Setting Session variables on a CFML template that uses thecflocation tag may prevent session variables from being set. This article describes several causes for this behavior and several workarounds for the problem.
Developers who use session variables may find that some customers on their web site experience "lost sessions." When this occurs, the page generates an error message similar to the following:
An error occurred while evaluating the expression: #session.var1# Error resolving parameter SESSION.VAR1 The session variable VAR1 does not exist.
This error can be caused by one of the following:
- Your session variables are not properly locked with thecflock tag.
For more information on locking, refer to ColdFusion Locking Best Practices.
- You are setting session variables on the same CFML template where you are using the cflocation tag.
Note: In this instance, some customers can browse your web site with no error message, while other customers experience the error message (as shown above). The key difference between those who receive these errors and those who do not depends on whether the user has visited another page in your web site where a CFID or CFToken cookie was assigned to him/her.
The scenarios below illustrate the error.
A new user visits your web site and requests her first page, Firstpage.cfm. Firstpage.cfm sets a session variable and then uses the cflocation tag, as follows:
<cflock TYPE="EXCLUSIVE" SCOPE="SESSION"><cfset session.var1 = "Bob"></cflock><CFLOCATION URL="http://mysite.com/secondpage.cfm" ADDTOKEN="No">
The error occurs because the CFID/CFToken cookies are not passed to the browser. Instead, the cflocation tag redirects the request to a new page (for this example, it redirects to a page called secondpage.cfm).
Important note: Cookies are not passed between server side redirections--in this case by using the cflocation tag. Cookies are passed either from the browser to the webserver to the ColdFusion Server, or when they are first set, from the ColdFusion Server to the webserver to the browser.
Before secondpage.cfm processes, however, Application.cfm processes again. Since the CFID/CFToken cookies never made it to the browser, they are not part of the request for secondpage.cfm.
Therefore, when the cfapplication tag is processed (for the second time), it assigns a new CFID/CFToken to the request. This new CFID/CFToken is not associated with the initial session variable set in Firstpage.cfm.
Therefore, if secondpage.cfm tries to read the session variable, it will be undefined and throw an error message. Also note that if secondpage.cfm returns an "undefined session variable" error to the user, the error message will not include the CFID/CFToken cookies with that error. ColdFusion does not return cookies when an error is generated.
In this scenario, your customers intermittently experience the "undefined session variable" error message. In some cases, a returning user who has already been assigned a CFID/CFToken cookie from another CFML template in your application does not experience the error message. This is described in the following scenario.
Since the request includes CFID/CFToken cookies already received from another template in your web site, the request passes the existing CFID/CFToken cookies. ColdFusion recognizes the CFID/CFToken cookies, and therefore the cfapplication tag does not assign a new CFID/CFToken.
Before secondpage.cfm processes, Application.cfm processes again.
When the cfapplication tag processes (for the second time), it recognizes the existing CFID/CFToken cookies passed with the request.
Therefore, the cfapplication tag does not assign a new CFID/CFToken. If secondpage.cfm tries to read the session variable, it can read the session variable without error because the same CFID/CFToken is in effect during this read; the same as the initial session variable that was set.
Set AddToken="yes" in the cflocation tag.
Setting AddToken="Yes" will append the CFID and CFToken values to the URL of the redirected request. ColdFusion will recognize these CFID and CFToken URL parameters and will not assign new CFID and CFToken values. The session variables are available to the second template.
Before using this solution, you should be aware that passing CFID and CFToken as URL parameters can be a security risk. For more information please see Security Best Practice: URL Session Variables and HTTP_REFERER.
Instead of using server-side redirection with thecflocation tag, consider using one of several methods for client-side redirection.
Client-side redirection allows the CFID and CFToken cookies assigned with the first request to be passed on to the browser. After the browser has received the results of the first request, it is instructed to request a second page from the server. The CFID and CFToken cookies it received from the first request will be passed along with the second request.
Some examples of client-side redirection are as follows:
- Use the HTML meta tag, as follows:
<meta http-equiv="Refresh" content="0;url=http://mysite.com/secondpage.cfm">
- Use two cfheader tags, as follows:
<CFHEADER STATUSCODE="302" STATUSTEXT="Object Temporarily Moved"><CFHEADER NAME="location" VALUE="http://mySite.com/secondpage.cfm">
- Use the HTML meta tag, as follows:
Consider using a third-party alternative tocflocation written to workaround this problem.
ColdFusion custom tags typically use some method of client-side redirection and add additional functionality. Some of these alternatives are available at the Macromedia ColdFusion Exchange.
Note that third-party custom tags are not supported by Macromedia ColdFusion support.