> So, you're saying that the only time I would have to append > the CFID/CFTOKEN variables to URL's, etc., would be when > I have SETCLIENTCOOKIES to "No"? Otherwise, CF will > set client cookies even without ClientManagement = "Yes"?
That is correct. If you think about it, that makes sense. CF needs to be able to set some sort of cookie, even for session variables. Otherwise, how would it know who's who? Setting ClientManagement="Yes" simply allows you to use client variables -- literally the ability to type <cfset client.myVariable = "value">. If that attribute is missing or is set to "no" in your <cfapplication> tag, CF will throw an error saying you can't use client variables. The SetClientCookies attribute, on the other hand, is the determinant as to whether or not CF will attempt to set a cookie or not when attempting to use a client or session variable. Since the default value of this attribute is "yes", most developers skip this tag and just make the (correct) assumption that CF will take care of the cookie. > Seems like I may be confusing the term "ClientManagement" > as it applies to cookies, thinking that it only, and not > "SessionManagement", > applies to cookies, when actually those terms refer to types of variables, > but also both involve cookies...would that be correct? Both ClientManagement *and* SessionManagement will attempt to set a cookie on the user's browser. Summary: Cookies are used in both instances. The only difference between the two forms of state management is that session variables are stored in server memory, while client variables are stored in the registry, cookies, or a database. > PS - I think the issue of why my some of my clients have had problems > accessing site management areas that involve cookies and session variables, > has to do with browser security settings, mostly. And the browser > version... > *AND* the use of AOL's software when trying to perform management functions > on their site. I had one user tonight trying to work throught the AOL > interface, > which was using IE 5.5, but was unable to maintain session state. I would agree with your assessment on browser settings being a partial, if not total, culprit. Since the media has put the fear of God in consumers concerning the supposed security risks of using cookies, the browser vendors raised the default security level in their respective browser products to counter the publicity. What you might want to look into are the obvious things you can do to help alleviate these problems. The one thing that comes to mind is the compact policy I mentioned earlier. It's easy to generate, and might help out on some of your issues. I found the link from IBM's site for more info: http://www.alphaworks.ibm.com/tech/p3peditor/ Also, if this becomes a persistent headache for you, you may want to explore the possiblity of setting SetClientCookies to "no" and then manually appending the CFID/CFTOKEN to each link on your site. I know that sites like Verisign do this. Regards, Dave. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
