ColdFusion 4.5.1 SP2 and Up: Recommended settings for client variable storage
Issue
ColdFusion Server stores client variables either in the system Registry (the default), a data source, or as persistent cookies in a client's browser. Some websites, however, do not wish to write client variables as persistent cookies. This article explains best practices for client variable storage.
Background information:
What are persistent cookies?
Persistent cookies are cookies that exist even after a client browser is closed. For instance, if a customer visits a website and checks "Remember My Login" next to his username and password, the website is likely writing a persistent cookie to his browser. When the customer returns, the website looks for the cookies associated with the site and returns information based on the cookie values. Per-session cookies, however, are non-persistent: they are written to the client's browser memory and not to the client's hard drive. In short, per-session cookies no longer exist when the browser is closed, while persistent cookies remain available for future browser sessions.
Choosing client variable storage in ColdFusion Administrator:
To view or choose the client variable storage method, follow these steps:
- Open ColdFusion Administrator: http://[yourserver]/cfide/administrator/index.cfm.
- Click on "Variables."
- Choose Registry (default), Cookie, or specify a data source to store your client variables.
What are CFID, CFTOKEN, and CFGLOBALS?
When using client management, ColdFusion uses the CFID, CFTOKEN, and CFGLOBALS variables to track information about a user's browser session. CFID and CFTOKEN identify a client's browser. CFGLOBALS holds global data about the client, such as HitCount, TimeCreated, and LastVisit. Developers may create and maintain other client-specific information through client-scoped variables. The values for these variables are stored according to the client variable storage method specified in ColdFusion Administrator and in the cfapplication tag.
How are CFID, CFTOKEN, and CFGLOBALS stored?
By default, CFID and CFTOKEN are stored as persistent cookies through the cfapplication tag attribute "SetClientCookies." "SetClientCookies" is set to "yes" by default, causing ColdFusion to write CFID and CFTOKEN as persistent cookie values in the client browser. For details on writing CFID and CFTOKEN as per-session cookies instead, please read ColdFusion 4.5 SP2 and Up: How to write CFID and CFTOKEN as per-session cookies (Article 17915).
By default, CFGLOBALS is stored in the server's system registry. If client variable storage is "Cookie" in the ColdFusion Administrator, however, ColdFusion writes CFGLOBALS and all client-scoped variables as persistent cookies on the client browser.
Important note: The "ClientStorage" attribute of the cfapplication tag overrides the client variable storage setting in the ColdFusion Administrator. Therefore, if client storage is "Registry" in ColdFusion Administrator but the "ClientStorage" attribute of cfapplication is "Cookie," ColdFusion Server writes a persistent cookie instead of storing the client data in the registry.
Preventing Errors with Client Variables
ColdFusion throws an error if "SetClientCookies" is set to "no" and "ClientStorage" is set to "cookie." In this case the error occurs because ColdFusion cannot use the specified client store:
Error Occurred While Processing Request
Error Diagnostic Information
SETCLIENTCOOKIES
You have set SETCLIENTCOOKIES to NO and the CLIENTSTORAGE attribute was set to COOKIE.
Preventing Security Risks with Client Variables
If the cflocation tag redirects to a URL ending in ".cfm", ColdFusion by default appends the Client.URLTOKEN value to the URL. Client.URLTOKEN is one of six built-in, read-only client-scope variables; it is made up of the combined values of CFID and CFTOKEN, in the form CFID=IDNum&CFTOKEN=TokenNum. Appending sensitive data such as CFID and CFTOKEN to the URL is a security risk. Please read Security Best Practice: URL session variables and HTTP_REFERER (Article 17255) for more details. To prevent this, set the addtoken attribute of cflocation to "no."
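The following template is an added example, not code from the original TechNote. It assumes a hypothetical page "account.cfm" as the redirect target and contrasts the default cflocation behaviour with the addtoken="no" setting recommended above.

```cfml
<!--- Added example (not from the TechNote). Assumes a hypothetical
      "account.cfm" page that the user is redirected to after login. --->

<!--- With the default addtoken="yes", ColdFusion rewrites the target as
      account.cfm?CFID=...&CFTOKEN=... because the URL ends in ".cfm".
      Those identifiers then travel in the HTTP_REFERER header of whatever
      the browser requests next, which is the exposure Article 17255 covers.
      Kept only as a commented-out illustration so it never executes: --->
<!--- <cflocation url="account.cfm"> --->

<!--- Recommended form: no token in the URL. Because SetClientCookies is
      "yes" by default, the browser already presents CFID and CFTOKEN as
      cookies, so account.cfm still resolves the same client record. --->
<cflocation url="account.cfm" addtoken="no">
```

Client.URLTOKEN itself remains available for the rare case where a redirect must cross to a host that cannot receive the cookies, but that is exactly the case in which the token leaks, so the default for every in-site redirect should be addtoken="no".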
Recommended Client Variable Storage Method
Client variables can be stored in the Registry, in cookies, or in a database (CF 4.x and 5 - ODBC, OLEDB, or Native; CFMX - ODBC or JDBC).
- Client variables in the registry: By default, ColdFusion installs with the registry as the client variable storage method. Storing client values in the registry can degrade performance, however, as the size of the registry increases, and this can lead to server instability. See Deleting client variables stored in the registry (Article 17881) for details on how to clean client variables out of the registry.
Summary: We do not recommend storing client variables in the registry for large, scalable applications.
- Client variables stored in persistent cookies: Although storing client variables in cookies scales to a large number of clients, it has limitations:
  - Client browsers must have cookies enabled.
  - Most browsers impose a 4KB size limit on cookies.
  - Most browsers limit the number of cookies per site to 20.
  - For security reasons, websites may not wish to write persistent cookies.
Summary: We do not recommend storing client variables as cookies on websites where users may disable cookies, where the user's company may prohibit persistent cookies, or where large amounts of client variable data must be stored.
- Client variables stored in a database: Macromedia recommends a dedicated RDBMS database as the most efficient and secure mechanism for storing client variables. This option also works across server clusters and suits websites that wish to protect client information by not storing the data on the client machine. Please follow the instructions below to store client variables in a database.
Summary: We strongly recommend storing client variables in a database for scalable applications with many clients.
Solution
- Create a data source (CF 4.x or 5 - ODBC, OLE DB, or a native data source; CFMX - ODBC or JDBC) for the client variable storage mechanism.
- Use the ColdFusion Administrator to configure this data source for client variable storage. Detailed instructions can be found by searching for "External Client State Management" in the ColdFusion documentation or follow the instructions in the next step.
- Choose "Variables" from the menu in the ColdFusion Administrator. Select the new data source as the client variable store and click "Add." Make sure that "Create client variable data source tables" is checked; this creates the tables and fields in your newly created data source.
- In Application.cfm templates, do not specify the "ClientStorage" attribute within the cfapplication tag.
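An Application.cfm that follows the procedure above, added here as an example and not taken from the TechNote or from Macromedia's documentation. It assumes a data source named "ClientStore" (a hypothetical name) has already been created and selected as the client variable store in ColdFusion Administrator with "Create client variable data source tables" checked, and it also shows, commented out, the attribute combination from the "Preventing Errors" section so the two cases can be compared side by side.

```cfml
<!--- Application.cfm: added example, not the TechNote's own code.
      Assumes a data source "ClientStore" (hypothetical name) is configured
      as the client variable store in ColdFusion Administrator. --->

<cfapplication name="OrdersApp"
               clientmanagement="yes"
               setclientcookies="yes"
               sessionmanagement="yes">
<!--- No clientstorage attribute here. The Administrator setting therefore
      applies, so CFGLOBALS and every Client.* variable are written to the
      ClientStore tables rather than to the registry or to persistent cookies.
      Only the identifying CFID/CFTOKEN pair is sent to the browser. --->

<!--- The combination the article warns against, kept commented out so it
      never runs: setclientcookies="no" together with clientstorage="cookie"
      makes ColdFusion report "You have set SETCLIENTCOOKIES to NO and the
      CLIENTSTORAGE attribute was set to COOKIE", because a cookie-based
      store cannot work when no client cookies may be written. --->
<!--- <cfapplication name="OrdersApp" clientmanagement="yes"
                     setclientcookies="no" clientstorage="cookie"> --->

<!--- Client-scoped data now lives server-side in the database. A value
      that has not been set for this client is initialised once; on later
      requests it is read back from the ClientStore tables. --->
<cfif not IsDefined("Client.PreferredCurrency")>
    <cfset Client.PreferredCurrency = "USD">
</cfif>
```

If a per-application override is ever needed, clientstorage="ClientStore" (the data source name) keeps the same server-side behaviour; the attribute to avoid is clientstorage="cookie", which silently moves all client-scoped data back onto the client machine regardless of the Administrator setting.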
Additional Information
Related TechNotes:
- ColdFusion 4.5 SP2 and Up: How to write CFID and CFTOKEN as per-session cookies (Article 17915)
- Macromedia Security Zone
- Security Best Practice: URL session variables and HTTP_REFERER (Article 17255)
- How to set a 'domain cookie' with ColdFusion 4.0.x (Article 17432)
- Cookies and cflocation (Article 17023)
- Do not set blank cookies with cfcookie (Article 17009)
- Deleting client variables stored in the registry (Article 17881)