ColdFusion inconsistent cookie availability - coldfusion

I've inherited a ColdFusion site, despite no background in CF, but have been tasked with making a change to the behavior of the site. I'm running into a problem with cookies, though.
A site on another domain is linking to this site and includes a query string. Now I'm checking for that value (a zip code) in the index.cfm file and storing it in the cookie and that seems to be working fine. I looped through the cookie collection and dumped the results, and the zip code was there. So at this point, all is well.
But then the user clicks on a button, which reloads the index.cfm file with a different <include>, and the cookie no longer has any values other than CFID and CFTOKEN. This was confirmed by looping through the cookie collection, and later by Fiddler.
Client storage is set to cookie, and I can't find anywhere in the index.cfm, application.cfm, or the included files where the cookie is being set to expire.
Here's the line that's storing the value:
<cfcookie name="ZC_Zip" value="#ZC.ZC_Zip#" expires="NEVER">
What else should I be looking for to figure this out? It's ColdFusion 5, if that helps.

Cookies without a set expiration are set to a default of expiring at session close. Could this reload be resetting the session of the user?

Related

How do I make cookie values (i.e. ai_user & ai_session) dynamic in JMeter, as they appear different and dynamic in the browser each time the user hits the home request?

Each time I execute the home page of an ecommerce website, some cookies appear in the request header; some of them have unique values each time we hit the Home request, namely ai_user & ai_session. I want to know how I get those unique values in JMeter each time I hit the home request.
I recorded a test script with BlazeMeter and it automatically recorded all cookies in the HTTP Cookie Manager as user-defined cookies, but those values are hard coded. I want them to be dynamic, as they are in the browser.
I already changed the property CookieManager.save.cookies=true in the jmeter.properties file (located in JMeter's bin folder) and use the variable ${COOKIE_ai_user} in the script to use the cookie value.
But the issue is that its value is static; I want to make it dynamic. How can I do that?
Each time I execute home page of ecommerce website, some cookies appear in request header
No, it doesn't work that way.
When you open the page for the first time, the browser gets cookies from the Set-Cookie header.
When you open the page the next time, the browser sends cookies in the Cookie header.
So the situation where you're sending cookies in the very first request is highly unlikely to happen (unless you're simulating a returning user).
It's sufficient to add an HTTP Cookie Manager, which simulates the browser's cookie storage and automatically handles incoming cookies.

Cookie not being stored or used

I'm setting a cookie in a response from my web service. The set-cookie header is coming through, and I can see the cookie in the network tab in Chrome, but the cookie isn't being stored. It doesn't show up in the resources->cookies tab, and the cookie isn't sent with subsequent requests. Nothing shows up in the JS console. I've also tried leaving the domain field off the cookie, but it still isn't stored.
Is there a way to debug the browser to understand why the cookie was rejected from being stored?
Turns out it had to do with the way I was making the request. I expected fetch() to work the same way as XHR requests. Setting credentials: 'include' on my fetch call resolved the problem. See section 5.6.14 of the fetch spec.
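The "why was the cookie rejected?" question above has no single browser switch to flip, but the common rejection rules can be checked offline. The following is an added example, not code from the original post: it parses a Set-Cookie header and lists the reasons a browser would refuse to store or resend the cookie for a given fetch() call, including the credentials mode that caused the problem in the post. All URLs and cookie values are constructed samples.

```javascript
// Added example, not code from the original post: a small checker that parses a
// Set-Cookie header and lists the reasons a browser would refuse to store (or
// later send) the cookie for a given fetch() call. It encodes a few well-known
// rules: a Domain attribute must cover the responding host, Secure needs https,
// SameSite=None needs Secure, and a cross-origin fetch() only honours cookies
// with credentials: 'include'. It does not compute the registrable domain
// (eTLD+1), so it cannot judge cross-site SameSite=Lax/Strict blocking.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('='); // first '=' separates name from value
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// Returns [] when the cookie would be stored, otherwise a list of reasons.
// `credentials` mirrors the fetch() option: 'omit', 'same-origin' or 'include'.
function cookieRejectionReasons(setCookie, { pageOrigin, requestUrl, credentials = 'same-origin' }) {
  const c = parseSetCookie(setCookie);
  const req = new URL(requestUrl);
  const crossOrigin = new URL(pageOrigin).origin !== req.origin;
  const reasons = [];

  // Domain must equal the responding host or be a parent domain of it.
  const domain = String(c.attrs.domain || '').replace(/^\./, '').toLowerCase();
  if (domain && req.hostname !== domain && !req.hostname.endsWith('.' + domain)) {
    reasons.push(`Domain=${domain} does not cover the responding host ${req.hostname}`);
  }
  if (c.attrs.secure && req.protocol !== 'https:') {
    reasons.push('Secure attribute on a cookie set over plain http');
  }
  const sameSite = String(c.attrs.samesite || 'Lax').toLowerCase();
  if (sameSite === 'none' && !c.attrs.secure) {
    reasons.push('SameSite=None requires the Secure attribute');
  }
  // The symptom from the post: Set-Cookie was visible in the network tab, but the
  // credentials mode told fetch() to ignore it for a cross-origin request.
  if (credentials === 'omit' || (crossOrigin && credentials !== 'include')) {
    const kind = crossOrigin ? 'cross-origin' : 'same-origin';
    reasons.push(`fetch() with credentials: '${credentials}' ignores cookies on a ${kind} request`);
  }
  return reasons;
}
```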

what persistent scope to use in absence of session scope

I need to maintain a variable in a persistent scope, that is, for as long as the user session is active. The problem is that the application does not allow session management and it is not possible to change that.
I want to display a message to the user only once per logged-in session. What are my options, except session and, if possible, except using the DB?
This is a very long comment. It won't answer the question but it might give the questioner some ideas.
I wrote and still maintain a ColdFusion application that has session management set to false. This app displays html content inside a desktop application - not a web browser. Security is handled by the desktop application. If you can log into that application and are the appropriate type of user, you can access the html content.
On the ColdFusion side, the possibility of someone discovering the url and trying to access the site with a web browser must be handled. That's done with data. The desktop application puts a UUID into a database and sends it as a url variable. ColdFusion checks to see if the UUID exists and is sufficiently recent. If that check fails, the user is sent to a "shame on you for trying" page. This is done in the onRequestStart method of Application.cfc
Other relevant variables are sent to ColdFusion from the same database record as the UUID, but they could conceivably also be url variables. The onRequestStart method copies these variables to the request scope, which is used in the other ColdFusion pages.
You can set a session cookie using cfcookie that doesn't use the expires attribute. This would cause the cookie to expire when the user closes the browser. Your cookie would indicate whether or not the message has been displayed.
<cfif structkeyexists(cookie, "message_displayed") eq false>
<cfcookie name="message_displayed" value="true"/>
<p>Your Message Here</p>
</cfif>

How long does a session cookie last? When should I reauthenticate?

How long can I use a session cookie? I have a client application where I authenticated to a SharePoint site and I am using the cookies for navigating through the subsites. I am saving the cookie and reusing the headers to login to the site at a later point without authenticating again. There is no expiration date set. How long will the cookie last and when should I authenticate back again?
The expiration of session cookies varies from browser to browser. I was unable to find any kind of reference giving the current specifics per browser. It used to be that session cookies would be destroyed when the browser was closed, but some browsers now have settings that, if enabled, will cause session cookies to persist past the browser being closed. For example, Firefox's "When Firefox starts: Show my windows and tabs from last time" will cause this to happen, somewhat surprisingly. The same goes for, "On startup: Continue where I left off" in Chrome.
I don't really care for SharePoint so I haven't used it in a while, but as I recall it uses ASP.Net Forms Authentication, pulling the configuration from the web.config just like any other ASP.Net site. That being said, you're not really concerned with the timeout of your cookie. What you care about is the timeout of your server-side session token - that is to say, how long the data contained in said cookie will be recognized by the server. That is set by the timeout property in the forms tag of the web.config file for an ASP.Net app:
<system.web>
<!-- ... -->
<authentication mode="Forms">
<forms timeout="2880" />
</authentication>
<!-- ... -->
</system.web>
If there's no expiry it's going to be around until the browser is killed. Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a JavaScript timer as well. Otherwise the browser won't understand when it's logged out until a page refresh happens, and sensitive data can be exposed. You'll see this implementation on any online banking site.
(Edit to clarify from downvote)
Session cookies do, in fact, stay around until the browser is closed. You can look it up here: http://www.allaboutcookies.org/cookies/cookies-the-same.html
The above answer is also correct in that some newer browsers will recover session cookies after a crash/close.
#Grinn, you do bring up a good point about the Ticket. When using ASP.Net Forms auth, an encrypted Ticket is placed within the session cookie. The cookie can still be in place as far as the browser is concerned, but if the datestamp inside the ticket is expired, it will be considered invalid.
If you're using some semblance of Forms auth with Sharepoint, you should probably just write your own membership provider that can crack the Ticket in the cookie, but disregard if the datestamp is expired. Building Custom Membership Provider

Google Chrome forgetting registration cookie immediately

I'm having trouble with cookies on my site's registration form.
When a user creates an account, PHP sets one cookie with their user id, and one cookie with a hash containing their user agent and a few other things. Both of these cookies are set to expire in an hour.
This is the code that sets the cookie after creating your account:
$registerHash = hash( "sha512", $_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_HOST'] . $_SERVER['DOCUMENT_ROOT'] );
setcookie("register_user_id", $newUserID, time() + 7200, "/");
setcookie("register_hash", $registerHash, time() + 7200, "/");
The next page is a confirmation page which sends an email and then optionally lets the user go on to fill out more account information. If the user goes on to fill out more, it uses the cookie to know what account to save it to. It works correctly in Firefox and IE, but in Chrome the cookie is forgotten as soon as you go to the next page. The cookie simply doesn't exist.
You can see the problem here:
http://crewinyourcode.com/register/paid/
If you use Chrome, you will get a registration timeout error as soon as you try to advance past the confirmation page. However on Firefox it works fine.
It turns out this actually was a problem of the files being in different directories, despite my cookie being set for "/", and it was forgetting across multiple. I solved it by moving all the files into the same place.