Day 5: ColdFusion 10 Session Enhancement

ColdFusion 10 added a couple of session-related functions and new settings for the session cookie. First, I noticed that "Use UUID for CFTOKEN" is now enabled by default, so if you are moving from an older version (where CFTOKEN was not a UUID) to ColdFusion 10 and you store client variables in a datasource, make sure you increase the field size in the database table that holds them. The session ID is generated from the application name, CFID and CFTOKEN.

New session cookie settings were added; the following can be set at the application or server level.

  • httpOnly : true by default
  • secure : false by default (true will 
  • domain : the domain for which the cookie should be created
  • timeout : as we all know, the lifetime of the cookie

You can normally update ColdFusion's cookies using its internal cookie tag, but this can be disabled at the application level by setting sessioncookie.disableUpdate = true, and likewise for the authorization cookie with authcookie.disableupdate = true. At the application level you can override the server settings in Application.cfc with the following properties.

  • this.sessioncookie.httponly="true/false"
  • this.sessioncookie.secure="true/false"
  • this.sessioncookie.domain="domain name"
  • this.sessioncookie.timeout="number of days" (days)

Besides these settings, two new functions were added: sessionInvalidate() and sessionRotate().

sessionInvalidate():

Invalidates your session and removes all session variables; on the next request the server will generate a new session (new CFID and CFTOKEN).

sessionRotate():

This function creates a new session and invalidates the old one. Before invalidating the old session it copies everything into the new session. This is useful for mitigating session attacks (session fixation): create a new session right after the user logs in.
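To tie the cookie settings and the two new functions together, here is an added example Application.cfc (my own illustration, not code from the original post). It assumes a hypothetical checkCredentials() lookup against your user store and uses "example.com" as a placeholder domain.

```cfml
// Application.cfc (added example). checkCredentials() is a hypothetical stub;
// "example.com" is a placeholder domain.
component {
    this.name              = "SessionDemo";
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);

    // ColdFusion 10 session cookie settings, overriding the server defaults
    this.sessioncookie.httponly      = true;          // not readable by client-side script
    this.sessioncookie.secure        = true;          // only sent over HTTPS
    this.sessioncookie.domain        = "example.com"; // placeholder domain
    this.sessioncookie.timeout       = 1;             // cookie lifetime, in days
    this.sessioncookie.disableUpdate = true;          // internal tags cannot rewrite CFID/CFTOKEN
    this.authcookie.disableUpdate    = true;          // same protection for the auth cookie

    public boolean function onRequestStart(required string targetPage) {
        // Login form posted: verify credentials, then rotate the session.
        // sessionRotate() issues a fresh CFID/CFTOKEN, copies the existing
        // session scope into it and invalidates the old session, so a session
        // id handed to the user before login (session fixation) is no longer valid.
        if (structKeyExists(form, "username") && structKeyExists(form, "password")) {
            if (checkCredentials(form.username, form.password)) {
                sessionRotate();
                session.user       = form.username;
                session.loggedInAt = now();
            }
        }

        // Logout: drop every session variable; the next request gets a new session.
        if (structKeyExists(url, "logout")) {
            sessionInvalidate();
        }
        return true;
    }

    private boolean function checkCredentials(required string username, required string password) {
        // Hypothetical stub: replace with a lookup against your user store.
        return false;
    }
}
```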