A really interesting thread on CFGURU today discussed how to minimize the impact of clients that don’t accept cookies and so rapidly create “phantom” sessions that eat up memory. Because such a client never returns a cookie, each request looks like a brand-new client, and ColdFusion generates a new session along with any objects you create in onSessionStart() in Application.cfc. Bots from most search engines behave exactly like this, and while most of them throttle their request rate, many will canvass your site quickly, generating hundreds of empty sessions. If your session timeout is not very short, this can lead to out-of-memory errors.
There have been some discussions about this previously on Ben Nadel’s blog as well as Mark Kruger’s. Ben’s solution is reported to be effective, but it is a moving target in that it tests the User-Agent. Cameron Childress, however, suggested testing for the existence of cookies as a check for, well, a client that accepts cookies. If sessions are enabled in an application, ColdFusion automatically sets CFID and CFTOKEN on every page request, which seems to be the perfect test! Johan Steenkamp put it to the test and reported back with a working code snippet (which I’ve slightly modified to make it simpler here):
<!--- This goes in Application.cfc in the pseudo-constructor, outside of any function declaration.
      It assumes this.sessionManagement = true is set above it. --->
<cfif structKeyExists(cookie, "CFID")>
    <!--- the client returned the session cookie: give it a real, 5-minute session --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 5, 0) />
<cfelse>
    <!--- no cookie came back (bots and other cookieless agents): a 5-second session that expires quickly --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 0, 5) />
</cfif>
Brilliant – good on you mate! Now the bots get a very short 5-second session that quickly times out and returns its memory to ColdFusion, while real users get a 5-minute session. Two things worth keeping in mind: a real browser’s very first request also arrives without the cookie, so that first hit is treated like a bot and only the requests after it (once CFID/CFTOKEN come back) earn the long timeout, so don’t rely on anything stored in the session during that first request; and the check only proves that the client returns cookies, not that it is a person, so a crawler that keeps cookies still gets the full timeout. This is a mitigation for cookieless clients, not a bot filter. Obviously you can set those values, particularly the real-user version, to whatever is appropriate for your application. Personally I use 1 hour for my session timeouts to afford a good user experience and avoid the “oops, you were logged out…” disappointment.
I can’t take any credit for the solution – I just thought this was a very clever mod to make your public ColdFusion app more resistant to dodgy clients. I use J2EE sessions, so I modified it to check for jsessionid instead, but otherwise it seems to be working properly in my testing with and without cookies enabled.