Coldfusion cfcache clientcache flush - coldfusion

I've created a web application with this script surrounding common cfqueries and my navbar code.
<cfcache action="clientcache" timespan="#createtimespan(0,1,0,0)#">
On the signout page, I was using <cfset StructClear(Session)> to clear session data. I want to also clear the cache and was using <cfcache action="flush">.
However, something is off and the session isn't clearing and clients aren't able to sign out of the application. When I remove the cfcache tag, clients are able to log out but the system moves incredibly slow.
How do I get this working correctly with the cfcache tag? Thanks in advance.

Clearing the session scope does not end the session, it just clears variables in the session scope. The session scope is something that's availed to a session, but it doesn't actually represent the session itself.
You probably want to use sessionInvalidate() to invalidate the session. I have not tested this in conjunction with session-based caching, but presume it rotates the CFID and CFTOKEN cookies, so that should do the trick with any client stuff. Pay attention to the docs saying it only works with CF sessions, not J2EE ones. This might or might not be a consideration for you.

Related

How do I disable automatic creation of ".AspNet.Consent" cookie?

ASP.NET Core 2.1
I think this gets set automatically. How do I prevent that?
Just came across the same issue. My 100% cookie-free website had a cookie, created by ASP.NET Core.
As @mark-g pointed out in his comment, it is mainly added to support GDPR: Let users of your web page opt-in/out for the allowance to collect and keep data about them.
In all usual cases I'd recommend to go this route as designed by Microsoft. Keep the ASP.NET cookie and make use of the _CookieConsentPartial.cshtml for all personal data you might want to keep about the users.
In my special case, I have a very simple web page. No data is collected, also not from any third parties. I don't need the cookie consent and the ASP.NET cookie. In this case, you can remove this cookie just by commenting out one line:
In Startup.cs comment out the line:
// app.UseCookiePolicy(); No cookies used at all!
Then clear all caches and remove the cookie, reload the page and it is gone.

Tracking unauthenticated users in Django

I need to track unregistered users in my Django website. This is for conversion optimization purposes (e.g. registration funnel, etc).
A method I've used so far is using IP address as a proxy for user_id. For various well-known reasons, this has led to fudged/unreliable results.
Can I sufficiently solve my problem via setting a session variable at server-side? An illustrative example would be great.
For example, currently I have a couple of ways in my head. One is doing request.session["temp_id"] = random.randint(1,1000000), and then tracking based on temp_id.
Another is setting a session variable every time an unauthorized user hits my web app's landing page, like so:
if not request.session.exists(request.session.session_key):
    request.session.create()
From here on, I'll simply track them via request.session.session_key. Would this be a sound strategy? What major edge-cases (if any) do I need to be aware of?
Cookies are the simplest approach, but take into consideration that some users can have cookies turned off in their browsers.
So for those users you can use javascript local storage to set some data. This information will get deleted once you close the browser, but it's ok for funneling purposes. Still others can have javascript turned off.
Another approach would be to put custom data (key) in every link of the page when generating the template. In other words, you would have the session_id stored in the HTML page and sent through URL parameters on click. Something similar happens with the CSRF token. Look into that.
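An added example (not from the original posts) of the session-variable approach the question asks about: a random visitor ID kept in the session data instead of random.randint or session_key. The names VisitorIdMiddleware, VISITOR_KEY, get_or_create_visitor_id and collision_probability are hypothetical, and the code assumes Django's SessionMiddleware has already attached request.session.

```python
import math
import uuid

VISITOR_KEY = "visitor_id"  # hypothetical name for the session entry
_HEX = set("0123456789abcdef")


def get_or_create_visitor_id(session):
    """Return the visitor ID held in the session data, creating it if needed.

    The ID lives in the session *data*, not in session_key: Django's login()
    cycles the key for an anonymous visitor but keeps the data, so the same
    ID is still there after the visitor registers and signs in.
    """
    vid = session.get(VISITOR_KEY)
    if not (isinstance(vid, str) and len(vid) == 32 and set(vid) <= _HEX):
        vid = uuid.uuid4().hex  # 122 random bits, collisions are negligible
        session[VISITOR_KEY] = vid  # writing also makes Django save the session
    return vid


class VisitorIdMiddleware:
    """List after django.contrib.sessions.middleware.SessionMiddleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.visitor_id = get_or_create_visitor_id(request.session)
        return self.get_response(request)


def collision_probability(visitors, id_space):
    """Birthday-bound estimate that two visitors draw the same random ID."""
    return 1.0 - math.exp(-visitors * (visitors - 1) / (2.0 * id_space))
```

With an ID space of 1,000,000, collision_probability(1000, 1_000_000) is about 0.39, so a funnel with only a thousand visitors already has a sizeable chance of merging two of them.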

Is there something a site can do to incorporate third party cookies

I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point it is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in each URL request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do, is pass the session id not (only) by cookie, but as a GET or POST parameter as well – f.e. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan, John
For the Chrome v80 update with SameSite flags, we want to set samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have an Apache 2.2 and Tomcat 6 setup, so we would appreciate a solution and advice on how to make it work. Currently, with the flag enabled, the iFrame is not punching out successfully.
Thanks
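An added sketch (not from any of the posts above) of the interstitial hop described in the first answer, setting the cookie with the SameSite=None; Secure attributes raised in the last comment. It is language-neutral logic written in Python rather than the posters' stack; the host, the catalog names and the parameters catalog and return_to are constructed assumptions. The return URL is checked against an allowlist so the endpoint cannot be used as an open redirect.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed values: hosting sites allowed to embed the checkout, and the
# item sets they may select. Both names are hypothetical.
ALLOWED_RETURN_HOSTS = {"shop.partner.example"}
ALLOWED_CATALOGS = {"partner-a", "partner-b"}


def safe_return_url(url):
    """Accept only a plain https URL on an allowlisted hosting site."""
    # Backslashes and control characters are read differently by browsers
    # and by urlsplit, so refuse them outright.
    if any(ch == "\\" or ord(ch) <= 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        return (
            parts.scheme == "https"
            and parts.username is None  # no user@host tricks
            and parts.port is None
            and parts.hostname in ALLOWED_RETURN_HOSTS
        )
    except ValueError:  # malformed port or IPv6 literal
        return False


def interstitial_response(query_string):
    """Return (status, headers) for the first-party hop on our own domain."""
    params = parse_qs(query_string)
    catalog = params.get("catalog", [""])[0]
    return_to = params.get("return_to", [""])[0]
    if catalog not in ALLOWED_CATALOGS or not safe_return_url(return_to):
        return 400, []  # never set a cookie or redirect on unvalidated input

    cookie = SimpleCookie()
    cookie["catalog"] = catalog
    morsel = cookie["catalog"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True      # required whenever SameSite=None is used
    morsel["samesite"] = "None"  # lets the cookie be sent inside the iframe
    return 302, [("Set-Cookie", morsel.OutputString()),
                 ("Location", return_to)]
```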

cookie or localStorage with chrome extensions

I've read all the other q's here regarding the topic but couldn't solve my problem.
I'm setting the email of the user in the localStorage on my website and I want to retrieve it in the extension.
localStorage.setItem("user", "andrei.br92#gmail.com" );
But when I try to receive it with the Chrome extension, it fails to do so.
value = localStorage.getItem("user");
Which way is easier? Cookies or localStorage? I'm not pretentious.
Please see this:
http://code.google.com/chrome/extensions/content_scripts.html#host-page-communication
Content scripts are run in a separate JavaScript world, which means the content script's localStorage is different from the website's localStorage. The only thing the two share is the DOM, so you'll need to use DOM nodes/events to communicate.
Use chrome.storage.local instead of localstorage. Content scripts using chrome.storage see the same thing that the extension page sees. More at https://developer.chrome.com/extensions/storage.html
Please see the information on Chrome content scripts. I'm betting you fell into the same initial trap that I did -- trying to read localStorage from a page-injected script, yes?
You do not want to use cookies when localStorage can do. That is because:
Cookies can be accessed/modified through the background page only.
Cookies are stored in the context of a url/domain and not the extension. So you will have to store a cookie for every domain that you wish to operate upon.
With every HttpRequest, all the cookies associated with the corresponding url/domain get transmitted to the server, so in effect you will be adding overhead to the user's requests.

Repeated cookie query or Storing in viewstate? Which is the better practice?

I have an internal website that users log into. This data is saved as a cookie. From there the users go on their merry way. Every so often the application(s) will query the authentication record to determine what permissions the user has.
My question is this: Is it more efficient to just query the cookie for the user data when it is needed or to save the user information in viewstate?
[Edit] As mentioned below, Session is also an option.
Viewstate is specific to the page they are viewing, so it's gone once they go along their merry way. Not a good way to persist data.
Your best bet is to use Forms Authentication. It's built in to ASP.NET and you can also shove any user-specific information into the Forms Authentication Ticket's Value. You can get 4000 bytes in (after encrypting) there that should hold whatever you need. It will also take care of allowing and denying users access to pages on the site, and you can set it to expire whenever you need.
Storing in the session is a no-no because it scales VERY poorly (eats up resources on the server), and it can be annoying to users with multiple browser connections to the same server. It is sometimes unavoidable, but you should take great pains to avoid it if you can.
Personally, I prefer using a session to store things, although the other developers here seem to think that's a no-no.
There is one caveat: You may want to store the user's IP in the session and compare it to the user's current IP to help avoid session hijacking. Possibly someone else here has a better idea on how to prevent session hijacking.
You can use session data - that way you know that once you have stored it there, users can't fool around with it by changing the query string.
I would use the cookie method. Session is okay but gets disposed by asp.net on recompile, and you have to use a non session cookie if you want to persist it after session anyway. Also if you ever use a stateserver its essentially doing the same thing (stores session in the db). Session is like a quick and dirty fix, real men use cookies.