My Secret Life as a Spaghetti Coder
home | about | contact | privacy statement
Two or three weeks ago, I posted a call for help on the CFCDev mailing list regarding this strange problem I was having regarding sessions. I forget exactly how I described the issue, and I'm too lazy to look it up, so I'll just describe it again (and I'm sure now that I've solved it, this description will be much better than the first one):

Basically, when I posted a form in Adobe ColdFusion 6.1 whose action performed a cflocation with the cgi.query_string appended to the URL, and when links also appended that variable, all the sudden my session would become invalidated. I checked every reference to session. and couldn't find anywhere it would be happening in my code. I couldn't even tell exactly when it was happening even though I put markers in every place I could think of. But finally today I happened to look up at the URL and notice that CFID and CFTOKEN were there multiple times. Clearly that was the problem. After that, I was pretty sure the where the problem lied, so I went straight to it and fixed it. This was never a problem in CF7, that I have been able to reproduce.

If you'd like to reproduce it in CF6.1, here is some simple code to do so:

<cfapplication name="test_session_funkiness" sessionmanagement="true">
<cfparam name="" default="0">
<cfif is 0>
  The was 0.

<cfoutput><a href="middle.cfm?#cgi.query_string#">go to the middle</a></cfoutput>

<cflocation url="end.cfm?#cgi.query_string#">

we are at the end.
<cfoutput><a href="start.cfm?#cgi.query_string#">do it one more time</a></cfoutput>

If you set those files up and navigate to start.cfm, you'll see that "the was 0." is output in places you wouldn't expect.

I understand the cause, but I would have expected CF to behave as it does in 7, since (I'm guessing that) appending cgi.query_string to your URL would be fairly common practice. And, as a side note, I'm fairly sure I've run into this before - only I had just forgotten (it seeeeemed familiar). That's why I wrote it down this time (and to help anyone who may also have had the problem).

Hey! Why don't you make your life easier and subscribe to the full post or short blurb RSS feed? I'm so confident you'll love my smelly pasta plate wisdom that I'm offering a no-strings-attached, lifetime money back guarantee!

Leave a comment

Hi Sam,

the problem is that with <cflocation> the addtoken attribute HAD the default value of "yes". So unless you specified addtoken="no", CF would always append the session identifier to the URL.

I guess that was changed with CF MX 7, although it is not listed as changed in the CF Livedocs. Apparently MM changed quite a bit about this tag without telling anybody. ;-)


Posted by Christoph Schmitz on Mar 14, 2007 at 02:55 AM UTC - 6 hrs

Haha thanks for pointing that out Chris! I had completely forgot about the addtoken attribute.

/me slaps his forehead

Posted by Sam on Mar 14, 2007 at 07:39 AM UTC - 6 hrs

Leave a comment

Leave this field empty
Your Name
Email (not displayed, more info?)


Subcribe to this comment thread
Remember my details

Picture of me

.NET (19)
AI/Machine Learning (14)
Answers To 100 Interview Questions (10)
Bioinformatics (2)
Business (1)
C and Cplusplus (6)
cfrails (22)
ColdFusion (78)
Customer Relations (15)
Databases (3)
DRY (18)
DSLs (11)
Future Tech (5)
Games (5)
Groovy/Grails (8)
Hardware (1)
IDEs (9)
Java (38)
JavaScript (4)
Linux (2)
Lisp (1)
Mac OS (4)
Management (15)
MediaServerX (1)
Miscellany (76)
OOAD (37)
Productivity (11)
Programming (168)
Programming Quotables (9)
Rails (31)
Ruby (67)
Save Your Job (58)
scriptaGulous (4)
Software Development Process (23)
TDD (41)
TDDing xorblog (6)
Tools (5)
Web Development (8)
Windows (1)
With (1)
YAGNI (10)

Agile Manifesto & Principles
Principles Of OOD
Ruby on Rails

RSS 2.0: Full Post | Short Blurb
Subscribe by email:

Delivered by FeedBurner