Hi,
We're just trying to migrate to MX from 5. We're having some problems
with session management.
Our site does not use cookies for session management - rather a unique
identifier (not the CFID/CFTOKEN pair) is sent through the URL.
Now, in 5, Coldfusion would still set (probably our own fault here, but
this is beside the point :)), a cookie with the CFID/CFTOKEN.
What we would do is say:
Is there a URL identifier?
yes:
Do some work here to make sure CfApplication will know it's an existing
session
no:
Set the cookies to blank
Call cfapplication - which will create a new CFID/CFTOKEN and session
This still works to an extent. We no longer generate cookies, and
therefore for new users with a fresh browser, this still works.
However, if you already have a CFID/CFTOKEN set in your browser from
our site, MX creates a session in the "no" case above, to the values in
your cookie. What's worse is that if the cookie is blank, it creatse a
session with a blank CFID/CFTOKEN pair. What this means is that in
testing, we had the entire company using one session (as we all had
CFID/CFTOKEN cookies that were blank). This seems like a pretty
serious bug at least.
Obviously as some sort of "release task", we need to delete these
cookies from peoples' browsers. Or better yet, have ColdFusion ignore
blank cookie values - or preferably cookies totally in the call to
cfapplication. I am unable to find any documentation that suggests
anything like this is possible.
Whilst I can test for the cookie key existence, then redirect to a page
that deletes the cookies and meta refreshes back to the index.cfm, we
have non-browser http clients that access our site via form submission,
so this isn't necessarily an option.
Anyone have an ideas?
Thanks
---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia
http://www.mxdu.com/ + 24-25 February, 2004
