Inside ColdFusion MX
We are all familiar with the use of cookies within web sites and web applications. They are used for tasks such as identifying users when they return to use your application. In fact, a simple bug-reporting application that we recently wrote uses a cookie to remember the test user's email address and to prefill part of the login form. Cookies are not unique to ColdFusion applications. Cookies have been around for a long time and were first introduced by Netscape for use in their Navigator web browser. Since then, not much has changed about cookies, but their integration into web browser software is all but universal.

Understanding Cookies
As we begin our discussion of the use of cookies within web applications, we should first dispel a few of the myths regarding the use of cookies. You probably remember several years ago, during the height of the cookie scare, that everyone and his brother were upset about the evil cookies that had been placed on their computers and that were exporting vital information about them and the contents of their hard drive. Many people flat-out refused to accept cookies. Some still do. Well, cookies are not the gremlins that they were made out to be. They are neat little variables that we can create and store on the client computer to help streamline the experience of our application's users. They are not dangerous. They can, however, if used improperly, expose guarded information to potential attack.

Cookies are variables that are stored on a client computer. They store their values as strings. They are sent to the server with every page request. They can be read only by the domain that set them, and by default they are available to every requested page within that domain. You can, however, restrict a cookie to individual pages (paths) within the domain. Cookies exist on the client machine as simple text strings. For that reason, information such as passwords and credit card numbers should never be stored in a cookie.

Using Cookies
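Before turning to the ColdFusion tags, here is the scoping behaviour from the previous section as an added example (not code from the book): a small model of how a browser stores each cookie as plain text with a domain and path scope and, on every request, attaches only the cookies whose scope matches the request's host and path. The cookie jar, hostnames and paths below are constructed for the demonstration; the matching rules follow the standard cookie path-match and domain-match conventions.

```python
# Added example (not from the book): a minimal model of the client-side
# cookie rules described above. A browser stores each cookie as plain text
# together with its domain and path scope, and on every request attaches
# the cookies whose scope matches the request's host and path.
# The cookies and requests below are constructed for the demonstration.
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str         # stored as a readable string; nothing is encrypted
    domain: str        # host that set the cookie, or its Domain= attribute
    path: str = "/"    # Path= attribute; "/" covers every page in the domain


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """The request host is the cookie's domain or a subdomain of it."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or the cookie path is a directory prefix
    of the request path ("/bugs" matches "/bugs/x" but not "/bugsy")."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, host: str, path: str) -> dict:
    """Name/value pairs a browser would send in the Cookie: header for this request."""
    return {c.name: c.value for c in jar
            if domain_matches(host, c.domain) and path_matches(path, c.path)}


def set_cookie_header(name: str, value: str, path: str = "/", domain: str = "") -> str:
    """The Set-Cookie header value that scopes a cookie, as CFCOOKIE's path and
    domain attributes would."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = path
    if domain:
        c[name]["domain"] = domain
    return c.output(header="").strip()


# Constructed sample jar: one site-wide cookie and one limited to the /bugs/ pages.
DEMO_JAR = [
    StoredCookie("Email", "neil@codesweeper.com", "www.codesweeper.com"),
    StoredCookie("BugFilter", "open", "www.codesweeper.com", "/bugs/"),
]

if __name__ == "__main__":
    print(set_cookie_header("Email", "neil@codesweeper.com", domain="codesweeper.com"))
    print(cookies_for_request(DEMO_JAR, "www.codesweeper.com", "/index.cfm"))
    print(cookies_for_request(DEMO_JAR, "www.codesweeper.com", "/bugs/login.cfm"))
    print(cookies_for_request(DEMO_JAR, "www.example.com", "/index.cfm"))
```

The last three calls show the three cases the text describes: a site-wide cookie goes with every page request on its domain, a path-restricted cookie goes only with requests under that path, and nothing at all is sent to a different domain. The value column is an ordinary string throughout, which is why a secret placed there is readable by anyone with access to the client machine.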
Cookies can be set and read by ColdFusion. ColdFusion uses the CFCOOKIE tag to create cookies. A CFCOOKIE tag generally looks like this:

<cfcookie name="Email" value="neil@codesweeper.com">

The only required attribute of the CFCOOKIE tag is the name attribute. Before you decide to use cookies in your application, keep the following things in mind:
Let's work this into the bit of code that we mentioned earlier: the bug-tracking application login. I use a CFIF statement to test for the existence of a cookie on the client machine and, if present, prefill the email text input in the form:

<!---
Template: Login.cfm
Author: Neil Ross (neil@codesweeper.com)
Date: 03/01/2002
Sample login page with cookie evaluation to pre-fill the user email address.
--->
<form name="loginform" action="authenticate.cfm" method="post">
<table>
  <tr>
    <td colspan="2">Please provide your email address and password below.</td>
  </tr>
  <tr>
    <td>Email: </td>
    <td>
      <!--- cookie.email is text supplied by the client, so encode it before writing it into the attribute --->
      <input name="email" type="text" value="<cfif IsDefined("cookie.email")><cfoutput>#HTMLEditFormat(cookie.email)#</cfoutput></cfif>">
    </td>
  </tr>
  <tr>
    <td>Password: </td>
    <td><input name="password" type="password"></td>
  </tr>
  <tr>
    <td colspan="2"><input type="submit" value="Log In"></td>
  </tr>
</table>
</form>

Let's look at how we can make use of cookies on the authentication page:

<!---
Template: Authenticate.cfm
Author: Neil Ross (neil@codesweeper.com)
Date: 03/01/2002
Sample login authentication page which sets a cookie with a value of the user's email address.
--->
<cfif IsDefined("form.email") AND form.email IS NOT "" AND IsDefined("form.password") AND form.password IS NOT "">
  <!--- Bind the form fields as query parameters rather than pasting them into the SQL string --->
  <cfquery name="AuthenticateUser" datasource="#request.dsn#">
    SELECT UserID
    FROM Users
    WHERE Email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
      AND Password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
  </cfquery>
  <cfif AuthenticateUser.RecordCount IS 1>
    <!--- Remember the address for next time; the cookie holds only the email, never the password --->
    <cfcookie name="Email" value="#form.email#">
    Thanks for visiting, click <a href="index.cfm">here</a> to go to the home page.
  <cfelse>
    Your username or password is incorrect. Please click <a href="login.cfm">here</a> to try to log in again.
  </cfif>
</cfif>

We don't like to leave the user on this page, and we've discussed the fact that you cannot execute a CFLOCATION tag in the same template in which you set a cookie, so you can employ a bit of JavaScript to relocate the document.
Try this:

<script language="JavaScript">
  document.location = "index.cfm";
</script>

We could also use the CFHEADER tag to accomplish the same thing:

<cfset variables.redirectURL = "index.cfm">
<cfheader statuscode="302" statustext="Object Moved">
<cfheader name="location" value="#variables.redirectURL#">

Treat cookies just like any other variable when you evaluate them. Remember that cookies are stored on the client machine, not in your server memory, so when you access a cookie value you do not need to use the CFLOCK tag.
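The server side of the two templates above, as an added example that is not the book's code: Login.cfm's cookie check and Authenticate.cfm's query and redirect modelled as plain Python functions so the handling rules can be run and checked. The cookie value arrives from the client and is escaped before it is echoed into the form (the HTMLEditFormat step), the submitted login fields reach the database as bound parameters (the cfqueryparam step), and on a successful login the Set-Cookie header and the 302 Location header travel in one HTTP response, which is what the CFHEADER approach produces. The Users table, the cookie headers and the form submissions are constructed in memory for the demonstration.

```python
# Added example, not the book's code: the server side of Login.cfm and
# Authenticate.cfm as plain Python functions. The Users table and the
# requests below are constructed in memory for the demonstration.
import html
import sqlite3
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the request.dsn datasource.
    Mirrors the book's schema, which compares the stored password directly."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES (1, 'neil@codesweeper.com', 'secret')")
    return db


def cookie_email(cookie_header: str) -> Optional[str]:
    """Login.cfm's IsDefined("cookie.email"): read the Email cookie from the
    request's Cookie: header if the browser sent one."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("Email")
    return morsel.value if morsel is not None else None


def email_input_html(cookie_header: str) -> str:
    """Login.cfm: the prefilled email box. The cookie is client-controlled text,
    so it is HTML-escaped (ColdFusion: HTMLEditFormat) before it is placed
    inside the value attribute."""
    email = cookie_email(cookie_header) or ""
    return '<input name="email" type="text" value="%s">' % html.escape(email, quote=True)


def authenticate(db: sqlite3.Connection, email: str, password: str) -> Optional[int]:
    """Authenticate.cfm's query with bound parameters (ColdFusion: cfqueryparam),
    so a quote in the submitted fields is data rather than SQL."""
    if not email or not password:
        return None
    row = db.execute(
        "SELECT UserID FROM Users WHERE Email = ? AND Password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def login_response(db: sqlite3.Connection, email: str, password: str,
                   redirect_url: str = "index.cfm") -> Tuple[int, List[Tuple[str, str]]]:
    """Authenticate.cfm: status code and headers. On success the CFCOOKIE and the
    CFHEADER redirect share one response; on failure the page itself is returned."""
    if authenticate(db, email, password) is None:
        return 200, [("Content-Type", "text/html")]
    c = SimpleCookie()
    c["Email"] = email          # only the address is remembered, never the password
    c["Email"]["path"] = "/"
    return 302, [("Set-Cookie", c.output(header="").strip()), ("Location", redirect_url)]


if __name__ == "__main__":
    db = open_demo_db()
    print(email_input_html('Email="neil@codesweeper.com"'))
    print(email_input_html("Email=neil<b>@codesweeper.com"))   # constructed value with markup in it
    print(login_response(db, "neil@codesweeper.com", "secret"))
    print(login_response(db, "o'neil@codesweeper.com", "secret"))
```

The second call to email_input_html shows why the encoding step matters: whatever the client stored under the cookie name is written back into the page, so angle brackets and quotes in it must come out as entities. The last call shows that an apostrophe in the submitted address is simply compared as data by the parameterised query and the login fails normally.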