ColdFusion sessions - how exactly is CF identifying a connection / unique client

After doing some digging with remote CFCs I called from Word VBA, I found they set sessions also, which got me thinking and Googling (unsuccessfully) for an explanation of just how CF does distinguish between different clients. I had previously assumed it was a browser cookie being set to identify the client, but then here I was consuming a web service through a Word app and still getting the session variables and sessionID set.

So if I load and log in to my app via a browser (Chrome) and hit a test page, I get jsessionID = 123. If I fire up Firefox and log in, I get a different jsessionid = 234, as expected. If I hit a remote CFC as a web service WSDL using Word VBA, I can see jsessionid=345 returned to the VBA module. If I close Word and reopen my macro (containing a login request to the web service), I get a new jsessionID=567.

So what is it about the request that CF is identifying and how does it persist the identification of the client?

This is the same issue in a VBA HTTP call:

Sub doHTTP()

    Dim MyRequest As Object
    Dim httpString As String
    httpString = "http://localhost:8888/test.cfm"

    Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")

    MyRequest.Open "GET", httpString

    ' Send request.
    MyRequest.Send

    MsgBox MyRequest.ResponseText

    ' Now pass in the session urltoken we have just retrieved.
    MyRequest.Open "GET", httpString & "?urltoken=" & MyRequest.ResponseText

    ' Resend the request, this time with the urltoken.
    MyRequest.Send

    ' Take a look and see if the session variables are correct.
    MsgBox MyRequest.ResponseText

End Sub

In a test.cfm:

<cfif isdefined("URL.urltoken")>
    <cfset session.urltoken="#URL.urltoken#">
<cfelse>
    <cfset session.username="bob">
</cfif>


<cfoutput>session.urltoken="#session.urltoken#"</cfoutput><br>
<cfoutput>session.username="#session.username#"</cfoutput><br>
<cfoutput>session.sessionID="#session.sessionID#"</cfoutput>

OK, that now works. Interesting: I will need to remember that for web service or HTTP calls not using a browser, I will need to pass the sessionID in the URL manually.

Saul asked Nov 05 '22 19:11


1 Answer

The session is definitely maintained based on a browser cookie. On the first request from the browser, the server assigns a token, and this will be used to make the session connection in the rest of the requests. If browser cookies are disabled, then you may need to pass CFID and CFTOKEN in the URL for every request, and in the case of J2EE session management you may need to pass jsessionId as well (the best way is to append session.URLToken to every request).

In the Word macro you get a new jsessionId because Word may not have a cookie and is not able to persist the connection, but just try to concatenate session.URLToken in the next web service call and you will get all your session back, even after reopening Word. You can even try copying session.URLToken from the Chrome browser request and appending it to the Firefox request, and you will get the same session that is available in Chrome (the same thing will work if you are trying from a different computer as well).

So the moral of the story is that the combination of CFID, CFTOKEN and JSessionId (in the case of J2EE session management) is used for the connection between client and server, either through the URL or a cookie.

Pritesh Patel answered Nov 09 '22 05:11
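
The answer notes that session.URLToken appended to a request restores the same session from another browser or computer, so a CFID/CFTOKEN/jsessionid carried in a URL identifies the session on its own. As an added example (not part of the original question or answer), this Python script scans access-log lines for those identifiers in request URLs and reports any session identifier that was presented by more than one client. The log lines, the combined log format and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2022:19:11:02 +0000] "GET /test.cfm HTTP/1.1" 200 120 "-" "Chrome/107"
10.0.0.5 - - [05/Nov/2022:19:11:09 +0000] "GET /test.cfm?CFID=1201&CFTOKEN=4455aa HTTP/1.1" 200 120 "-" "Chrome/107"
10.0.0.9 - - [05/Nov/2022:19:12:40 +0000] "GET /test.cfm?CFID=1201&CFTOKEN=4455aa HTTP/1.1" 200 120 "-" "Firefox/106"
10.0.0.7 - - [05/Nov/2022:19:13:00 +0000] "GET /svc.cfc;jsessionid=ABC123?wsdl HTTP/1.1" 200 900 "-" "WinHttp"
"""

# client IP, request target and user agent from one combined-format line
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"'
)
# session identifiers as query parameters or as a ;jsessionid= path parameter
TOKEN = re.compile(r'(?i)\b(cfid|cftoken|jsessionid)=([^&;?#\s]+)')


def session_key(target):
    """Return the session identifiers found in a request target, or None."""
    found = {name.lower(): value for name, value in TOKEN.findall(target)}
    return tuple(sorted(found.items())) if found else None


def shared_url_sessions(log_text):
    """Return URL-borne session ids that were sent by more than one client."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # not a combined-format line
        ip, target, agent = match.groups()
        key = session_key(target)
        if key:
            clients[key].add((ip, agent))
    return {key: sorted(seen) for key, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for key, seen in shared_url_sessions(SAMPLE_LOG).items():
        print(dict(key), "used by", seen)
```
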