I've used ColdFusion sessions for quite a while, so I know how they are used, but now I need to know how they work, so that I can plan for scaling my website.

Is a ColdFusion user 'session' simply a quick method to set up 2 cookies (CFTOKEN and CFID) and an associated server-side memory structure (the SESSION scope)? Does it do anything else? I'm trying to identify the overhead associated with user sessions versus other methods such as cookies.

+5  A: 

Your understanding of them is basically correct, although they are not bound to the cookies. The cookies are a recording of a token. That token can get passed in the URL string if cookies are not enabled in the browser.

There are 2 main advantages I see of saving things in session instead of cookies:

  1. You control the session scope. People can't edit the data in the session scope without you providing them an interface. Cookies can be modified by the client.
  2. Complex data like structures, arrays, objects, network sessions (FTP, exchange) can be stored there.

Their memory overhead is "low" but that's a relative term. Use the ColdFusion Admin Server Monitor to drill into how much memory your sessions are actually using.

Terry Ryan
While the session scope can't be directly affected by the client, can't they be spoofed if the cookies are modified?
Dan Sorensen
Yes, that is true, Dan. The session can be spoofed. That's harder to do with J2EE sessions, which you can enable through the administrator. But my point was that a user can't directly muck with a session. Even if they spoofed, they could still only manipulate what the application lets them manipulate, as opposed to cookies, which the user can manipulate completely.
Terry Ryan
+2  A: 

First of all, Session is a scope: a secure and efficient way to keep current user attributes like permissions or preferences. Not sure what you mean by "other methods", but I doubt that you'll be able to keep complex data structures (query, object, array) in cookies.

Second, the application server provides you with really handy event handlers specifically for sessions: onSessionStart() and onSessionEnd().

Third, sessions can be pretty easily shared and clustered: between CF applications or between CF and J2EE.

Sergii
Other methods such as data stored in the cookie or in a database and tied to a cookie. I'm not tracking much for this app. The session scope makes the most sense unless its overhead turns out to be greater than some other method.
Dan Sorensen
+1  A: 

Sessions are per-user memory space assigned within a particular application space within the JVM memory. The two cookies are pointers to (the token of) that memory space. Yes, there is overhead in using sessions (RAM, swap space, etc.), but unless you're shoving massive amounts of data inside the session scope, it shouldn't be that bad.

webRat
A: 

One aspect of sessions not mentioned is that they have a lifetime: by default 20 minutes (of inactivity). This lifetime can be set by application, but can never be more than the limit set in ColdFusion Administrator.

If memory usage is a concern the time limit could be reduced, although there's still much that depends on the Java garbage collection.

Al Everett
Good point about session lifetime effects on memory.
Dan Sorensen
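
An added example, not taken from any of the answers above: a minimal Application.cfc that sets the session lifetime described in the last answer and uses the onSessionStart() and onSessionEnd() handlers mentioned earlier to keep a count of live sessions. The application name, the lock name and the `activeSessions` counter are assumptions made for illustration.

```cfml
component {

    // Hypothetical application name; sessions are scoped to this application.
    this.name = "SessionDemoApp";

    // Turn on the SESSION scope for this application.
    this.sessionManagement = true;

    // Idle lifetime of 20 minutes (days, hours, minutes, seconds).
    // A value above the maximum set in ColdFusion Administrator is capped by the server.
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);

    public boolean function onApplicationStart() {
        // Illustrative counter of sessions currently held in memory.
        application.activeSessions = 0;
        return true;
    }

    public void function onSessionStart() {
        // Keep per-user data small: every key here lives in JVM memory
        // until the session times out.
        session.startedAt = now();

        lock name="activeSessionsCounter" type="exclusive" timeout="5" {
            application.activeSessions++;
        }
    }

    public void function onSessionEnd(required struct sessionScope, required struct applicationScope) {
        // This handler runs outside a request, so the scopes are only
        // reachable through the arguments, not as SESSION / APPLICATION.
        lock name="activeSessionsCounter" type="exclusive" timeout="5" {
            arguments.applicationScope.activeSessions--;
        }
    }
}
```

Multiplying `application.activeSessions` by a typical per-session size gives a rough memory estimate to compare against what the Server Monitor reports.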