What Is Considered Best Practice for User Tracking with ColdFusion

We have an e-commerce site and have traditionally tracked users from day to day using persistent cookies. We want to make sure we are using the most stable method possible, especially during a given user session, and we want to make sure it is secure (i.e. PCI compliant). We know we should not use sequential numbering systems for the cookies and we figure on encrypting anything we store as a cookie.

It is getting somewhat more difficult to track users, even during a session, because some of the Internet Security software suites seems to get in the way for a few users. We have users on Macs and PC's and on a wide range of operating system and browser versions.

But I think there are probably standards in the ColdFusion community about this, and we should probably re-think our methods. So what is the preferred methodology for tracking users?

We have CF9 running on Windows servers. Thanks.
Who is Participating?
Are you referring to this as your proposal?

> My simplest thought is to hash the cookie and store the hashed version in the db (in a new column) and as the user cookie.

There's two parts of this.  Which type of variable (cookie or session) and what is the value.

We agree that the value should be some hashed or encrypted value that you save in a new column of the database table.   That's good.

Now, cookie or session?  

A) If the cookie is a session cookie (no expiration date defined) then it will disappear when the browser is closed.  Otherwise it will persist indefinitely.   There is no inactivity time-out.  

B) If the cookie has a defined expiration date or "Never" the cookie will last until that expiration period even if the browser is closed.  Again, no time-out for inactivity.

C) Session variable (using jsession) will time-out with inactivity and disappear when the browser is closed.

Seems to me that you would want C, a session that times out and disappears when the browser is closed.

But choose the one that works for you based on the behaviors I've mentioned.

Bhavesh ShahLead AnalysistCommented:

I would suggest go with client variables.
This will store in your database.
And also easy to track the user information.



Whether you use session variables or client variables, your coldfusion session will still drop cookies to maintain that session.   Client variables are more like cookies, they are meant to last between sessions, which doesn't make them a great choice for tracking a user's active session.   Session variables time-out on inactivity.  Both persist until they time-out when the browser is closed.

So, one stronger method would be to use session variable in conjection with a session cookie.  The session cookie will die when the browser is closed and the session variable will timeout on inactivity after x minutes.

You don't really need to encrypt the identifier as long as it's long and not easily guessed..   Then just record it in the user's database table.  The session cookie could be a salted hash of the identifier along with a secret phrase.  If the session identifier is "stolen" they still can't access the system without the hashed cookie.

Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

dwerdenAuthor Commented:
Interesting to get two different approaches. One factor I should have mentioned is that we are using clustered servers. If I understand the article linked above, that would be problematic with session variable, correct?

Also, I see the comment that client variables are good for tracking from session to session but not as good during a session. From what I read, it does sound like client variables can track a lot of activity. But primarily we need to just track the user's ID#, however, we decide to tag that in our DB. Our site has pretty healthy activity, but so far our SQL Server is never working very hard. Does that mean that we would probably be OK with client variables in that sense?

If we use client variables, would we wish to set the client storage to cookies instead to save DB traffic? Or is that less preferred?

And if we use session variables, would we set them as J2EE? A couple articles I have seen have a preference for that type. Any drawbacks?

But overall, I'm not sure I understand if client/session variables are inherently better at tracking our users. Is either method "safer" in some way? Is either more dependent?

dwerdenAuthor Commented:
I'm bumping up the points because the issue seems to be getting more complex.

Perhaps you can elaborate on what you mean by "tracking" users.  I've taken this to mean simply knowing who they are and keeping them logged-in.  Is that the scope of your tracking?   Any actual tracking of their activities and such would be done in the database or using web analytics.

If that is true, all you need is a single value that you can rely on; one that will expire when you want it to (time-out) and end when the browser is closed.   This is either a simple session-cookie or a session variable (J2EE allows memory replication between clusters).

Client variables are not the best choice for this because they persist between sessions, involve unnecessary database objects and overhead and already require some some type of session management to keep track of (so it's redundant).   Every new visitor creates a record in the datbase (even search engine spiders and visitors who bounce off your site).   Why not just create a tiny session variable or cookie?   Please note that the article from Brichsoft's post is dated 2001 and talks about Coldfusion 4.5.   A lot has changed in a decade.

dwerdenAuthor Commented:

Sorry if that was vague. Let me try a different direction.

We currently track using a cookie that is persistent. We set a normal cookie with no expiration date. For most users it does what we want. However, we lose the cookie for some folks, and I'm suspicious that some kind of security software is getting in the way. That cookie might disappear in the middle of a user's shopping session, even through we do not have a timeout set.

And there is also the fact that the cookies are sequential numbers. No credit card data is associated with the cookie or the user's profile, but we wish to change from sequential to something else.

My simplest thought is to hash the cookie and store the hashed version in the db (in a new column) and as the user cookie. That would fix the sequential issue, but would make trouble-shooting more difficult. And it may not solve the mystery of the disappearing cookies.

I am wondering if there is a best-practice ColdFusion way of doing this. Do sessions still create the CFID and CFTOKEN cookies? And if so, could this create a way for causing mischief, such as manually changing the CFID to one number higher and see what you see? We want to avoid that possibility.

Ideally we would like to mimic the stability of sites like Amazon, where they never seem to lose track of the user. Users who reported that they lose their shopping session in mid stream say they do not have the same trouble on any other site.

Does that suggest a solution?

If your cookie is to keep track of a user that includes a shopping experience, why don't you allow your cookie to expire?   The next person to sit at that computer will see the previous person's shopping cart?

It's odd that a cookie would disappear in the middle of a user's visit.  If their software is blocking it, then it would block if from the start.   Do you change subdomains in your site?  Or perhaps go from www.mydomain.com to mydomain.com (without the www)?   Do you have lose a session variable?  

There are really two ways to maintain a session ID, in the URL or in a cookie.  If a person has blocked cookies, they are having trouble at 90% of the sites they visit.  Just show them a message that they need to enable cookies.    

Getting a unique value for the session ID is not hard, as you say, you can hash some record identifier along with a secret password.   Then look it up in the database.    Not sure why that would make trouble shooting more difficult, just display the value to the screen if you need it.  

Sessions still use CFID/CFTOKEN unless they are the Jsession ones which use only one variable, but in the same way as the other two.  They values are not sequencial and cannot be easily guessed.  Coldfusion has been around for many years and this is not a security problem.

Create a session variable (using jsession) with the hash or encryption method

dwerdenAuthor Commented:

Just to clarify, when you say, "Create a session variable (using jsession) with the hash or encryption method" do you mean to do what I proposed above, or are you suggesting something different?

dwerdenAuthor Commented:
Thanks for the clarification! I think I have a good perspective now, which is what I was seeking.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.