Question

This code in the Application.cfm (I know it should probably be .cfc, but this is some old code dating back to MX) for cookies used to work just fine on CF8 and CF9 - but I moved this to a local directory using CF10 Developer edition and it did not work until I commented out that block. Here's the error when reaching the index.

The system has attempted to use an undefined value, which usually indicates a programming error, either in your code or some system code.

Null Pointers are another name for undefined values.

The error occurred in C:/ColdFusion10/cfusion/wwwroot/TFT/Application.cfm: line 3
1 : <!--- APPLICATION settings --->
2 : <cfif IsDefined("cfid")>
3 :     <cfcookie name="cfid" value="#cfid#" expires="NOW">
4 :     <cfcookie name="cftoken" value="#cftoken#" expires="NOW">
5 : </cfif>

This is the current code in Application.cfm:

<!--- APPLICATION settings --->
<!--- 5/1/13 removed cookies temporarily
<cfif IsDefined("cfid")>
    <cfcookie name="cfid" value="#cfid#" expires="NOW">
    <cfcookie name="cftoken" value="#cftoken#" expires="NOW">
</cfif>--->

<!--- Define the application parameters--->
<cfapplication name="TFTAdmin" clientmanagement="Yes" 
    sessionmanagement="Yes" 
    setclientcookies="No" 
    sessiontimeout="#CreateTimeSpan('0','4','0','0')#" 
    applicationtimeout="#CreateTimeSpan('0','4','0','0')#">

<!--- Create cookies that disappear when the browser closes as to increase security --->
<cflock scope="session" type="readonly" timeout="5">
     <cfcookie name="cfid" value="#session.cfid#">
     <cfcookie name="cftoken" value="#session.cftoken#">
</cflock>

EDIT: There's more code in this file - but it seems irrelevant.

Solution

What happens if you properly scope your variables? cfid could be defined in the variables scope as a null value.

<cfif structKeyExists(session,"cfid")>
    <cfcookie name="cfid" value="#session.cfid#" expires="NOW">
    <cfcookie name="cftoken" value="#session.cftoken#" expires="NOW">
</cfif>

OTHER TIPS

Because you were on a new server I suspect that you managed to get your cookies into a state where they didn't have values that made sense.

I'm not sure fixing the code is important anyway, because it appears to be doing something nonsensical. But a quick fix of the code would be to do this:

<cfif IsDefined("cfid")>
    <cfcookie name="cfid" value="" expires="NOW">
    <cfcookie name="cftoken" value="" expires="NOW">
</cfif>

It's still only testing for cfid but it's not setting the values of the cookies. The values don't matter because the code is expiring the cookies.

The reason I said the code was nonsensical is because the Cookie scope is part of the scope evaluation order. So what the code as a whole is doing is saying "if cookies exist, remove them and then set new cookies with new values." So users will get a fresh session on every page refresh. That is the same as not having any session management in the first place. So you might as well set sessionmanagement="false" and remove both cookie blocks of code.

It's possible, though unlikely, that this code came about because someone wanted to provide a little bit of extra security by not allowing the session to be changed via URL/form variables, thus limiting session hijacking. However, the way that it was implemented doesn't solve that issue either.
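
An added example, not part of the original question or answers: one way to write the cookie block with explicit scopes, so the test reads only the cookie scope and the browser-session cookies are issued once instead of being expired and recreated on every request. It assumes J2EE session variables are disabled (so session.cfid and session.cftoken exist) and ColdFusion 9 or later for the httponly attribute.

```cfml
<!--- Added example, not the original poster's code --->
<cfapplication name="TFTAdmin" clientmanagement="Yes"
    sessionmanagement="Yes"
    setclientcookies="No"
    sessiontimeout="#CreateTimeSpan(0,4,0,0)#"
    applicationtimeout="#CreateTimeSpan(0,4,0,0)#">

<!--- Look only in the cookie scope. An unscoped IsDefined("cfid") walks the
      scope evaluation order and can also match variables.cfid, url.cfid
      or form.cfid. --->
<cfif NOT (structKeyExists(cookie, "cfid") AND structKeyExists(cookie, "cftoken"))>
    <cflock scope="session" type="readonly" timeout="5">
        <!--- No expires attribute: the browser drops these cookies when it
              closes. httponly keeps them away from client-side script. --->
        <cfcookie name="cfid" value="#session.cfid#" httponly="true">
        <cfcookie name="cftoken" value="#session.cftoken#" httponly="true">
    </cflock>
</cfif>
```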

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow