ColdFusion Session Best Practices


Handling Bots and Spiders

The problem with bots and ColdFusion sessions is this: most bots do not return cookies, so ColdFusion creates a brand-new session for every page they crawl. A large crawl can leave hundreds or thousands of lingering sessions that will never be used again. This behavior is what I usually refer to as a "session leak". Because every one of those sessions is held in the Java heap until it times out, a session leak frequently shows up as a pseudo memory leak in heap space, and the larger your per-session footprint, the worse it gets. See the "Session Size" section below for more info.

To mitigate the session leak problem with bots, we strongly recommend that you give bots very short session timeouts. Ideally, a bot's session should live only for the lifetime of the single request it makes. This can be accomplished by inspecting the user agent or by checking whether the request carries a ColdFusion session cookie. Two caveats apply to the cookie approach: a real visitor's very first request also arrives without a cookie, so it gets the short timeout too (anything written to the session on that first request will be gone by the second; subsequent requests carry the cookie and get the normal timeout), and the cookie is client-controlled, so treat this as a resource-management measure rather than a security boundary. You should consult with an experienced ColdFusion developer to understand the right implementation for your application. Below is an example implementation for your reference.

If using Application.cfm
Place this code at the top of your Application.cfm file:

<!--- A request that returns a session cookie belongs to a client that keeps sessions,
      so give it the normal timeout. Most bots never return cookies, so they fall
      through to the 2-second timeout and their session dies with the request. --->
<cfif StructKeyExists(cookie, "cfid") or StructKeyExists(cookie, "jsessionid")>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0, 0, 30, 0) />
<cfelse>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0, 0, 0, 2) />
</cfif>

Then use the REQUEST.sessionTimeout variable to specify the session timeout period in your cfapplication tag:

<cfapplication name="myawesomeapp"
     sessionmanagement="Yes"
     sessiontimeout="#REQUEST.sessionTimeout#">

If using Application.cfc (tag-based)
If you primarily use CFML tags in your Application.cfc, you can set the session timeout like this. The code must sit in the pseudo-constructor (the body of the component, outside any function), because this.sessiontimeout is read when the application settings are established for the request:

<!--- Same check as the Application.cfm version: a returned session cookie means a
      cookie-keeping client and the normal timeout; no cookie means a probable bot
      and a 2-second timeout. --->
<cfif StructKeyExists(cookie, "cfid") or StructKeyExists(cookie, "jsessionid")>
    <cfset this.sessiontimeout = CreateTimeSpan(0, 0, 30, 0) />
<cfelse>
    <cfset this.sessiontimeout = CreateTimeSpan(0, 0, 0, 2) />
</cfif>
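If using Application.cfc (script-based)
The following is an added example, not code from the original article, showing the same idea as a script-based Application.cfc that combines both signals mentioned above: it applies the short timeout when the request carries no session cookie, and also when the user agent matches a constructed list of crawler keywords, so that a bot which does happen to return cookies still does not get a 30-minute session. The application name, the user-agent pattern, and the timeout values are assumptions for this example; tune them to your own application.

```cfml
component {

    this.name = "myawesomeapp";              // assumed application name
    this.sessionManagement = true;
    this.setClientCookies = true;
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);

    // Constructed list of user-agent fragments commonly seen in crawler UAs.
    // This is an assumption for the example, not an authoritative bot list.
    variables.botUserAgentPattern = "(bot|crawl|spider|slurp|archiver|fetch)";

    // Signal 1: does the client return a ColdFusion (or J2EE) session cookie?
    variables.hasSessionCookie = structKeyExists(cookie, "cfid")
                                 || structKeyExists(cookie, "jsessionid");

    // Signal 2: does the user agent look like a crawler? cgi.http_user_agent
    // is an empty string when the header is absent, so reFindNoCase returns 0.
    variables.looksLikeBot = reFindNoCase(variables.botUserAgentPattern,
                                          cgi.http_user_agent) > 0;

    // Only a cookie-keeping client that does not identify as a crawler gets the
    // normal timeout. Everything else gets a session that expires 2 seconds
    // after the request, so a crawl leaves no lingering sessions in the heap.
    if (variables.hasSessionCookie && !variables.looksLikeBot) {
        this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    } else {
        this.sessionTimeout = createTimeSpan(0, 0, 0, 2);
    }

    public boolean function onRequestStart(required string targetPage) {
        // Nothing session-specific is needed here; the timeout was already
        // chosen in the pseudo-constructor above.
        return true;
    }

}
```

Because the decision is made in the pseudo-constructor, it runs on every request before any session is created. As with the tag-based versions, a real visitor's first request also lands in the short-timeout branch, so defer any session writes that must survive (for example, the result of a login) to a request that already carries the cookie; a login form POST normally does, since the GET that rendered the form set it. The user-agent string is just as client-controlled as the cookie, so a crawler that spoofs a browser UA and returns cookies will still get a normal session; the check reduces session churn from well-behaved bots, it does not authenticate anyone.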

Session Size

An average session size is about 14KB, and we recommend that a reasonable upper limit should be around 100KB. However, if you design and plan your application and memory requirements carefully, then you may find that you can safely use a much larger session. If you do use larger sessions in your application, then it becomes increasingly critical to ensure you’re handing out sessions responsibly. See the above section on spiders and bots for reference.