Posts Tagged ‘ColdFusion

ColdFusion session management

ColdFusion session management is enabled by default. It utilizes CFID and CFToken as session identifiers. It sends them to the browser as persistent cookies with every request. If cookies are disabled, developers must pass these values in the URL. Session variables are automatically cleared when the session timeout is reached—but not when the browser closes.

Table 1: Default session scope variables:


  1. It is compatible with all versions of ColdFusion.
  2. It uses same session identifiers as ColdFusion’s client management.
  3. It is enabled by default.


  1. CFID and CFToken are created as persistent cookies.
  2. You can only use one unnamed application per server instance.
  3. Sessions persist when the browser closes.
  4. ColdFusion session scope is not serializable.

Tags : , , , , , , ,

Authentication in ColdFusion

ColdFusion features built-in server-side file search, Adobe Flash and Adobe Flex application connectivity, web services publishing, and charting capabilities. ColdFusion is implemented on the Java platform and uses a Java 2 Enterprise Edition (J2EE) application server for many of  its runtime services. ColdFusion can be configured to use an embedded J2EE server (Adobe JRun), or it can be deployed as a J2EE application on a third party J2EE application server such as Apache Tomcat, IBM WebSphere, and BEA WebLogic.


Web and application server authentication can be thought of as two different controls (see Figure 1). Web server authentication is controlled by the web server administration console or configuration files. These controls do not need to interact with the application code to function. For example, using Apache, you modify the http.conf or .htaccess files; or for IIS, use the IIS Microsoft Management Console. Basic authentication works by sending a challenge request back to a user’s browser consisting of the protected URI. The user must then respond with the user ID and password, separated by a single colon, and encoded using base64 encoding. Application-level authentication occurs at a layer after the web server access controls have been processed. This section examines how to use ColdFusion to authenticate and authorize users to resources at the application level.

Figure 1: Web server and application server authentication occur in sequence before accessis granted to protected resources.

ColdFusion enables you to authenticate against multiple system types. These types include LDAP, text files, Databases, NTLM, Client-Side certificates via LDAP, and others via custom modules. The section below describes using these credential stores according to best practices.

Best practices

  1. applicationTimeout = #CreateTimeSpan(0,8,0,0)#
  2. loginStorage = session
  3. sessionTimeout = #CreateTimeSpan(0,0,20,0)#
  4. sessionManagement = True
  5. scriptProtect = All
  6. setClientCookies = False (Use JSESSIONID)
  7. setDomainCookies = False
  8. name (This value is application-dependent; however, it should be set)

Tags : , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,