Testing ColdFusion Session Cookie Acceptance

Posted May 25, 2007 at 5:45 PM

Tags: ColdFusion

Occasionally, you get random users who cannot seem to hold a session on one of your client sites. Most often, the cause is that the user cannot accept cookies, either from any site or from the site in question. This is a hard problem to debug over the phone, so to help, I have created a ColdFusion page that tests whether the user's ColdFusion session information holds across page calls (which would indicate that their cookies are working as well).

The ColdFusion session testing template works by CFLocating back to itself several times and passing the current session's CFID and CFTOKEN values through the URL as an ID list. After several CFLocation tags, if the user's session is holding, every value in that list should be the same.

```cfm
<!--- Kill extra output. --->
<cfsilent>

	<!---
		Param the URL id. This ID will contain a comma
		delimited list of the CFID / CFTOKEN values.
	--->
	<cfparam
		name="URL.id"
		type="string"
		default=""
		/>


	<!---
		Check to see if the ID list is less than 5.
		Technically, 2 values is all we really need to
		test the cookies, but I like to give it a few
		extra to see if something really weird is happening.
	--->
	<cfif (ListLen( URL.id ) LT 5)>


		<!---
			Append the current session information
			to the URL id list.
		--->
		<cfset URL.id = ListAppend(
			URL.id,
			"#SESSION.CFID#-#SESSION.CFTOKEN#"
			) />

		<!---
			Relocate back to this page with the updated
			ID list. The list is URL-encoded because it
			travels in the query string.
		--->
		<cflocation
			url="#CGI.script_name#?id=#URLEncodedFormat( URL.id )#"
			addtoken="false"
			/>

	</cfif>


	<!---
		ASSERT: If we have gotten this far then we know
		that this page has been called 5 times and that
		we now have an ID list with 5 items containing
		this user's session information.
	--->


	<!---
		Break the ID list into an array for faster access
		and easier notation.
	--->
	<cfset arrID = ListToArray( URL.id ) />

</cfsilent>


<cfoutput>

	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html>
	<head>
		<title>ColdFusion Session Cookie Test</title>

		<style type="text/css">

			p.confirm {
				background-color: ##F9FBFF ;
				border: 2px solid ##6699FF ;
				font-size: 28px ;
				padding: 20px 0px 20px 0px ;
				text-align: center ;
				}

		</style>
	</head>
	<body>

		<h2>
			ColdFusion Session Cookie Test
		</h2>

		<p>
			In order for you to be able to log into
			this site, you must have Cookies enabled in
			your browser. If cookies are enabled, the
			following 5 values will be identical:
		</p>


		<ol>
			<!---
				Loop over values and output them. The list
				comes from the URL, so escape each value
				before writing it into the page.
			--->
			<cfloop
				index="intI"
				from="1"
				to="5"
				step="1">

				<li>
					#HTMLEditFormat( arrID[ intI ] )#
				</li>

			</cfloop>
		</ol>


		<p class="confirm">

			<strong>Cookies Accepted:</strong>


			<!---
				We will know that the session cookie
				information held from request to request
				if all the values in the list are identical.
				Check each value against the next.
			--->
			#YesNoFormat(
				(arrID[ 1 ] EQ arrID[ 2 ]) AND
				(arrID[ 2 ] EQ arrID[ 3 ]) AND
				(arrID[ 3 ] EQ arrID[ 4 ]) AND
				(arrID[ 4 ] EQ arrID[ 5 ])
				)#
		</p>

		<p>
			If your cookies are not being accepted, please
			copy and paste the contents of this page into an
			email and send it to nikki@girls-like-girls.com.
		</p>


		<!---
			Output some browser related information that
			might help the tech team debug just what is
			going on. These header values are sent by the
			client, so they are escaped as well.
		--->

		<h3>
			Browser Information
		</h3>

		<p>
			<strong>User Agent:</strong><br />

			#HTMLEditFormat( CGI.http_user_agent )#
		</p>

		<p>
			<strong>Request Cookies:</strong><br />

			<!---
				When outputting the browser's cookie, just
				try to replace out references to CFIDE and
				ADMINISTRATOR (if they are there) so people
				don't get any funny ideas.
			--->
			#HTMLEditFormat(
				ToString( CGI.http_cookie ).ReplaceAll(
					"(?i)cfide|administrator|cfadmin",
					"temp"
					)
				)#
		</p>

	</body>
	</html>

</cfoutput>
```

Hitting the above ColdFusion template, my browser looks like this:

[Screenshot: ColdFusion Session Cookie Acceptance Testing Template]

Notice that it outputs the CFID and CFTOKEN values. All 5 values should be the same if the SESSION scope was maintained and the cookies were accepted. I assume this will not work for all login setups, but it will work for most of mine. Additionally, I am outputting the user agent information as well as the cookies that were broadcast by the requesting browser. I figured the more information that the user can email to the tech team, the better.

Now, you have probably seen cookie testing where someone just sets a cookie value using ColdFusion's CFCookie tag and then checks to see if that variable exists in the ColdFusion COOKIE scope. This is not acceptable. CFCookie will always be able to set the value on the first go (as far as I know). What we really need to test is the round-trip journey from the server back to the browser back to the server. This is the only true way to test cookie acceptance (as far as I can see).
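
The same round trip can be tested without putting CFID and CFTOKEN into the URL, where they are typically recorded in browser history and web server logs. The following is an added example, not code from the original post; the cookie name cookieProbe, the URL parameter probe, and the variable names are assumptions made for illustration.

```cfml
<!--- Added example: cookie round-trip test using a throwaway value. --->
<cfsilent>

	<!--- Value echoed back in the URL on the second request (hypothetical name). --->
	<cfparam name="URL.probe" type="string" default="" />

	<cfif NOT Len( URL.probe )>

		<!---
			First request: issue a throwaway value as a
			browser-session cookie (no EXPIRES attribute) and
			redirect back with the same value in the query string.
			The value is not a session identifier.
		--->
		<cfset probeValue = CreateUUID() />

		<cfcookie name="cookieProbe" value="#probeValue#" />

		<cflocation
			url="#CGI.script_name#?probe=#URLEncodedFormat( probeValue )#"
			addtoken="false"
			/>

	</cfif>

	<!---
		Second request: the cookie made the round trip only
		if the browser sent back the exact value we issued.
		Checking on the first request would always pass,
		because CFCookie populates the COOKIE scope itself.
	--->
	<cfset cookiesAccepted = (
		StructKeyExists( COOKIE, "cookieProbe" ) AND
		(Compare( COOKIE.cookieProbe, URL.probe ) EQ 0)
		) />

	<!--- Expire the probe cookie; it has served its purpose. --->
	<cfcookie name="cookieProbe" value="" expires="now" />

</cfsilent>

<cfoutput>
	<p>
		<strong>Cookies Accepted:</strong>
		#YesNoFormat( cookiesAccepted )#
	</p>
</cfoutput>
```

This variant checks cookie acceptance only; it does not confirm that the ColdFusion session itself is holding, which is what the CFID / CFTOKEN comparison in the original template shows.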


Reader Comments

Ben:
Thanks for the excellent writeup!
Amazing timing here as I have been having strange problems lately with some of my applications...
First, I *never* in the past used URLSessionFormat() when building URLs in my session based applications and they always seemed to "just work".
Now I have been doing a bit more CFLocation and other things to move users around between different CF Applications (different application names).
I am now seeing about 1% of my users seem to have problems where their browser will not maintain session correctly. I have it happening on one of my test boxes as well... The boxes have cookies enabled... Restarting, using a different browser Firefox/IE, cleaning all cookies, reinstalling the browsers, praying... nothing seems to fix the problem. I finally decided to "fix it" by modifying my code to use the URLSessionFormat function... That didn't solve my problem.

I am actually having to put the CFID and CFToken into the URLs and links and form submissions myself. It is the only way I have been able to maintain the session on these PCs.

Ever hear of that one? I have been banging my head against the wall for a few days here...

Posted by Ken Auenson, II on May 25, 2007 at 8:55 PM


Of course...
I write all that down, and then check the CFQuickDocs link for URLSessionFormat, http://www.cfquickdocs.com/#URLSessionFormat, and I see that there is a comment from tommyviper that states "Using MX7 Ent. on IIS - disabling J2EE caused this function to ignore whether or not the client accepts cookies.".
I am on CFMX7 Standard and I have "Use J2EE session variables" turned off... Is that why the URLSessionFormat isn't working?

Sorry, I don't really know why I am asking you this exactly! lol

Thanks again for all you do for the community, Ben, and I hope you enjoy the 3 day weekend!

Posted by Ken Auenson, II on May 25, 2007 at 9:03 PM


@Ken,

To be honest, I have never used ColdFusion's URLSessionFormat(). However, if you are throwing people from one application to another application, they are going to exist in different memory spaces; as a result, I am not sure how they would even hold session information.

Of course, I have never done that, so I could be totally off base there.

Also, I am not aware of the MX7 and IIS interaction, so any comments you get off of CFQuickDocs are going to be better than any I could give you.

Now you have me curious... I need to go play around with throwing people into different apps.

Posted by Ben Nadel on May 29, 2007 at 8:17 AM


Ben:
I didn't explain that very well.
When I forward the user to a new application, I pass URL variables so that the next app can determine who the user is... usually just a hash of their userid (plus extra text), or using Encrypt/Decrypt...
So once the user gets to the new app, I can see that the first page does exactly what it is supposed to, but when they click a link, or submit a form, the session gets lost and I can absolutely verify that the users do have cookies enabled.
It has been a nasty little pest...

Posted by Ken Auenson, II on May 29, 2007 at 9:44 AM


@Ken,

That sounds like a sticky problem. I wish I had better advice to give you, but I do not.

Posted by Ben Nadel on May 30, 2007 at 5:58 PM


Ben,
Thanks for this script. I'm using it to diagnose some problems I've been having with one of my websites.

In my case, cookies are written properly to the browser and the browser sends the cookies with the request (per IIS logs) but ColdFusion still can't read them. This results in no shopping cart, no sales, and bad rep.

This only happens intermittently but is a very big problem on such a low volume site as mine. I've detailed my problem on the CF Forums. If you have time, maybe you could take a look?

http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=1&catid=7&threadid=1308110&enterthread=y

If not, no big deal. I appreciate the time you've taken with your blog. I've been using it as a CF resource for quite some time now.
Thanks!!!
-Sam

Posted by Sam on Oct 18, 2007 at 4:21 PM


@Sam,

Your problem, and cookie problems in general are SO hard to debug especially when you can't duplicate the error in the development environment.

When you say the browser writes the cookies properly, and that ColdFusion is sending them properly, do the users pass the Cookie test page (outlined in this blog post)? Or are they still failing that one?

Posted by Ben Nadel on Oct 19, 2007 at 8:33 AM


It's really weird. The site works for most people. The few users that have a problem get my "You must enable cookies to use the site." error message because ColdFusion can't see the cookies. They swear they have cookies enabled and have even sent me screen shots of the cookies in Firefox, IE, Safari, etc.

I've checked my IIS logs and, sure enough, when the user is redirected to my error page, I can see the proper cookies exist in the http request. That is, the cookies are getting to the webserver but not ColdFusion. I've had a couple of these users hit your cookie test page... The page fails but, again, the cookies exist in the user's browser and I can see the cookies in the IIS log file.

Ugh!

I'll keep plugging away and let you know what I find.

Posted by Sam on Oct 19, 2007 at 9:25 AM


I have been "dealing" with this exact behavior for ages. You can pass cfid and cftoken on the url and even set cfid and cftoken in the cookie/session/client scopes on every page till you are blue in the face and for some users cf server simply does not use them and creates new session for every page request.

I have had users go through half an application and suddenly lose their session. From that point on no matter what they do (clear cache, cookies, etc) they will no longer be able to use the application.

In theory the server first checks the cookies and then the url scope for the id and token but even when I can display the passed values on the pages cf still creates new sessions. What gives? I have never found a solution but I know that it is a real problem for many. I have never had to deal with this on any other platform.

Posted by Kris Kadela on Oct 30, 2007 at 12:49 AM


Anyone have more to say about this? Any new discoveries since October? We're considering making our ecommerce site available to users that choose to block cookies. I'd love to get any last minute advice before trying to code this. I'll post back here what I discover myself as well.

Posted by nate on Jan 23, 2008 at 4:02 PM


I've been dealing with the issue of cookie acceptance for awhile, and I haven't been able to come up with a really good solution. I've tested setting cookies on one page and then checking for the existence of them on another, and that works, but there are usability problems with that approach.

I really appreciate the ideas in this post. It offers a creative way to check if cookies are enabled in a browser. I am, however, having issues using this method with IE 7. It seems that IE 7 will keep the cfid and cftoken values the same for each iteration even when cookies are disabled.

Is there an update to this method that will work with IE 7? Is there another method for testing cookie acceptance?

Posted by David Bode on Mar 11, 2008 at 10:48 AM


@David,

If IE 7 keeps the same CFID / CFTOKEN values, then that should mean that it is maintaining the session? I am surprised that works if cookies are disabled. Maybe it still keeps "session cookies" which will be deleted when the browser closes.

Posted by Ben Nadel on Mar 11, 2008 at 10:50 AM


Actually, what I'm finding is that IE 7 will keep the same CFID and CFTOKEN values but will not maintain the session. It's odd, I know. I will disable cookies in IE 7 and then run the code you have here and it will tell me that cookies are enabled and will show the CFID/CFTOKEN values to all be the same. But then when I try logging in on my Web site, the site will not maintain a session.

My browser is set to block all cookies, and I've looked in the Temporary Internet Files folder and the Cookies folder on my C: drive, and I don't see any cookies anywhere (although I'm not sure where to look for "session cookies").

Any ideas?

Thanks,
David

Posted by David Bode on Mar 11, 2008 at 12:53 PM


I'm sorry, I forgot to post an update to my situation (glad I subscribed to the comments here).

In my case, it turned out ColdFusion was doing exactly what it was supposed to do (Ben's script confirmed this).

The webserver was set up to host two different domains, a .com and a .co.uk. Both domains pointed to the same webroot and shared the same IIS log. It turned out that there was a JavaScript redirect during the checkout process that we didn't catch. (We inherited this app and don't use Javascript redirects so didn't think to look for it.) The .co.uk user was redirected to the .com address and the CFID/CFTOKEN values were not passed so the session was lost.

Because both domains used one IIS website, there was only one logfile and the log didn't indicate which domain was used.

Very frustrating but I'm glad it was a coding problem and not related to browsers and/or ColdFusion.

Thanks again Ben for this great resource. Keep up the good work.
-Sam

Posted by Sam on Mar 13, 2008 at 10:33 AM


@Sam,

Glad you got it figured out :)

Posted by Ben Nadel on Mar 13, 2008 at 10:35 AM

