Unit 13: Working with Variables
Maryland ColdFusion User Group
Session Management 101
11 December 2001
Michael Schuler
[email protected]
1
Agenda
Addressing the Web’s Statelessness
The Application Framework
Session Variables
Locking Shared Variables
2
The Web's Statelessness
You will need to persist information across pages in order to:
Validate user authentication at login, and maintain that authentication
throughout the session
Personalize the user’s experience
Maintain information about the user’s session - for example, a shopping cart
3
The Web's Statelessness
HTTP creates a new connection for every page request
Variables and flags set during one request are not available for the next request
Work around this problem by using:
Cookies
Application framework
Session variables
4
Securing Applications
You need to:
Authenticate users on first access with a login page
Allow access to an application for a predetermined session time or time without
activity
Secure each page so that users cannot bookmark a page and circumvent the login
5
Security Components
Secure your Web pages by using the following security components:
Login page and login action page to authenticate users against a database table of users
Application Framework to test for login on each page in the application
Session variables to persist a logged in flag for each page in the application
6
Cookie Types
There are two types of cookies you can create:
Persistent cookies
Session cookies
Both can be created using the <CFCOOKIE> tag
Differentiated by the use of the EXPIRES attribute.
7
Persistent vs. Session Cookies
Persistent Cookies:
EXPIRES attribute determines when the cookie gets deleted from the browser
machine:
EXPIRES = "n"
EXPIRES = "date"
EXPIRES = "never"
EXPIRES = "now"
8
Session Cookies
Created by omitting the EXPIRES attribute from the
<CFCOOKIE> tag
Only valid until all the browser sessions on that client machine are closed
Use this value when you only want to track the user for the current session
Destroyed when the browser sessions close, and are never stored in a file on
the browser machine
9
Persistent State Variables
Variables that allow you to store information once, and then share it in an
application, a session or the entire server.
Server
Application
Session
Client
Request
10
Session Variables
Session variables are:
Stored in the Web server's memory
Lost when the Web server is restarted
Used for single site visit
In order to use Session variables, you will need to:
1. Check the ColdFusion Administrator for Session settings
2. Enable Session variables within your Application.cfm file
3. Set Session variables in your ColdFusion pages
11
ColdFusion Administrator Settings
Session variables must be enabled before use.
Check the following settings in the ColdFusion Administrator to:
1. Make sure that Session variables have not been disabled
2. Set/reset the Session variables default and maximum timeout settings
12
ColdFusion Administrator Settings
Found in the ColdFusion Administrator in the Server Settings section under
Memory Variables
13
Enabling Session Variables
Enable session variables in the Application.cfm file:
<CFAPPLICATION name="CoffeeValley"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0, 1, 0, 0)#">
Enables session variables and sets expiration to 1 hour after last browser
activity for each session
The maximum timeout default in the ColdFusion Administrator is 20 minutes. Change this
value in order for the above tag to allow timeout at 1 hour.
14
Session Variable Process
1. The first time a browser requests a page from ColdFusion, it will encounter the
<CFAPPLICATION> tag. This is always placed in an Application.cfm file.
2. ColdFusion will generate a unique identifier for the browser. The unique ID is
made up of two values: CFID and CFTOKEN.
3. Two cookies are created and sent to the browser: CFID and CFTOKEN.
4. These two values are also stored in the Web server's memory within the
application. This is the link between the Web server and the browser session.
15
Session Variable Process
16
Creating Session Variables
Session variables are stored in server memory with the matching CFID and
CFTOKEN values
Each session will have a separate set of variables
Created using the <CFSET> tag
The Session. prefix is required
<CFSET Session.BGColor="red">
17
Creating Session Variables
18
Disabled Cookies
If a browser has disabled the receipt of cookies, your ColdFusion application
will need to pass the client information for every page request
Append CFID and CFTOKEN on URL
Pass CFID and CFTOKEN in hidden form controls
Use ADDTOKEN="Yes" on the <CFLOCATION> tag
19
Demonstration
Using Session Variables to Secure All Application Pages
20
Locking Shared Variables
Application and session (as well as server) scope variables are shared
These variables can be set and retrieved at the same time
Setting/getting values from the same place in memory at the same time can cause corruption, and can
lead to system failure
Session variables can collide if:
The user hits Refresh in their browser while it's already processing a Session variable
A Session variable is used within a frameset
Every read and write of shared memory values requires the use of the <CFLOCK> tag
to ensure memory integrity
21
<CFLOCK>
Locks variables or code for the duration of the tag
Two types of locks:
Exclusive lock for variable setting
Read-only lock for variable getting
<CFLOCK TIMEOUT="timeout in seconds"
SCOPE="Application" or "Server" or "Session"
THROWONTIMEOUT="Yes" or "No"
TYPE="ReadOnly" or "Exclusive">
<!--- variable set or get --->
</CFLOCK>
22
Setting Variables
All sets of shared memory variables must be locked exclusively
An exclusive lock single-threads access to the CFML constructs in its body
Implies that the body of the tag can be executed by at most one request at a time
No other requests can start executing inside the tag while a request has an exclusive lock.
ColdFusion issues exclusive locks on a first-come, first-served basis
Use the <CFLOCK> tag around all writes to server, application and session variables.
<CFLOCK SCOPE="SESSION"
TYPE="EXCLUSIVE"
TIMEOUT="10">
<CFSET Session.UserName="#FORM.UserName#">
</CFLOCK>
23
Getting Variables
A read-only lock allows multiple requests to concurrently access the CFML constructs
inside its body
Should be used only when the shared data is read only and not modified
If another request already has an exclusive lock on the shared data, the request waits for
the exclusive lock to be released
<CFLOCK SCOPE="SESSION"
TYPE="READONLY"
TIMEOUT="10">
<!--- lock the scope that is actually read: Session, not Application --->
<CFOUTPUT>
Welcome #Session.UserName#!
</CFOUTPUT>
</CFLOCK>
24
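Putting the security components of slide 6, the cookie-less fallback of slide 19 and the locking rules of slides 21 to 24 together: an Application.cfm that enforces the logged-in flag on every page, followed by the login action page that sets it. This is an added example and not code from the original deck; the page names login.cfm, login_action.cfm and index.cfm, the datasource "CoffeeValley" and the Users table with UserName and Password columns are assumptions.

```cfml
<!--- Application.cfm: runs before every page in the application --->
<CFAPPLICATION name="CoffeeValley"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Create the logged-in flag once per session (a write, so an exclusive lock) --->
<CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10">
    <CFIF NOT IsDefined("Session.LoggedIn")>
        <CFSET Session.LoggedIn = "No">
    </CFIF>
</CFLOCK>

<!--- Read the flag under a read-only lock into the Request scope, which only this request sees --->
<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10">
    <CFSET Request.LoggedIn = Session.LoggedIn>
</CFLOCK>

<!--- Every page except the two login pages needs an authenticated session, so a
      bookmarked URL lands on login.cfm instead of the protected page --->
<CFSET Request.PageName = ListLast(CGI.SCRIPT_NAME, "/")>
<CFIF NOT Request.LoggedIn
      AND Request.PageName NEQ "login.cfm"
      AND Request.PageName NEQ "login_action.cfm">
    <!--- ADDTOKEN appends CFID and CFTOKEN to the URL for browsers that refuse cookies --->
    <CFLOCATION URL="login.cfm" ADDTOKEN="Yes">
</CFIF>

<!--- login_action.cfm: check the posted credentials against the assumed Users table.
      CFQUERYPARAM binds the FORM values instead of pasting them into the SQL string --->
<CFQUERY name="qUser" datasource="CoffeeValley">
    SELECT UserName
    FROM   Users
    WHERE  UserName = <CFQUERYPARAM value="#FORM.UserName#" CFSQLType="CF_SQL_VARCHAR">
    AND    Password = <CFQUERYPARAM value="#FORM.Password#" CFSQLType="CF_SQL_VARCHAR">
</CFQUERY>

<CFIF qUser.RecordCount EQ 1>
    <CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="10">
        <CFSET Session.LoggedIn = "Yes">
        <CFSET Session.UserName = qUser.UserName>
    </CFLOCK>
    <CFLOCATION URL="index.cfm" ADDTOKEN="Yes">
<CFELSE>
    <CFLOCATION URL="login.cfm" ADDTOKEN="Yes">
</CFIF>
```

The 20-minute session timeout stays within the Administrator's default maximum, so the tag works without changing the Memory Variables settings from slide 13.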
Demonstration
Locking Session Variables
25
Questions
?
26