ColdFusion Session Management

Session management is an important aspect of web application development. ColdFusion provides robust and easy-to-use tools for managing sessions. A session is a series of requests from the same user over a certain period of time. It allows you to persist data between requests and remember user-specific information.

Enabling Session Management

Session management can be enabled at the application level in the Application.cfc file:

<cfset this.sessionManagement = true>

This assignment sets a property on the component's this scope and belongs outside any function. You can also specify a timeout for sessions. The timeout is the period of inactivity after which the session is automatically ended. This can also be set in the Application.cfc file:

<cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

This sets the session timeout to 30 minutes. The createTimeSpan function takes four arguments: days, hours, minutes, and seconds.

Using Session Variables

Once session management is enabled, you can use session variables to store user-specific information. Session variables are set like this:

<cfset session.myVariable = "Some value">

Session variables can be read like this:

<cfoutput>#session.myVariable#</cfoutput>

And they can be deleted like this:

<cfset structDelete(session, "myVariable")>

Session Events

In the Application.cfc file, there are two special functions related to session management:

  • onSessionStart: This function is automatically called by ColdFusion when a new session is started. It’s a good place to initialize session variables.
  • onSessionEnd: This function is automatically called by ColdFusion when a session ends, either because of timeout or because you explicitly ended the session. It’s a good place to clean up session variables or log the end of the session.

Here’s an example of how you might use these functions:

<cfcomponent>

    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.visitCount = 0>
    </cffunction>

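    <cffunction name="onSessionEnd" returntype="void" output="false">
        <!--- ColdFusion passes the ended session's scope and the application scope as arguments --->
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="false">
        <!--- Cleanup code goes here; read the ended session through arguments.sessionScope --->
    </cffunction>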

</cfcomponent>

In this example, we initialize a visitCount session variable to 0 whenever a new session starts. You could increment this variable on each page visit to keep track of the number of pages the user has visited during their session.

Protect your Session Scopes from Bots & Web Crawlers

Bots and web crawlers can strain ColdFusion by exhausting the Java heap space. This most commonly happens when bots and web crawlers are not given a short session timeout within ColdFusion. Unlike traditional visitors, bots do not retain cookies, so a new session is created for each individual request they make. As the number of bot sessions grows, the Java heap slowly runs out of memory until a crash occurs.

Fortunately, there are methods to help prevent these incidents. A simple solution is to give bots and crawlers only very short session timeouts.

The code samples below show how you could achieve this within your ColdFusion application:

Application.cfm Example

Place the following at the top of your Application.cfm file:


<!--- Checks if the visitor is accepting cookies and assigns a low session timeout if not. --->
<cfif StructKeyExists(cookie, "cfid") or StructKeyExists(cookie, "jsessionid")>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0,0,30,0) />
<cfelse>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0,0,0,3) />
</cfif>

Then use the REQUEST.sessionTimeout variable to set the session timeout within your cfapplication tag:


<cfapplication name="xByteCloud"
    sessionmanagement="Yes"
    sessiontimeout="#REQUEST.sessionTimeout#">

Application.cfc (tag-based) Example

You can set the session timeout in the this scope of Application.cfc, outside of any functions, like this:


<!--- Checks whether a session cookie exists. For bots this returns false, so the low session timeout is used. --->
<cfif StructKeyExists(cookie, "cfid") or StructKeyExists(cookie, "jsessionid")>
    <cfset this.sessionTimeout = CreateTimeSpan(0,0,30,0) />
<cfelse>
    <cfset this.sessionTimeout = CreateTimeSpan(0,0,0,3) />
</cfif>
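
The effect of the cookie check above on the number of live sessions, as an added example that is not part of the original article: a simplified Python model of a session table (not ColdFusion internals) run over constructed traffic. The names simulate and traffic and the request rates are assumptions; the second value returned counts requests that arrived with a cookie after the 3-second first-request session had already expired.

```python
import itertools

LONG, SHORT = 30 * 60, 3  # seconds: the article's 30-minute and 3-second timeouts

def simulate(requests, cookie_check):
    """requests: time-sorted (time_s, client, keeps_cookies) tuples.
    Returns (peak live sessions, sessions restarted after early expiry)."""
    expiry = {}       # session id -> time at which it expires
    jar = {}          # client -> session id held in its cookie
    ids = itertools.count()
    peak = restarted = 0
    for now, client, keeps_cookies in requests:
        for sid in [s for s, t in expiry.items() if t <= now]:
            del expiry[sid]                      # reap timed-out sessions
        sid = jar.get(client) if keeps_cookies else None
        has_cookie = sid is not None             # mirrors StructKeyExists(cookie, "cfid")
        if sid not in expiry:                    # no cookie, or its session already expired
            restarted += has_cookie
            sid = next(ids)
            if keeps_cookies:
                jar[client] = sid
        # Same decision as the <cfif> above; cookie_check=False models a flat timeout.
        timeout = LONG if (has_cookie or not cookie_check) else SHORT
        expiry[sid] = now + timeout
        peak = max(peak, len(expiry))
    return peak, restarted

def traffic(second_hit):
    """Constructed sample: one bot at 1 request/s for an hour, plus one browser
    whose first request is at t=10 and whose second is at t=second_hit."""
    bot = [(t, "bot", False) for t in range(3600)]
    browser = [(10, "browser", True)]
    browser += [(second_hit + 60 * k, "browser", True) for k in range(50)]
    return sorted(bot + browser)

if __name__ == "__main__":
    print("flat 30 min:      ", simulate(traffic(11), cookie_check=False))
    print("cookie check:     ", simulate(traffic(11), cookie_check=True))
    print("slow second click:", simulate(traffic(20), cookie_check=True))
```

On this sample the flat 30-minute timeout peaks at 1801 live sessions and the cookie check at 4. A browser whose second request arrives more than 3 seconds after its first starts over with a new session, so anything stored on the first request is gone.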
