
What Is Considered Best Practice for User Tracking with ColdFusion

Posted on 2010-09-15
Medium Priority
Last Modified: 2012-05-10
We have an e-commerce site and have traditionally tracked users from day to day using persistent cookies. We want to make sure we are using the most stable method possible, especially during a given user session, and we want to make sure it is secure (i.e. PCI compliant). We know we should not use sequential numbering systems for the cookies and we figure on encrypting anything we store as a cookie.

It is getting somewhat more difficult to track users, even during a session, because some of the Internet security software suites seem to get in the way for a few users. We have users on Macs and PCs and on a wide range of operating system and browser versions.

But I think there are probably standards in the ColdFusion community about this, and we should probably re-think our methods. So what is the preferred methodology for tracking users?

We have CF9 running on Windows servers. Thanks.
Question by:dwerden
LVL 19

Expert Comment

by:Bhavesh Shah
ID: 33683225

I would suggest going with client variables.
These will be stored in your database.
And it is also easy to track the user information.


LVL 39

Expert Comment

ID: 33683605

Whether you use session variables or client variables, your ColdFusion session will still drop cookies to maintain that session. Client variables are more like cookies; they are meant to last between sessions, which doesn't make them a great choice for tracking a user's active session. Session variables time out on inactivity. Both persist until they time out when the browser is closed.

So, one stronger method would be to use a session variable in conjunction with a session cookie. The session cookie will die when the browser is closed and the session variable will time out on inactivity after x minutes.

You don't really need to encrypt the identifier as long as it's long and not easily guessed. Then just record it in the user's database table. The session cookie could be a salted hash of the identifier along with a secret phrase. If the session identifier is "stolen" they still can't access the system without the hashed cookie.


Author Comment

ID: 33684373
Interesting to get two different approaches. One factor I should have mentioned is that we are using clustered servers. If I understand the article linked above, that would be problematic with session variables, correct?

Also, I see the comment that client variables are good for tracking from session to session but not as good during a session. From what I read, it does sound like client variables can track a lot of activity. But primarily we just need to track the user's ID#, however we decide to tag that in our DB. Our site has pretty healthy activity, but so far our SQL Server is never working very hard. Does that mean that we would probably be OK with client variables in that sense?

If we use client variables, would we wish to set the client storage to cookies instead to save DB traffic? Or is that less preferred?

And if we use session variables, would we set them as J2EE? A couple of articles I have seen have a preference for that type. Any drawbacks?

But overall, I'm not sure I understand if client/session variables are inherently better at tracking our users. Is either method "safer" in some way? Is either more dependable?


Author Comment

ID: 33716514
I'm bumping up the points because the issue seems to be getting more complex.
LVL 39

Expert Comment

ID: 33716836

Perhaps you can elaborate on what you mean by "tracking" users. I've taken this to mean simply knowing who they are and keeping them logged in. Is that the scope of your tracking? Any actual tracking of their activities and such would be done in the database or using web analytics.

If that is true, all you need is a single value that you can rely on; one that will expire when you want it to (time-out) and end when the browser is closed. This is either a simple session cookie or a session variable (J2EE allows memory replication between clusters).

Client variables are not the best choice for this because they persist between sessions, involve unnecessary database objects and overhead, and already require some type of session management to keep track of (so it's redundant). Every new visitor creates a record in the database (even search engine spiders and visitors who bounce off your site). Why not just create a tiny session variable or cookie? Please note that the article from Brichsoft's post is dated 2001 and talks about ColdFusion 4.5. A lot has changed in a decade.


Author Comment

ID: 33716935

Sorry if that was vague. Let me try a different direction.

We currently track using a cookie that is persistent. We set a normal cookie with no expiration date. For most users it does what we want. However, we lose the cookie for some folks, and I'm suspicious that some kind of security software is getting in the way. That cookie might disappear in the middle of a user's shopping session, even though we do not have a timeout set.

And there is also the fact that the cookies are sequential numbers. No credit card data is associated with the cookie or the user's profile, but we wish to change from sequential to something else.

My simplest thought is to hash the cookie and store the hashed version in the db (in a new column) and as the user cookie. That would fix the sequential issue, but would make troubleshooting more difficult. And it may not solve the mystery of the disappearing cookies.

I am wondering if there is a best-practice ColdFusion way of doing this. Do sessions still create the CFID and CFTOKEN cookies? And if so, could this create a way for causing mischief, such as manually changing the CFID to one number higher and see what you see? We want to avoid that possibility.

Ideally we would like to mimic the stability of sites like Amazon, where they never seem to lose track of the user. Users who reported that they lose their shopping session in mid stream say they do not have the same trouble on any other site.

Does that suggest a solution?
LVL 39

Expert Comment

ID: 33717133

If your cookie is to keep track of a user that includes a shopping experience, why don't you allow your cookie to expire?   The next person to sit at that computer will see the previous person's shopping cart?

It's odd that a cookie would disappear in the middle of a user's visit. If their software is blocking it, then it would block it from the start. Do you change subdomains in your site? Or perhaps go from www.mydomain.com to mydomain.com (without the www)? Do you lose a session variable?

There are really two ways to maintain a session ID, in the URL or in a cookie. If a person has blocked cookies, they are having trouble at 90% of the sites they visit. Just show them a message that they need to enable cookies.

Getting a unique value for the session ID is not hard; as you say, you can hash some record identifier along with a secret password. Then look it up in the database. Not sure why that would make troubleshooting more difficult, just display the value to the screen if you need it.

Sessions still use CFID/CFTOKEN unless they are the JSESSION ones, which use only one variable, but in the same way as the other two. The values are not sequential and cannot be easily guessed. ColdFusion has been around for many years and this is not a security problem.

Create a session variable (using jsession) with the hash or encryption method


Author Comment

ID: 33717177

Just to clarify, when you say, "Create a session variable (using jsession) with the hash or encryption method" do you mean to do what I proposed above, or are you suggesting something different?

LVL 39

Accepted Solution

gdemaria earned 2000 total points
ID: 33717293
Are you referring to this as your proposal?

> My simplest thought is to hash the cookie and store the hashed version in the db (in a new column) and as the user cookie.

There are two parts to this. Which type of variable (cookie or session) and what is the value.

We agree that the value should be some hashed or encrypted value that you save in a new column of the database table.   That's good.

Now, cookie or session?  

A) If the cookie is a session cookie (no expiration date defined) then it will disappear when the browser is closed.  Otherwise it will persist indefinitely.   There is no inactivity time-out.  

B) If the cookie has a defined expiration date or "Never" the cookie will last until that expiration period even if the browser is closed.  Again, no time-out for inactivity.

C) Session variable (using jsession) will time-out with inactivity and disappear when the browser is closed.

Seems to me that you would want C, a session that times out and disappears when the browser is closed.

But choose the one that works for you based on the behaviors I've mentioned.
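To make the thread's recommendation concrete (a J2EE session plus a browser-session cookie carrying a salted hash of the user's record id and a secret phrase, as described in the earlier comment and in option C above), here is an added CF9-style sketch. It is not code from this thread; the application name, datasource, `users` table and `session_token` column, file names and the secret value are all assumptions.

```cfml
<!--- Application.cfc (assumed file and app name). J2EE session variables are switched on server-wide
      in the CF9 Administrator; with them on, session.sessionId is the JSESSIONID value. --->
<cfcomponent output="false">
  <cfset this.name = "shop">
  <cfset this.sessionManagement = true>
  <cfset this.clientManagement = false>                      <!--- no client variables, no DB row per visitor --->
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>  <!--- inactivity time-out: 30 minutes --->
  <cfset this.setClientCookies = false>                      <!--- no CFID/CFTOKEN cookies; JSESSIONID only --->

  <cffunction name="onApplicationStart" returntype="boolean" output="false">
    <!--- placeholder secret: in real use load it from protected configuration, not from source --->
    <cfset application.cookieSecret = "CHANGE-ME-long-random-secret">
    <cfreturn true>
  </cffunction>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <!--- on every request a logged-in session must be accompanied by its matching hashed cookie --->
    <cfif structKeyExists(session, "userId")>
      <cfset local.expected = hash(application.cookieSecret & ":" & session.userId & ":" & session.sessionId, "SHA-256")>
      <cfif not structKeyExists(cookie, "usertoken") or compare(cookie.usertoken, local.expected) neq 0>
        <cfset structClear(session)>                         <!--- session id without its cookie: treat as logged out --->
      </cfif>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>

<!--- login.cfm (assumed), reached only after the password check has yielded the user's record id --->
<cfset session.userId = verifiedUser.id>   <!--- assumed: id column of the users table --->
<cfset token = hash(application.cookieSecret & ":" & session.userId & ":" & session.sessionId, "SHA-256")>
<cfquery datasource="shop">
  UPDATE users
     SET session_token = <cfqueryparam value="#token#" cfsqltype="cf_sql_varchar">
   WHERE id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>
<!--- no expires attribute, so this is a browser-session cookie (option A/C above); httponly keeps page
      scripts away from it and secure keeps it off plain HTTP --->
<cfcookie name="usertoken" value="#token#" httponly="true" secure="true">
```

Because the hash includes the current JSESSIONID, a copied cookie is useless with any other session, and the session id alone is useless without the cookie; the stored `session_token` column is only for looking the user up and troubleshooting.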


Author Closing Comment

ID: 33717387
Thanks for the clarification! I think I have a good perspective now, which is what I was seeking.

Question has a verified solution.