thing I'm not understanding is, are there any circumstances where it is necessary to send the cfid and cftoken when using J2EE sessions? Or does the jsessionid completely and totally replace their function?

Secondly, I want this one Application (and not the whole server) to not send cookies. In my Application.cfc, I have cookies set to disabled, yet it still tries to send a cookie containing the jsessionid.

This has what I consider to be strange side effects:

On Firefox with cookies disabled, the cfid, cftoken and jsessionid entered into the URL correctly maintain the session state.

But we also used it with an iPhone App that does accept cookies. Before we fixed it by saving the cookie to local storage, when you closed the App and re-opened it, the cookie was lost. Regardless of the fact that the still valid cfid, cftoken and jsessionid were being sent in the URL, it still gave us a "Not logged in" error.

So I have three questions:

Firstly, when using J2EE sessions, are there any circumstances where I need to store and re-send the cfid and cftoken?

Secondly, is there an Application level setting I can use to force the jsessionid to be stored manually, and not use a cookie?

Thirdly, at which stage is a jsessionid picked up and the session variables populated from memory? Is this something I can debug or interrogate, so I can put something in to say

if jsessionid refers to a current, valid session {
    ...
}

Solution

This setting:

<cfset this.setClientCookies = false /> 

Prevents the client cookies (cfid/cftoken) from being set. This has to do with client management and not session management. You have not set the clientManagement value in your properties, so it has probably defaulted to true, meaning these values are being created but not set as cookies. If you are not passing them along on the URL (I'm speaking about the cfid/cftoken now) you may be creating lots of them. Check your registry :) And as a rule, if you are not using them, set clientManagement to false.

CFID and CFTOKEN are used for client variables even if you have jsessionid enabled. But they should not be needed for the session when using jsessionID.

There is no equivalent to setClientCookies in the app properties that I know of. Logically I would expect to see a "setSessionCookies=" so that you would have granular control over these vars. But that's not the case. I suspect it might be because CF is tapping into the underlying J2EE session architecture and this is the way it's done under the hood. But don't quote me.

However, I wonder why you don't just trap the jsessionID in onSessionStart() and pass it along on your URLs as needed. Cookies might be set - or they might not, based on the platform or client involved... but as long as you have it on the URL you are good, right?
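One way to act on that suggestion (capture the identifier in onSessionStart and carry it explicitly on API URLs), as an added Application.cfc example that is not the poster's or Mach-II's code; it assumes J2EE session variables are enabled as in the question, and the apiUrl function, the apiToken key and the api_session log name are names chosen here:

```cfml
<!--- Application.cfc: added example, not the poster's code.
      Assumes CF8 with "Use J2EE Session Variables" ticked in the Administrator. --->
<cfcomponent output="false">
    <cfset this.name = "sessionless_api" />
    <cfset this.sessionManagement = true />
    <!--- This API does not use client variables, so stop creating CFID/CFTOKEN
          client records at all (the registry growth mentioned in the answer). --->
    <cfset this.clientManagement = false />
    <cfset this.setClientCookies = false />
    <cfset this.setDomainCookies = false />
    <cfset this.sessionTimeout = CreateTimeSpan(0,1,0,0) />

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- With J2EE sessions, session.sessionId is the jsessionid and
              session.urlToken is the ready-made "CFID=..&CFTOKEN=..&jsessionid=.."
              string that the client must echo back on every request. --->
        <cfset session.apiToken = session.urlToken />
        <cfset session.authUserLoggedIn = false />
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <!--- If the request carried a jsessionid but the session we are in has a
              different id, CF did not recognise the one presented (expired, wrong
              node, or mangled on the client side) and started a fresh session.
              Logging that answers the "can I debug this?" question. --->
        <cfif structKeyExists(url, "jsessionid") and url.jsessionid neq session.sessionId>
            <cflog file="api_session"
                   text="unrecognised jsessionid presented from #cgi.remote_addr#; new session #session.sessionId# started" />
        </cfif>
        <cfreturn true />
    </cffunction>

    <!--- Build a URL that carries the session identifier itself, so the API works
          whether or not the client honours the jsessionid cookie the server still sets.
          Identifiers in URLs land in access logs and Referer headers, so serve the API
          over HTTPS only and never place such links on pages that link out. --->
    <cffunction name="apiUrl" returntype="string" output="false">
        <cfargument name="path" type="string" required="true" />
        <cfset var sep = "?" />
        <cfif find("?", arguments.path)><cfset sep = "&" /></cfif>
        <cfreturn arguments.path & sep & session.urlToken />
    </cffunction>
</cfcomponent>
```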

OTHER TIPS

This setting:

<cfset this.setClientCookies = false /> 

sets the CFID & CFTOKEN or JSESSIONID cookies. These are used for client AND session! So if you set this to false and you don't put CFID/CFTOKEN or JSESSIONID in the request url, you can't use session management.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow