[midasxl]

I have adopted a coldfusion application over the weekend and I was looking at the following OnSessionstart function in the application.cfc file. I am seeing a handful of things I am not familiar with and was hoping someone could help me to understand them.

Here is the full function:

<cffunction
name="OnSessionstart"
access="public"
returntype="void"
output="false"
hint="Fires when the session is first created.">
       
<!--- Expire the old Cookie (in case JSESSION set to session type )--->
<cfcookie name="jsessionid" expires="now"/>
        
<!--- Get the HTTP Response Object --->
<cfset response = getPageContext().getResponse()/>
        
<!--- Set the specifics for the cookie --->
<cfset path = application.siteDir/>
<cfset domain = cgi.server_name/>
<cfset secure = "Secure"/> <!--- Use val of "Secure" or leave blank --->
<cfset HTTPOnly = "HTTPOnly"/> <!--- Use val of "HTTPOnly" or leave blank --->
        
<!---<cfscript>
header = "jsessionid" & "=" & session.sessionid & ";domain=." & domain & ";path=" & path & ";" & secure & ";" & HTTPOnly;
response.addHeader("Set-Cookie", header);
</cfscript>--->

	<cfif NOT IsDefined("Cookie.CFID")>
            <cflock scope="session" type="readonly" timeout="5">
                <cfcookie name="CFID" value="#session.CFID#"/>
                <cfcookie name="CFTOKEN" value="#session.CFTOKEN#"/>
                <cfset session.SessionstartTime = Now()/>
            </cflock>
        </cfif>
            
<cfreturn/>
</cffunction>

I have verified the app server is set to use Coldfusion session management, not J2EE session variables, so I'm not sure why all of this is in here. The application is running as intended with no problems, but I'm not convinced this code is actually being used and if so, why? After setting all the variables the script portion is commented out, and then it manually creates CFID and CFTOKEN cookies. I thought ColdFusion automatically sets those anyways? sessionManagement is set to true.

Thanks for any insight!

[Craig328]

I have to say, I've never seen anything quite like that.

My first impulse was to suggest this was old code but then I remembered that the onSessionstart method isn't all that old itself (in terms of CF history) so that wasn't it.

Aside from line 9, I don't think anything is happening in there, period. I'd bet that if you threw in a javascript alert inside the cfif after line 25 (to show you that that block fired) that you'd likely never see it. I don't make much use of onSessionstart personally but I wouldn't be surprised to find that the CFID and CFTOKEN cookies are formed before the method fires. Now, it seems like if someone went to the trouble to do all that that they did it for a reason...so maybe sometime, elsewhere and elsewhen, this was necessary. However, as you said that the cfscript is commented out...and the cfif block immediately following it is pretty much a redundancy, it seems like you could comment out everything from lines 11 through 23 inclusive and probably never notice it. I mean, it's not going to appreciably impact performance or the user experience unless the function call on line 12 takes too long (and it shouldn't) but I like my code to be clean and if I'm not using a commented portion of code, I delete it after a time.