How NOT to Code - Example 3

Jan 12, 2010

Example 3 is a ColdFusion code issue


<cfapplication name="badcodeexamples"
         sessionmanagement="true"
         clientmanagement="true"
         scriptprotect="true"
         applicationtimeout="20"
         sessiontimeout="2"/>

Comments

John Sieber wrote on 01/13/10 1:16 AM

The proper values for client and session management are "yes" or "no" instead of true or false. For script protect the values are either all, none or a comma delimited list of the scopes to be protected against cross site scripting. For the application and session timeout values they are to be defined by day, hour, minute, seconds separated by commas. I'm not sure if the values above would set the application scope to expire after 20 days or 20 seconds. Same with the session scope.
John Mason wrote on 01/14/10 5:27 PM

The key points I wanted to make with this one are:

- scriptprotect = true, does nothing and actually doesn't error out either which is bad. It should be set to 'all' in most cases. The feature itself isn't great and I encourage people just to incorporate portcullis.riaforge.org into their projects.

- the scope timeouts should be set with the createtimespan() function.

- but the biggest item is the client scope management being turned on. In most cases, I see that turned on and yet the code isn't using the client scope. Or they use the client scope when the session scope could easily handle the job. What makes this even worse is that the default repository of the client scope information is the server's registry. Sometimes people change that much but then also leave global client variable updates enabled (click on your repository under client variables in the cf admin for this option). This can very easily take a server down with completely superfluous db chatter. I've never been a fan of the client variable scope, and hopefully this will make people think carefully before randomly turning it on.
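The three points above applied to the tag from the post, as an added example rather than the post's own code; the timeout values (2 days for the application scope, 20 minutes for sessions) are assumed, since the original "20" and "2" never say which unit was intended.

```cfml
<!--- Corrected version of the cfapplication tag from the example.
      Changes against the original:
        clientmanagement   "true" -> "no"   nothing here uses the client scope, so the
                                            registry/db repository never gets written
        scriptprotect      "true" -> "all"  "true" is not a recognised value and is
                                            silently ignored; "all" covers every scope
        applicationtimeout "20"   -> createTimeSpan(days, hours, minutes, seconds)
        sessiontimeout     "2"    -> createTimeSpan(days, hours, minutes, seconds)
      Assumed timeouts: 2 days for the application, 20 minutes for a session. --->
<cfapplication name="badcodeexamples"
         sessionmanagement="yes"
         clientmanagement="no"
         scriptprotect="all"
         applicationtimeout="#createTimeSpan(2, 0, 0, 0)#"
         sessiontimeout="#createTimeSpan(0, 0, 20, 0)#"/>
```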
Ben Nadel wrote on 01/14/10 8:13 PM

If I've learned one thing from Michael Dinowitz over the last 10 years, it's that CLIENT variables are the devil :)
