Unit 13: Working with Variables - PowerPoint PPT Presentation

Slides: 27
Provided by: MARLEN91

1
Maryland ColdFusion User Group Session Management 101
11 December 2001 Michael Schuler michael_at_macromedia.com
2
Agenda
  • Addressing the Web's Statelessness
  • The Application Framework
  • Session Variables
  • Locking Shared Variables

3
The Web's Statelessness
  • You will need to persist information across pages
    in order to
    • Validate user authentication at login, and
      maintain that authentication throughout the
      session
    • Personalize the user's experience
    • Maintain information about the user's session,
      for example, a shopping cart

4
The Web's Statelessness
  • HTTP creates a new connection for every page
    request
  • Variables and flags set during one request are
    not available for the next request
  • Work around this problem by using
    • Cookies
    • Application framework
    • Session variables

5
Securing Applications
  • You need to
    • Authenticate users on first access by giving them
      a login page
    • Allow access to an application for a
      predetermined session time or time without
      activity
    • Secure each page to be sure users cannot bookmark
      a page and circumvent the login

6
Security Components
  • Secure your Web pages by using the following
    security components
    • Login page and login action page to authenticate
      users against a database table of users
    • Application Framework to test for login on each
      page in the application
    • Session variables to persist a logged-in flag for
      each page in the application

7
Cookie Types
  • There are two types of cookies you can create
    • Persistent cookies
    • Session cookies
  • Both can be created using the <CFCOOKIE> tag
  • Differentiated by the use of the EXPIRES
    attribute

8
Persistent vs. Session Cookies
  • Persistent Cookies
    • EXPIRES attribute determines when the cookie gets
      deleted from the browser machine
    • EXPIRES="n"
    • EXPIRES="date"
    • EXPIRES="never"
    • EXPIRES="now"

9
Session Cookies
  • Created by omitting the EXPIRES attribute from
    the <CFCOOKIE> tag
  • Only valid until all the browser sessions on that
    client machine are closed
  • Use this value when you only want to track the
    user for the current session
  • Destroyed when the browser sessions close, and
    are never stored in a file on the browser machine

10
Persistent State Variables
  • Variables that allow you to store information
    once, and then share it in an application, a
    session or the entire server.
  • Server
  • Application
  • Session
  • Client
  • Request

11
Session Variables
  • Session variables are
    • Stored in the Web server's memory
    • Lost when the Web server is restarted
    • Used for a single site visit
  • In order to use Session variables, you will need
    to
    • Check the ColdFusion Administrator for Session
      settings
    • Enable Session variables within your
      Application.cfm file
    • Set Session variables in your ColdFusion pages

12
ColdFusion Administrator Settings
  • Session variables must be enabled before use
  • Check the following settings in the ColdFusion
    Administrator to
    • Make sure that Session variables have not been
      disabled
    • Set/reset the Session variables default and
      maximum timeout settings

13
ColdFusion Administrator Settings 11-21
  • Found in the ColdFusion Administrator in the
    Server Settings section under Memory Variables

14
Enabling Session Variables
  • Enable session variables in the Application.cfm
    file
  • <CFAPPLICATION name="CoffeeValley"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0, 1, 0, 0)#">
  • Enables session variables and sets expiration to
    1 hour after last browser activity for each
    session

The default maximum timeout in the ColdFusion
Administrator is 20 minutes. Change this value in
order for the above tag to allow a timeout of 1
hour.
15
Session Variable Process
  • The first time a browser requests a page from
    ColdFusion, it will encounter the <CFAPPLICATION>
    tag. This is always placed in an Application.cfm
    file.
  • ColdFusion will generate a unique identifier for
    the browser. The unique ID is made up of two
    values: CFID and CFTOKEN.
  • Two cookies are created and sent to the browser:
    CFID and CFTOKEN.
  • These two values are also stored in the Web
    server's memory within the application. This is
    the link between the Web server and the browser
    session.

16
Session Variable Process
17
Creating Session Variables
  • Session variables are stored in server memory
    with the matching CFID and CFTOKEN values
  • Each session will have a separate set of
    variables
  • Created using the <CFSET> tag
  • The Session. prefix is required
  • <CFSET Session.BGColor="red">

18
Creating Session Variables
19
Disabled Cookies
  • If a browser has disabled the receipt of cookies,
    your ColdFusion application will need to pass the
    client information for every page request
    • Append CFID and CFTOKEN on URL
    • Pass CFID and CFTOKEN in hidden form controls
    • Use ADDTOKEN="Yes" on the <CFLOCATION> tag

20
Demonstration
  • Using Session Variables to Secure All Application
    Pages
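
An added example (not from the original slides) of the page gate this demonstration title describes: an Application.cfm that enables session management and sends any request without a logged-in flag to the login page. The names Session.LoggedIn, login.cfm and login_action.cfm are assumptions; the application name and timeout are the ones shown on the slides.

```cfml
<!--- Application.cfm: ColdFusion runs this before every page in the
      directory tree, so the check below cannot be skipped by bookmarking
      an inner page. --->
<CFAPPLICATION NAME="CoffeeValley"
               SESSIONMANAGEMENT="Yes"
               SESSIONTIMEOUT="#CreateTimeSpan(0, 1, 0, 0)#">

<!--- Pages that must stay reachable without a login (assumed file names). --->
<CFSET PublicPages = "login.cfm,login_action.cfm">
<CFSET CurrentPage = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- Copy the flag out of the shared Session scope under a short
      read-only lock, then work with the local copy. Session.LoggedIn is
      an assumed name for the logged-in flag; the login action page is
      expected to set it under an exclusive lock. --->
<CFSET IsLoggedIn = False>
<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF IsDefined("Session.LoggedIn")>
        <CFSET IsLoggedIn = Session.LoggedIn>
    </CFIF>
</CFLOCK>

<!--- Any protected page requested without the flag goes to the login page.
      ADDTOKEN="No" keeps CFID and CFTOKEN out of the URL, where they
      would end up in browser history and server logs; switch it to "Yes"
      only if browsers with cookies disabled must be supported. --->
<CFIF NOT IsLoggedIn AND NOT ListFindNoCase(PublicPages, CurrentPage)>
    <CFLOCATION URL="login.cfm" ADDTOKEN="No">
</CFIF>
```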

21
Locking Shared Variables
  • Application and session (as well as server) scope
    variables are shared
  • These variables can be set and retrieved at the
    same time
  • Setting/getting values from the same place in
    memory at the same time can cause corruption, and
    can lead to system failure
  • Session variables can collide if
    • The user hits Refresh in their browser while it's
      already processing a Session variable
    • A Session variable is used within a frameset
  • Every read and write of shared memory values
    requires the use of the <CFLOCK> tag to ensure
    memory integrity

22
<CFLOCK>
  • Locks variables or code for the duration of the
    tag
  • Two types of locks
    • Exclusive lock for variable setting
    • Read-only lock for variable getting
  • <CFLOCK TIMEOUT="timeout in seconds"
    SCOPE="Application" or "Server" or "Session"
    THROWONTIMEOUT="Yes" or "No"
    TYPE="readOnly/Exclusive">
    <!--- variable set or get --->
    </CFLOCK>

23
Setting Variables
  • All sets of shared memory variables must be
    locked exclusively
  • An exclusive lock single-threads access to the
    CFML constructs in its body
  • Implies that the body of the tag can be executed
    by at most one request at a time
  • No other requests can start executing inside the
    tag while a request has an exclusive lock.
  • ColdFusion issues exclusive locks on a
    first-come, first-served basis
  • Use the <CFLOCK> tag around all writes to server,
    application and session variables.
  • <CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE"
    TIMEOUT="10">
    <CFSET Session.UserName="#FORM.UserName#">
    </CFLOCK>

24
Getting Variables
  • A read-only lock allows multiple requests to
    concurrently access the CFML constructs inside
    its body
  • Should be used only when the shared data is read
    only and not modified
  • If another request already has an exclusive lock
    on the shared data, the request waits for the
    exclusive lock to be released
  • <CFLOCK SCOPE="SESSION"
    TYPE="READONLY" TIMEOUT="10">
    <CFOUTPUT>
    Welcome #Session.UserName#!
    </CFOUTPUT>
    </CFLOCK>

25
Demonstration
  • Locking Session Variables
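
An added example (not from the original slides) that puts the two lock types side by side on one page and shows a case the slides do not spell out: a read-modify-write of a shared value needs a single exclusive lock around both the read and the write. Application.HitCount is a hypothetical counter; the page assumes an Application.cfm with <CFAPPLICATION> and a Session.UserName set earlier as on the Setting Variables slide.

```cfml
<!--- Read-modify-write of a shared counter. The read and the write sit in
      the same exclusive lock; with a read lock followed by a separate
      write lock, two requests could read the same value and one increment
      would be lost. Application.HitCount is a hypothetical name. --->
<CFLOCK SCOPE="APPLICATION" TYPE="EXCLUSIVE" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF NOT IsDefined("Application.HitCount")>
        <CFSET Application.HitCount = 0>
    </CFIF>
    <CFSET Application.HitCount = Application.HitCount + 1>
    <!--- Keep a local copy so the value can be used after the lock ends. --->
    <CFSET Hits = Application.HitCount>
</CFLOCK>

<!--- Plain read: a read-only lock whose SCOPE matches the variable being
      read. Copy the value to a local variable and release the lock, so
      other requests are not held up while the page renders. --->
<CFSET UserName = "">
<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10" THROWONTIMEOUT="Yes">
    <CFIF IsDefined("Session.UserName")>
        <CFSET UserName = Session.UserName>
    </CFIF>
</CFLOCK>

<!--- Output happens outside both locks. The user name originally came
      from form input, so HTMLEditFormat() encodes it before it is written
      into the page. --->
<CFOUTPUT>
    Welcome #HTMLEditFormat(UserName)#! You are visitor number #Hits#.
</CFOUTPUT>
```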

26
Questions
  • ?