Ask Ben: Hiding / Encrypting ColdFusion CFID And CFTOKEN Values

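<cfcomponent>
 
	<!---
		Define the application. Notice that we have turned
		ON the session management, but we are NOT letting
		ColdFusion write the CFID / CFTOKEN session cookies
		to the browser. We issue our own cookie instead (see
		OnSessionStart) and hand the values back to ColdFusion
		in the pseudo constructor below.
	--->
	<cfset THIS.Name = "HideCFIDApp" />
	<cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 5, 0 ) />
	<cfset THIS.SessionManagement = true />
	<cfset THIS.SessionTimeout = CreateTimeSpan( 0, 0, 5, 0 ) />
	<cfset THIS.SetClientCookies = false />
 
	<!---
		Encryption settings shared by the pseudo constructor
		(decrypt) and OnSessionStart() (encrypt). Keeping them
		in one place means the two sides cannot drift apart.
 
		NOTE(security): the key is a literal in source, and
		CFMX_COMPAT is a weak, legacy algorithm that provides
		no integrity check, so anyone who learns the key can
		read or alter the cookie value. For anything beyond a
		demo, load the key from configuration that is not
		committed with the code, and prefer a strong algorithm
		(e.g. AES) where the ColdFusion version supports it.
		Changing either value invalidates every ID cookie that
		has already been issued.
	--->
	<cfset THIS.EncryptionKey = "nice-butt!" />
	<cfset THIS.EncryptionAlgorithm = "CFMX_COMPAT" />
	<cfset THIS.EncryptionEncoding = "HEX" />
 
	<!--- Set page settings. --->
	<cfsetting
		showdebugoutput="false"
		/>
 
 
	<!---
		NOTE: The code we are about to run below this comment
		but BEFORE the first CFFunction tag is known as the
		pseudo constructor (technically includes the code above
		as well). This code will run as part of the
		Application.cfc initialization and will run before any
		of the other methods are evaluated. Therefore, we can
		do stuff in this code (such as turn on or affect
		session management) that will affect the way the
		application invokes the functions that succeed it.
	--->
 
 
	<!---
		Check to see if the encrypted ID is available in
		the cookie scope. If so, we are going to decrypt it,
		validate it, and use it to set the current session
		information.
 
		The cookie comes from the browser and is untrusted: a
		malformed or tampered value must not throw (that would
		break every request for that visitor until the cookie
		is cleared) and must not be handed to ColdFusion as a
		session ID without being checked first.
	--->
	<cfif StructKeyExists( COOKIE, "ID" )>
 
		<!---
			Decrypt the value. Decrypt() throws on input that
			is not valid HEX or cannot be decrypted, so we
			default to an empty string and treat any failure
			as "no usable cookie".
		--->
		<cfset THIS.DecryptedID = "" />
 
		<cftry>
			<cfset THIS.DecryptedID = Decrypt(
				COOKIE.ID,
				THIS.EncryptionKey,
				THIS.EncryptionAlgorithm,
				THIS.EncryptionEncoding
				) />
 
			<cfcatch type="any">
				<!--- Undecryptable cookie; leave the ID empty. --->
				<cfset THIS.DecryptedID = "" />
			</cfcatch>
		</cftry>
 
		<!---
			The decrypted value must be exactly "CFID,CFTOKEN".
			Both parts are restricted to letters, digits and
			hyphens; this covers the numeric token format and
			the UUID-style one, but confirm it against the
			server's CFTOKEN setting. REFind() returns 0 when
			there is no match, which ColdFusion treats as false.
		--->
		<cfset THIS.IsValidID = (
			(ListLen( THIS.DecryptedID, "," ) EQ 2) AND
			REFind( "^[A-Za-z0-9-]+$", ListFirst( THIS.DecryptedID, "," ) ) AND
			REFind( "^[A-Za-z0-9-]+$", ListRest( THIS.DecryptedID, "," ) )
			) />
 
		<cfif THIS.IsValidID>
 
			<!---
				Set the decrypted CFID and CFTOKEN values into
				the COOKIE scope. We don't need to worry about
				storing the CFID / CFTOKEN into the SESSION scope
				because once ColdFusion hooks up the association,
				they should already be there.
 
				When storing the CFID and CFTOKEN into the cookies,
				be sure to tell the cookie that it expires right
				now so that this cookie does not get stored to the
				user's browser as a session cookie (expires when
				user closes the browser).
			--->
			<cfcookie
				name="CFID"
				value="#ListFirst( THIS.DecryptedID, "," )#"
				expires="NOW"
				/>
 
			<cfcookie
				name="CFTOKEN"
				value="#ListRest( THIS.DecryptedID, "," )#"
				expires="NOW"
				/>
 
		<cfelse>
 
			<!---
				The cookie could not be decrypted or did not
				have the expected shape. Remove it so we do not
				re-process it on every request; OnSessionStart
				will issue a fresh one for the new session.
			--->
			<cfcookie
				name="ID"
				value=""
				expires="NOW"
				/>
 
		</cfif>
 
	</cfif>
 
 
	<!---
		NOTE: The pseudo-constructor code is done. The functions
		below this are hooks into the application-level events.
	--->
 
 
	<cffunction
		name="OnSessionStart"
		access="public"
		returntype="void"
		output="false"
		hint="Runs when the session starts. Issues the encrypted ID cookie that stands in for the CFID / CFTOKEN cookies.">
 
		<!--- Define the local scope. --->
		<cfset var LOCAL = StructNew() />
 
		<!---
			Instead of writing the CFID and CFTOKEN as plain
			text cookies, we are going to write an encrypted
			ID based on both the CFID and CFTOKEN.
 
			Create the "CFID,CFTOKEN" string and encrypt it
			with the settings defined in the pseudo constructor
			so that we end up with a HEX value string. The same
			settings are used to decrypt it on later requests.
		--->
		<cfset LOCAL.EncryptedID = Encrypt(
			"#SESSION.CFID#,#SESSION.CFTOKEN#",
			THIS.EncryptionKey,
			THIS.EncryptionAlgorithm,
			THIS.EncryptionEncoding
			) />
 
		<!---
			Set this encrypted cookie.
 
			NOTE(security): expires="NEVER" makes this a
			persistent credential. Whoever presents it gets the
			CFID / CFTOKEN pair handed to ColdFusion by the
			pseudo constructor above, so the cookie keeps
			working for as long as the browser keeps it.
			Consider a bounded lifetime, and add httponly="true"
			and secure="true" where the ColdFusion version and
			the deployment (HTTPS) allow it, so the value is not
			readable by page scripts or sent over plain HTTP.
		--->
		<cfcookie
			name="ID"
			value="#LOCAL.EncryptedID#"
			expires="NEVER"
			/>
 
 
		<!--- Initialize some session variables. --->
		<cfset SESSION.HitCount = 0 />
 
		<!--- Return out. --->
		<cfreturn />
	</cffunction>
 
 
	<cffunction
		name="OnRequestStart"
		access="public"
		returntype="boolean"
		output="false"
		hint="Fires when a page is requested. Counts the hit and lets the request proceed.">
 
		<!--- Define arguments. --->
		<cfargument
			name="Template"
			type="string"
			required="true"
			/>
 
		<!---
			Increase the Hit count. Guard against a session that
			was created before HitCount existed (for example,
			one that outlived a code deployment) so the
			increment cannot fail on a missing key.
		--->
		<cfif NOT StructKeyExists( SESSION, "HitCount" )>
			<cfset SESSION.HitCount = 0 />
		</cfif>
 
		<cfset SESSION.HitCount = (SESSION.HitCount + 1) />
 
		<!--- Return out. --->
		<cfreturn true />
	</cffunction>
 
</cfcomponent>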
