CF11 CFID, CFTOKEN questions

It's late and my brain went to mush.  I recently installed CF 11 company on my cell, win7 / install IIS 7.5 without problems during.  My problem is that when I tried to run one of our CF10 applications it started to puff up, and I noticed that once more CFID and CFTOKEN have been added to the URL.  In a previous post, I mentioned that adding addtoken="no" to cflocation tags cleared up the CFID issue in the 9-to-10 conversion.

So now in 11 it's back, and setting only addtoken="no" causes errors because I did not have the secure profile defined on my install, since it is a development instance.  I'm going through the administrator settings to try to turn this off, but I can't find anything.

Is setting the secure profile the only way to not get CFID and CFToken added to the URL?

CF11 also makes them the first two key/value pairs after the ? rather than adding them at the end of the URL.

I can't understand code or errors for the moment because I'm home and cannot VPN into work.

puzzled.

jbird5k wrote:

... I noticed that once more CFID and CFTOKEN have been added to the URL.  In a previous post, I mentioned that adding addtoken="no" to cflocation tags cleared up the CFID issue in the 9-to-10 conversion.

So now in 11 it's back, and setting only addtoken="no" causes errors because I did not have the secure profile defined on my install, since it is a development instance.  I'm going through the administrator settings to try to turn this off, but I can't find anything.

To keep ColdFusion from putting CFID and CFToken in the URL, turn on and maintain sessions. Perform the following 3 steps:

1. Turn on the use of application and session variables in the ColdFusion Administrator.

2. In your application, set the application name, applicationTimeout, sessionManagement, sessionTimeout and setClientCookies in Application.cfc or, equivalently, in the cfapplication tag in Application.cfm.

3. Restart ColdFusion.
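
The settings named in step 2, shown as an added example that is not code from the thread. The application name and timeout values are assumed, and the `onRequestStart` redirect goes beyond the answer: it strips session tokens that still arrive in a query string (old bookmarks, shared links) so they do not stay in the address bar, logs or referrers.

```cfml
// Application.cfc (added example; name and timeouts are assumed values)
component {

    // Step 2: application identity and session settings
    this.name               = "exampleApp";
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);   // 1 day
    this.sessionManagement  = true;
    this.sessionTimeout     = createTimeSpan(0, 0, 20, 0);  // 20 minutes
    this.setClientCookies   = true;   // CFID/CFTOKEN are delivered as cookies

    // Session cookie flags (ColdFusion 10 and later)
    this.sessioncookie.httponly = true;  // cookie is not readable from JavaScript
    this.sessioncookie.secure   = true;  // assumes the site is served over HTTPS

    public boolean function onRequestStart(required string targetPage) {
        var tokenKeys = "cfid,cftoken,jsessionid";
        var kept      = [];
        var hasToken  = false;
        var key       = "";
        var target    = "";

        // Only rewrite GET requests; redirecting a POST would drop the form body.
        if (cgi.request_method neq "GET") {
            return true;
        }

        // Rebuild the query string without the session token parameters.
        for (key in url) {
            if (listFindNoCase(tokenKeys, key)) {
                hasToken = true;
            } else {
                arrayAppend(kept, urlEncodedFormat(key) & "=" & urlEncodedFormat(url[key]));
            }
        }

        if (hasToken) {
            target = cgi.script_name & (arrayLen(kept) ? "?" & arrayToList(kept, "&") : "");
            // Second argument is addToken: false keeps CFID/CFTOKEN off the redirect URL,
            // the same effect as <cflocation addtoken="no"> in tag-based templates.
            location(target, false);
        }
        return true;
    }
}
```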


Similar Questions

  • CFID and CFTOKEN cookies are set for each path in my site

    I've turned on session management on my site, and I noticed that every time I navigate to a new directory in my site (for example, monsite.fr to mysite.com/myfolder), I get an extra pair of session cookies.

    When I look at my cookies in Chrome, I get something like:

    Name     Value    Domain         Path
    CFID     11188    mondomaine.fr  /
    CFTOKEN  3810856  mondomaine.fr  /
    CFID     11188    mondomaine.fr  /MyFolder
    CFTOKEN  3810856  mondomaine.fr  /MyFolder

    Thus, this pair of CFID/CFTOKEN cookies gets set for each different path that I click on as I'm browsing my site.

    Is this normal?

    It seems wrong to me, is it possible to fix it?

    Thank you.

    You can also try to search for , it's another way to manually adjust cookies. Or search for the string "SET_COOKIE".

  • new CFID with each update

    I've updated a ColdFusion 10 server to the ColdFusion 11 Enterprise 30-day trial edition with update 7.

    However, whenever I hit refresh in my browser, I get a new CFID. Thus, a valid session is found for the login page does not work.

    I have checked my cookie and the session in the coldfusion administration page in my browsers, they are created properly.

    That's what I have in my application.cfm

    <CFAPPLICATION NAME="TESTWEB"
        CLIENTMANAGEMENT="Yes"
        SETCLIENTCOOKIES="Yes"
        SESSIONMANAGEMENT="Yes"
        SESSIONTIMEOUT="#CreateTimeSpan(7,0,0,0)#"
        SETDOMAINCOOKIES="No">

    However, when I open the page on the host computer, then the cfid is not Exchange whenever I hit refresh, if everything works.

    When connecting, I got the code defining the CFID/cftoken cookie, but since I changed to SETCLIENTCOOKIES = "Yes", I removed the code. The only other place would be in logout.

    I do not use jsessionids, only coldFusion session IDs.

    Timeout for all session variables is 7 days.

    Any idea what can cause my problem?

    In the ColdFusion Admin page, I go to the server-> memory Variable settings and I see use J2EE clear session variables, select Variables of Application and allow the checked Session Variables. I have 7 days for the time-out period for the Application of Variables and 20 minutes of 7 days for the Sessions Variables Maximum and default timeout. In setting of Session Cookie, the cookie time-out is 15768000 minutes and HTTPOnly is checked.

    Do you think that these settings are correct? This is where JEE session is located?

  • How do I configure HTTPOnly and SECURE FLAG for session cookies

    Hi all

    To solve some problems of vulnerability (found in ethical hacking, penetration testing) I need to implement session cookies (CFID, CFTOKEN, JSESSIONID) with 'HTTPOnly' (so don't not to access any other HTTP APIs rather than Javascript). Also, I need to set up a 'secure flag' for these session cookies.

    I found the solutions below.

    To implement HTTPOnly for session cookies:

    1] In Application.cfc, we can do this using the code below. Or we can do it in the CF admin under Server Settings > Memory Variables.

    this.sessioncookie.httponly = true;

    To set the secure flag for session cookies:

    2] In Application.cfc, we can do this using the code below. Or we can do it in the CF admin under Server Settings > Memory Variables.

    this.sessioncookie.secure = "true";

    Here's my question: how can we do the same thing in Application.cfm? (I use ColdFusion version 10.) I know we can do it using the code below, in the case of HTTPOnly (for example).

    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>

    But in the code above, setclientcookies has been set to "false". In my application (it is an existing application) it has already been set to "true". If I change this to "false" as in the code above, then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser, and we need to manually code CFID and CFTOKEN on the URL for each page that uses the session. Right? And that's a headache. Right? Or is there any other way to do it?

    Your timely help is well appreciated.

    Thanks in advance.

    As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. This translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.

    Apparently, there could be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it could be that the file you have to change is \WEB-INF\web.xml in the particular instance directory. This is the servlet configuration settings which you can test safely (after backing up your files, of course).

  • Domain and subdomain cookie conflicts...

    We run a Web site on a subdomain (mysite.abc.com) while the other parties to the bosom of our company operate various other Web sites on the domain primary and other subdomains (www.abc.com, anothersite.abc.com, etc.). Our site is focused on ColdFusion, what are some (but not all) other sites of abc.com.

    We started to experience a problem in which our key users their information in our log in page, log in and click on send only for that refreshing the page recently. No newspaper has failed in the attempt, just a refresh of the page. I saw the question mainly in Firefox, but I think it's just because our users perfer this browser. I can't reproduce the problem on my end, but then again I rarely use Firefox and don't often visit abc.com outside our own sites.

    The only solution that seems to work is to delete cookies of the browser entirely, or if the user is opposed to this, simply "abc.com" cookies Doing so allows the user login in our website (again, mysite.abc.com) fine. I do not have all cookies from mysite.abc.com, so I'm lead to believe that it is a result of cookies of main domain somehow in conflict with ours.

    Any thoughts? Everyone knows this?

    EDIT: I did have the chance to test cookies from the main site which is the cause, but I guess that's the CFID/CFTOKEN. I'll know more once the user another meeting, assuming that I can spend time on their computer to do some tests and not have to rush-fix of the problem so that they can continue the work.

    The real difficulty was simple, just remove CFID and CFTOKEN cookies first-thing of the main website on my page, connect using:

  • Session ends not with StructClear function

    Normally, if you want to delete a session we do with StructClear function. But I don't see that it does not end in a user session because the same CFID and CFTOKEN values exist once we've cleared a session. This means so that it is not really ends a session. right?. But if we are expiring these cookies (CFID and CFTOKEN) values then we can see new values for these cookie variables. Here force us coldfusion to new values for these variables cookie but actaually there neither expired nor onSessionEnd() handler has been invoked.

    So my question is how effectively ends the session. But it won't work if we use StructClear function because it erases a logical business identifier as reported in your business logic.

    Anyone have any ideas on that.

    Suppose that you set your session timeout to 2 minutes.

    When you visit the page, you start a new session, CF generates a CFID/CFToken and SENDS that back to you in response to your first request.

    When you visit a page before the session times out, your browser sends the CFID/CFToken with the request, CF sees this, checks that this is a live session and does not issue you a new one.

    If you wait out the 2 minute session timeout, CF kills the session, but does NOT MESS with your cookies.  It doesn't matter, because they are invalid anyway.

    When you make a request, you send the now-old CFID/CFToken, CF sees that it does not correlate to a live session and generates a new CFID/CFToken, which it sends to you, and you update the cookies with the new values.

    A session expiring on the server does NOT mean ColdFusion deletes the cookies from the user's browser.  It only states that "for this CFID/CFToken combination, the session no longer exists, so let me generate a NEW session for you and send you its CFID/CFToken to correlate your visitor to the new SESSION scope."

    In the meantime the timeout and check your cookies should show the last cookies you had when you request.  Nothing new.

    In your onSessionEnd() method, it will BE the old values because when the session expires, this method gets a COPY of the scope SESSION and APPLICATION, (the SESSION just expired) and it's the old data CFID/CFToken.  CF performs as one might expect.  What you trying to do?  I think that the problem here is that you don't understand how work sessions.

    A SESSION in CF is when it takes the CFID/CFToken cookie provided with the user's request and checks to see if it is valid.  If so, then all the variables stored in the SESSION scope are made available for the processing of that request.  These cookies act as a means for your browser to say who it is.  By default, session values are stored in RAM.

    When you do not apply for an amount of time specified in the THIS.sessionTimeout value, CF mess with cookies on your computer.  He says simply.  "Hey, these variables that I wanted for the SESSION which was for CE CFID and CFToken THIS, well, delete them.  The session has expired.  The browser will not see anything different either until he makes another request.

    When you make a request, once again, your browser provides CF CFID and CFToken cookies, but this time CF says ' Hey, that the session has expired, so I'll make a new one for you (lights off the coast of the onSessionStart() method) and he referred to a new CFID and CFToken cookie to the user who now matches the new session.»  A session that will stay alive as long as the user makes requests in the specified time-out period.

    If you have deleted your cookies, the SESSION would still be ALIVE, but it would simply be inaccessible, and after the time-out value, SEE it would expire.  But if you have deleted your cookies, to present a request to the server, we're no. CFID/CFToken cookies sent, so CF would create a new session for you and will send you a new CFID/CFToken.
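
    One way to end a session explicitly instead of waiting for the timeout described above, as an added example that is not part of the original thread. It assumes ColdFusion 10 or later (where `sessionRotate()` and `sessionInvalidate()` exist) and ColdFusion sessions rather than J2EE sessions; the file names and the `session.isSignedIn` flag are assumptions.

    ```cfml
    <!--- login.cfm fragment (hypothetical file): run only after the credentials have been verified --->
    <!--- Issue a fresh CFID/CFTOKEN for the authenticated session so that an identifier
          that was known before login is no longer valid, while the session data is kept. --->
    <cfset sessionRotate()>
    <cfset session.isSignedIn = true>

    <!--- logout.cfm (hypothetical file) --->
    <!--- StructClear(session) only empties the scope; the same CFID/CFTOKEN stay valid.
          sessionInvalidate() discards the ColdFusion session itself
          (it does not invalidate an underlying J2EE session). --->
    <cfset sessionInvalidate()>

    <!--- Also tell the browser to drop the old identifiers. This works here because
          logout.cfm is answering a live request, unlike onSessionEnd(). --->
    <cfloop list="CFID,CFTOKEN" index="cookieName">
        <cfcookie name="#cookieName#" value="" expires="now">
    </cfloop>

    <!--- addtoken="no" keeps the identifiers out of the redirect URL --->
    <cflocation url="login.cfm" addtoken="no">
    ```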

  • Flex RemoteObject for CF8 security & channel

    I'm a newbie convert a cfm for flex site and have questions about the implications of the management of the State on the client.

    In my cfm site I put a SESSION.variable to 'isSignedIn' which CF server stores and (via CFToken cookie accompanying applications for next page) associated with say OwnerID = 17. As well as the client computer does not always receive OwnerID = 17.

    However, using <mx:RemoteObject> flex application changes status from the successful connection - but how server not CF know that subsequent data of this application requests are for OwnerID = 17 except OwnerID = 17 is stored on the client machine and accompanies each "message"?

    I have researched rather extensively and understand that (IF I'm not sure) <mx:RemoteObject> establishes a 'permanent' (until this disconnected) pipe/channel on the CF server then the "header" OwnerID = 17 is not necessary - but I don't know if this is the case, or if <mx:RemoteObject> is NOT a string of 'constant', but only once called message & return structure has the HTTP.

    And if this is a constant string, what are the performance implications on the CF of this server (seems it would be masterminds of resources). Probably so, "constant" channel could only be closed by the customer (he did not seem to be any SESSION.variable as parameters?)

    I realize there are protections of encryption available for storage on the client as and for data packets from transit but I'm I correct by saying that sending OwnerID = 17 down to the customer at any time is a security risk (ie. motivate replication of a GUID based analogy stored object - variable aka SESSION - for my app)?

    Thanks in advance for all comments and feedback.

    For others who may be reading this thread (and to express the thanks and credit if necessary, the following text was provided by the guru of ColdFusion itself):

    benforta: you can use the same thing, if you set a SESSION on the CF server and id and the token will set, as RemoteObject uses the HTTP protocol

    benforta: but, generally, most stuff session in a CF/Flex app belongs on the client, with the exception of the actual recorded in the State

    me: so if RemoteObject using HTTP is it accurate to say 1) connection is not a constant string and 2) the CFID, CFToken cookie "header" must be attached to every RemoteObject communication?

    benforta: correct

    benforta: AMF financial are customer initiated over HTTP through the browser

    me: and this CFID, CFToken "header" that accompanies each AMF message is defined by the cookie installed in the browser (for example) page index.cfm who responsible for the flex application (it is saying and NOT a second CFID, CFToken allocated to the flex app as a flex object stored by CF)?

    benforta: OK, cookies must get returned by the browser in an HTTP request, and a request of the authority of the financial markets is an HTTP request

    benforta: as long as it's the same field (and the path as appropriate), same rules that any browser content

    me: do you have an idea how this would result in an AIR application?

    benforta: quite different animal, applications are not from a browser, will be trickier

  • CF2016 - Alias/cf_scripts / scripts on the built-in Web server

    I am following the guide lockdown here:

    http://wwwimages.Adobe.com/content/dam/ACOM/en/products/ColdFusion/PDFs/ColdFusion-2016-Lockdown-guide.pdf

    The guide proposes moving the /cf_scripts/scripts directory, which I did.

    The guide also offers using only the web server integrated access to the ColdFusion administrator, this is how I put it in place.

    The guide also indicates that you need to create an alias for the directory moved to the built-in web server.  See page 58 of the PDF.

    If you plan to use the built-in web server to access the ColdFusion administrator, you may need to create an alias for/cf_scripts/scripts if you have changed the default Script Src in ColdFusion administrator.

    To create a new alias for /cf_scripts/scripts on the built-in web server

    If you plan to use the web server to access the ColdFusion administrator, then you must also add an alias by adding a Context tag inside the Host tag of the server.xml file located at: /opt/cf11/cfusion/runtime/conf/server.xml

    < context path = ' / '.

    docBase = "/ opt/cf11/cfusion/wwwroot".

    Workie = "/ opt/cf11/fusion/runtime/cone/Catalina/localhost/tamp.

    alias = "/ coscripts = / opt/cf11/fusion/wwwroot/CFIDE/scripts" / >

    Restart ColdFusion, and then test by visiting /cfscripts/cfform.js on your server of builtin.

    There are a ton of typos in the present (Workie vs WorDir, vs conf cone, Pack vs coscripts vs cfscripts, tmp, etc..

    This also seems to be referencing the paths cf11 (CFIDE/scripts vs /cfscripts/cfform.js vs cf_scripts/scripts/cfform.js and cf_scripts/scripts).

    In addition, coldfusion - error.log notes the following:

    WARNING: A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []

    WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'alias' to '/cf_scripts/scripts=/cf_scripts/test_scripts' did not find a matching property.

    The first line is not a problem, but the second line is.  alias is not a valid property of the context.

    The server.xml file is an example, and it is as follows:

    <Context path="" docBase="<cf_home>/wwwroot" WorkDir="<cf_home>/runtime/conf/Catalina/localhost/tmp">
        <Resources>
            <PreResources base="docBase1" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/aliasPath1" />
            <PreResources base="docBase2" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/aliasPath2" />
        </Resources>
    </Context>

    It aligns with the Apache docs.

    I have CF installed on Windows, to F:\CF_2016\.  That's what I did to alias the directory of scripts (renamed to test_scripts for testing) for the built-in web server:

    <Context path="/" docBase="F:/CF_2016/cfusion/wwwroot" WorkDir="F:/CF_2016/cfusion/runtime/conf/Catalina/localhost/tmp">
        <Resources>
            <PreResources base="F:/CF_2016/cfusion/wwwroot/cf_scripts/test_scripts" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/cf_scripts/scripts" />
        </Resources>
    </Context>

    It seems to work.  Is this correct? Wouldn't be an alias as \Scripts or /cfscripts instead of/cf_scripts/scripts?

    Why exactly should I alias this to the administrator?

    Thank you

    Hello

    I was in the same boat (we are defining a profile secure for testing) and I see no one answered you so I want to offer what we were doing.

    webAppMount="/{NEW_CFSCRIPTS_VIRTUAL_DIRTORYNAME}" />

    You see, I believe the problem you had previously was that the base should be the physical directory and the webAppMount should be the virtual directory.

    You were correct about the typos in the "official" document

    I don't know if it's important or not, but we have also created the directory "tmp" (quoted above) within the "{YOUR_DRIVE} :/. "{CFROOT} / cfusion/runtime/conf/Catalina/localhost / ' because it is not there by default.

    Kind regards
    David

  • Browsers vs bots

    Hello

    Do bots send CFID/CFTOKEN in the request headers? Is this a reliable way to detect if a bot has visited? Testing the user agent leads to hundreds of strings to test against, and the list is constantly growing. Is there a more reliable way to detect bots in 2014 with CF?

    Thank you

    Mark

    What operating system do you use?  The amount of traffic you get?  I recently installed a third IIS Web Application Firewall for a client called Aqtronix WebKnight. It has many rules of blocking/filters and provides protection before the request actually to the layer of ColdFusion.

    https://www.aqtronix.com/?PageID=99

    Session IDs are normally transmitted through FORM, URL or COOKIE parameters.  Many vulnerability scanning services will attempt to generate their own and alternate session variables in an attempt to cause the web application to give them an existing session or throw an error.  Some bots will retain a session that they have started in order to access several pages, but they can choose to not send tokens at any time (or send bad tokens).  If you have already placed CFTokens in the URL, Google and other search engines might inadvertently follow and index them.  (I've seen a lot of people share links on Facebook that contain their personal session URL... If you click on it pretty fast, you can usurp their session.)

    I do not provide application sessions to bots... it is a waste of resources. I block many of the default user agents used by the scripts. It is not 100% effective because they can be changed, but it retains a large number of script-kiddies.

    Here's a technique I've documented regarding the use of ColdFusion to block the fake Googlebots. This same method can be used to block the fake BingBot & YahooSlurp user agents too.
    http://gamesover2600.Tumblr.com/post/93345023759/identify-block-fake-Googlebots-using-coldfusion

  • When you use cfhttp to lose jsessionID?

    For years, I used <cfhttp url="http://myserver.com/MyFile.cfm?#session.urlToken#"> to make catches and the widespread use of session currently connected-component plug-in software of the user.  This was not a problem in a CF8/IIS6 environment.  I recently moved the application in an environment CF10/IIS7 and he dislikes this call.  The entire application is managed by cflogin, that is, it returns just my login screen.  After some research, I can say that jsessionID that contains the cfhttp response header is not the same jsessionID that I send through the url.  Of course, what causes the server think it is a new session and return to the login screen.

    I know to put it in place with SSL is a pain and I fought with him a lot in the past, but this configuration is strictly http on port 80.

    Things I've tried:

    * Uncheck the box "Use UUID for cftoken" in the CF admin

    * Uncheck the box for "Enable Global Script Protection"

    * analyze the session.urlToken variable to send each variable (CFID, CFTOKEN, JSESSIONID) as a cookie/url via cfhttpparam

    * disabled "HTTPOnly" for session cookies

    I even looked at the variable #session.urltoken # resulting and tried to hijack the session from another machine - no dice.  It always returns the login screen.  On my box CF8, I can hijack the session with this information.

    Clues as to the things to try?  My hunch is that it's a security thing and I thought for sure to uncheck "enable Global Script Protection" would fix, but it did not.  I know that the jsessionid format is a little different with CF10 (CF9?) because it is "XXXXXXXX.cfusion".  I thought that the '.cfusion' might have caused confusion somewhere in the setup - IIS, thinking it was a type of file and the denial by request filtering?  But it wasn't the case either.

    Any help is greatly appreciated.

    God you damn Adobe forums. You have just watered up to 15 minutes of typing.

    Restart:

    After 10 minutes of searching on this (so please take it with a grain of salt), I found something unique with chips CF10 and JEE and this is the point in the session token. This point is get coded when you try to convey it in a cookie.  I found that the following has allowed me to maintain the session.

    Note that I also found that Tomcat (which manages the JEE sessions) is case-sensitive as well. Thus, the JSESSIONID cookie that you pass MUST be uppercase.

    I wasn't able to get the session to persist in passing the token in the URL. Regardless of the encoding. Maybe it's a bug in CF10. If the session fixation, the cause, and then using the JVM combined with the use of upper case JSESSIONID should solve that.

    Hope this helps,

    Jason

  • Variable not defined session immediately after CFSET session.var = "data".

    Hello, everyone.

    Got a real head scratcher (of least for me that is.)

    Just to experiment a little, it is not (yet) project, but something I would like to as reusable code for future projects.

    I try to write code that will clear session variables when the browser is closed, - THEN - separate session variables to the client by changing and expiring cookies cfid and cftoken.

    In my Application.cfc, I have the following:

    onSessionStart:
     <cfif NOT StructKeyExists(session,"app")><cfinvoke component="components" method="setDirs" returnvariable="session.app"></cfif>
     <cfset oRequest = getPageContext().getRequest()>
     <cfset session.cookies = oRequest.getHTTPRequest().getCookies()>
     <cfcookie name="cfid" value="#session.cfid#">
     <cfcookie name="cftoken" value="#session.cftoken#">
     
     onSessionEnd:
     <cfloop index="local.cookiename" list="cfid,cftoken,cfmagic"><cfcookie name="#local.cookiename#" value="" expires="now"></cfloop>
    

    On the page that appears, I have:

    <cfset session.cookies = getPageContext().getRequest().getHTTPRequest().getCookies()>
     <cfoutput>
     <cfloop index="idx" array="#session.cookies#">#idx.getName()# = #idx.getValue()# - Expires: #idx.getMaxAge()#</cfloop>
     </cfoutput>
    

    The above is where appears the error message "Cookies" not defined in the Session  Didn't I just put session.cookies, twice?

    Thank you

    ^_^

    You can't.

    To change a browser cookies, you must communicate with the browser.  This is done when the CF server sends the HTTP response for a request for this browser.

    onSessionEnd() - by its nature - only works when it is not communicating with the browser, and has not been any communication from the browser at least the period [session timeout].  So you can monkey with the scope of the cookie all you like in there, but the changes are never sent to the browser, because the browser has long since "left the building" as it was.

    HTTP is connectionless, and the browser is not communicating with the CF Server in any case (him speak only of browser on the web server), there is no way for the CF server know that the client has closed his browser.  Everything that takes place on the client machine, and CF is sitting on the server see  Even the web server does not know what is happening on the client user interface.

    What you can do is to put the cookies and session to have a very short time, so that expire them quickly once there is no activity to refresh.

    --

    Adam

  • Major bug with storage Var MX 7.0.2 Client?

    I think I found what looks to be a pretty big bug for client variable storage in CFMX. Strangely, the bug actually exists in CFMX 6.1 and CFMX 7.0.2 (the two versions, I test against), but only cultures upward in 7.0.2. In addition, you will notice that I say it's a matter of client variable (it is), but the bug seems to be with JSESSIONID, I thought only relate to session variables. My statement of the problem is that the variable customer 'disappear' after having been defined. In a Word, I log onto my site, which fixed a couple of variables customer, and then when I browse another page on the site, client variables are no longer in existence (it seems as if I've never connected before). I'm running CFMX 7.0.2 Enterpise (deployment of WAR) on Red Hat Enterprise Linux 4.0 (update 3) using the internal JRun web server and using J2EE session variables.

    After a bit of detective work, I noticed by looking at the HTTP headers on my first visit to the site (with no existing cookie set) which JSESSIONID is defined * double * when I first hit my site. However, a JSESSIONID is being stored in cglobal table while the other JSESSIONID is stored in the actual cookie, which causes subsequent research of incompatibility. Therefore, it seems that if I have never connected before.

    Here are the relevant header information when you first visit the site:

    HTTP/1.x 200 OK
    Set-Cookie: CFID=102;expires=Thu, 14-Aug-2036 13:20:27 GMT;path=/
    Set-Cookie: CFTOKEN=66021081eab5f673-3609FCE3-CF52-FC2B-25E974A728406FC5;expires=Thu, 14-Aug-2036 13:20:27 GMT;path=/
    Set-Cookie: JSESSIONID=583033e973025152237c;path=/
    Set-Cookie: JSESSIONID=58306b4060d425456d5c;path=/
    Date: Tue, 22 Aug 2006 13:20:27 GMT
    Content-Language: en-US
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Server: JRun Web Server

    See how there are two directives Set-Cookie JSESSIONID? The interesting part is that CFMX 6.1 (on Solaris, at least) is exactly the same, as long as the Set-Cookie guidelines double go. However, here's where 6.1 MX and MX 7.0.2 differ...

    If you look at what's coming in the real cookie compared to what is stored in the column 'data' in the table cglobal MX 7.0.2 you will see (based on the header above information):

    urltoken = CFID #= 102 & CFTOKEN #= d 66021081eab5f673-3609FCE3-CF52-FC2B-25E974A728406FC5 & jsessioni #= 583033e973025152237c #lastvisit = {ts' 2006-08-22 09:20:27 ""} #timecreated = {ts ' 2006-08-2209:20:26'}#hitcount=2#cftoken=66021081eab5f673-3609FCE3-CF52-FC2B-25E974A72840 6 FC 5 #cfid = # 102}

    The key bit is the JSESSIONID value, that has the value 583033e973025152237c. However, the cookie JSESSIONID value is 58306b4060d425456d5c.

    The same comparison with CMFX 6.1, the HTTP header info:

    HTTP/1.x 200 OK
    Set-Cookie: CFID=3499;expires=Thu, 14-Aug-2036 13:31:50 GMT;path=/
    Set-Cookie: CFTOKEN=525ea9a5badb14f2-36146ADA-DCAC-CE63-1706ADD070C8F8E1;expires=Thu, 14-Aug-2036 13:31:50 GMT;path=/
    Set-Cookie: JSESSIONID=86308f1257484a747d6c;path=/
    Set-Cookie: JSESSIONID=8630627b049162583e68;path=/
    Date: Tue, 22 Aug 2006 13:31:50 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Server: JRun Web Server

    And this is the value of cglobal.data column:

    urltoken = CFID # 3499 = & CFTOKEN #= 525ea9a5badb14f2-36146ADA-DCAC-CE63-1706ADD070C8F8E1 & jsession id #= 8630627b049162583e68 #lastvisit = {ts' 2006-08-22 09:32:03 '} #timecreated = {ts ' F8E1 2006-08-2209:31:50'}#hitcount=9#cftoken=525ea9a5badb14f2-36146ADA-DCAC-CE63-1706ADD070C8 #cfid = # 3499}

    And the cookie JSESSIONID value is 8630627b049162583e68.

    Note the key change in behavior between 6.1 MX and MX 7.0.2? 6.1, even if the two Set-Cookie instructions were updated, the logic of client variable storage at least systematically used second JSESSIONID value. In 7.0.2 it appears that the first JSESSIONID value is stored in the table cglobal while the second JSESSIONID value is stored in the table cglobal.

    This is where the plot gets complicated still further... Even if my client variables are not returned on the following clicks through my site (he tells me I'm not connected), values for CFID/CFTOKEN/JSESSIONID are * not * re - put on each page. In fact, if I query the cglobal table directly out of my CFID/CFTOKEN, hitcount and lvisit values are actually updated!

    It is a major obstacle in our migration process. Can someone dig a hole into my configuration/logic and point out something I am doing wrong? The craziest part about this, for me, is the client variables which disappear even if it looks like the culprit is the JSESSIONID value. I even tried to extinguish the J2EE session variables and exactly the same problem occurs.

    Kind regards
    Dave.

    AAAAAAAARRRRRRRGGGGGGGHHHHHHHH! I got it!!!

    I am frustrated with Adobe right now, but I finally got to the bottom of the client variable issue. You know how the ColdFusion updates are supposed to be cumulative? Yes, well, not so much. It turns out that the CFMX 7.0.2 release ships with the 3.3 DataDirect JDBC drivers. In addition, it seems that something in the client variable code regressed between MX 6.1 and 7.0.2, so that under-the-hood updates of client variables are broken with all pre-3.5 drivers. Once I updated to the 3.5 drivers, everything worked, including the spy feature and the client variable updates.

    Adobe, this must be resolved as soon as POSSIBLE. It's a huge show-stopper for sites using client variables. I don't know if it is limited to Oracle because I have other RDBMS platforms to test against, but it is a big problem. The difficulty here is to update the installation programs that are downloadable from your site with the 3.5 drivers *and* to update the 7.0.2 release notes to note that the 3.5 driver set isn't in any bits downloaded before the time that you update the installation programs.

    Jochem, thank you very much for your persistence in helping me through this issue.

    Kind regards
    Dave.

  • Arrayset CF9 CF11 questions

    Hello

    On CF9, I'm having no problem. Currently, I'm testing on a new webserver with CF11 update 10. The error I get is:

    0 is not greater than zero or less than or equal to 0. The range passed to ArraySet must start with a number greater than zero and less than or equal to the second number.

    Here is a snippet of my code (I do not know if you will need more than that). The code in bold is where it says the error is, and I think that's where I need to make a change. I'm more or less looking for other ideas on what to check, or whether something has changed since CF9 that I have not read about. I tried referencing Re: crosstab - error table for my question but still can't find a good solution. I was told to create a new thread.

    ---

    <!--- Build the column headers from the crosstab column query --->
    <cfset Battambang = ValueList(crosstabcolumns2.ts_desc)>
    <cfset bucketheaders = ListToArray(Battambang)>
    <cfset b = ArrayLen(bucketheaders)>
    <cfset bucketarray = ArrayNew(1)>
    <cfset bucketTotal = ArrayNew(1)>
    <cfset temp = ArraySet(bucketTotal, 1, b, "0")>
    <cfoutput query="summedresultsNewOld" group="classcode">
    <table border="1" cellpadding="5">
    <tr><th width="225">CAMPUS MAIN</th>
    <cfloop index="i" from="1" to="#b#">
    <th>#bucketheaders[i]#</th>
    </cfloop>
    <th width="125">TOTALS</th>
    </tr>
    <cfoutput group="ts_type">
    <tr><th>#ts_type#</th>
    <cfset temp = ArraySet(bucketarray, 1, b, "0")>
    <cfoutput>
    <!--- ListFind returns 0 when ts_desc is not in the list; ArraySet then gets a 0 index --->
    <cfset i = ListFind(Battambang, Trim(summedresultsNewOld.ts_desc))>
    <cfset temp = ArraySet(bucketarray, i, i, summedresultsNewOld.headcount)>
    <cfset temp = ArraySet(bucketTotal, i, i, (bucketTotal[i] + summedresultsNewOld.headcount))>
    </cfoutput>
    <cfset rowtotal = 0>
    <cfloop index="j" from="1" to="#b#">
    <cfset rowtotal = #rowtotal# + #bucketarray[j]#>
    <td width="125">#bucketarray[j]#</td>
    </cfloop>
    <td>#rowtotal#</td>
    </tr>
    </cfoutput>
    <!--- Totals row; the doubled ## is a literal # inside cfoutput --->
    <tr>
    <th bgcolor="##999999">TOTALS</th>
    <cfloop index="j" from="1" to="#b#">
    <td bgcolor="##999999">#bucketTotal[j]#</td>
    </cfloop>
    <td bgcolor="##999999">#ArraySum(bucketTotal)#</td>
    </tr>
    </table>
    </cfoutput>

    ---

    This is the result of what it should look like (currently in CF9). Any help is appreciated!

    arrayset.png

    Off the top of my head, you set i from ListFind(), which returns 0 when the element is not found in the list.

    If you are SURE that the element is in the list, try using ListFindNoCase() - it could be a case-sensitivity issue.

    HTH,

    ^_^

    PS: Check to make sure all the () are balanced, and that list items do not have white spaces, which can also cause an element not to be found.

  • CFID and CFTOKEN still set when using J2EE sessions

    I use CF10 and "Use J2EE session variables" is selected in the CF admin.

    When I visit an application, I get the JSESSIONID cookie, but I also get persistent CFID and CFTOKEN cookies. The app that I work with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.

    I don't know why CFID and CFTOKEN are still set. Are the client management and session settings defined independently?

    When I followed Nadel's post on forcing CFID and CFTOKEN to be session cookies, I found that these cookies are not set at all if the SetClientCookies application property is set to false:

    
    

    As the docs (well, the CF8 docs that Google turns up) point out, the default value for SetClientCookies is true, so that's why I was getting CFID and CFTOKEN.

    Thank you for pointing me in the right direction!

  • J2EE checked - but still have CFID and CFTOKEN Cookies?

    Hello everyone, I am working through that PCI thing and I have everything correctly defined per Adobe - but I still get a failure due to predictable cookies. Here's what puzzles me: this article (http://kb2.adobe.com/cps/404/kb404762.html) says that J2EE replaces CF_ID and CF_TOKEN - but my server generates a CFID and CFTOKEN (no emphasis added) anyway? With J2EE checked, why are these same cookies set? How can I get rid of them - they are why I am failing PCI?

    Add this.setClientCookies = "false" to your Application.cfc, or setClientCookies = 'false', to tell ColdFusion not to set cookies.

    NOTE: I hope you are not using client variables.
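
An added example, not part of the original threads: a small Python check that audits a response's Set-Cookie headers for the conditions discussed above (CFID/CFTOKEN still being set, persistent expiry, duplicate JSESSIONID values, missing HttpOnly/Secure). The sample headers are constructed from the response quoted earlier on this page; the function names are hypothetical.

```python
# Constructed sample, modelled on the response headers quoted in the thread.
SAMPLE = """\
Set-Cookie: CFID=3499;expires=Thu, 14-Aug-2036 13:31:50 GMT;path=/
Set-Cookie: CFTOKEN=525ea9a5badb14f2-36146ADA-DCAC-CE63-1706ADD070C8F8E1;expires=Thu, 14-Aug-2036 13:31:50 GMT;path=/
Set-Cookie: JSESSIONID=86308f1257484a747d6c;path=/
Set-Cookie: JSESSIONID=8630627b049162583e68;path=/
Content-Type: text/html; charset=UTF-8
"""

def parse_set_cookies(raw):
    """Return [(name, value, attrs)] for every Set-Cookie header line."""
    cookies = []
    for line in raw.splitlines():
        field, _, rest = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies

def audit(raw):
    """Return sorted findings about ColdFusion session-cookie handling."""
    findings, seen = set(), {}
    for name, value, attrs in parse_set_cookies(raw):
        key = name.upper()
        seen.setdefault(key, set()).add(value)
        if key in ("CFID", "CFTOKEN"):
            findings.add(f"{key}: legacy ColdFusion identifier cookie is being set")
            if "expires" in attrs or "max-age" in attrs:
                findings.add(f"{key}: persistent (survives browser close)")
        if key == "CFID" and value.isdigit():
            findings.add("CFID: numeric value (incrementing counter, predictable)")
        if key in ("CFID", "CFTOKEN", "JSESSIONID"):
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.add(f"{key}: missing {flag} attribute")
    for key, values in seen.items():
        if len(values) > 1:
            findings.add(f"{key}: set {len(values)} times with different values")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

After setting setClientCookies to false and restarting, re-run the check against a fresh response; only the JSESSIONID lines should remain to review.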
