Comments on: Minimizing memory damage from bot-created sessions in ColdFusion http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion Thu, 01 Jun 2017 18:51:00 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: SitePoint Blogs » The Week in ColdFusion: 26 March-1st April: No fooling here http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/comment-page-1#comment-45765 SitePoint Blogs » The Week in ColdFusion: 26 March-1st April: No fooling here Thu, 03 Apr 2008 14:18:59 +0000 http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/#comment-45765 [...] Brian Ghidinelli shares a technique to minimize memory usage by bots in applications using session management [...] [...] Brian Ghidinelli shares a technique to minimize memory usage by bots in applications using session management [...]

]]> By: brian http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/comment-page-1#comment-45572 brian Fri, 28 Mar 2008 01:29:16 +0000 http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/#comment-45572 @Geoff, good question. It will treat the second request from a legitimate client as a new session, but in my opinion that is OK. Since 99% of the time the user needs to enter a username or password or something, it doesn't matter much that the session is reset after the first page view. Another option would be to set the "short" session to something like 2 minutes; a reasonable enough time frame for a legitimate user to click again and maintain their initial request but short enough to let ColdFusion clear out the related memory variables. Charlie Arehart has some related content on his site about client variables and bots as well that's worth checking out too. In writing this response, I can think of two places in my app where the ultra short timeout might be a problem: URL variables can trigger a non-default theme which is stored in the session and when users forget their passwords, we send them a temporary reset token via email. That token logs them in automatically so losing their session could be a problem. Although in the latter case at least, we redirect them to the password page after authentication so I think they would get both requests in in quick succession. I will probably revisit my setting to be a little more lenient. Since my real sessions last for as long as an hour, this will still provide lots of protection against spiraling memory use. Great comment! @Geoff, good question. It will treat the second request from a legitimate client as a new session, but in my opinion that is OK. Since 99% of the time the user needs to enter a username or password or something, it doesn’t matter much that the session is reset after the first page view. Another option would be to set the “short” session to something like 2 minutes; a reasonable enough time frame for a legitimate user to click again and maintain their initial request but short enough to let ColdFusion clear out the related memory variables. Charlie Arehart has some related content on his site about client variables and bots as well that’s worth checking out too.

In writing this response, I can think of two places in my app where the ultra short timeout might be a problem: URL variables can trigger a non-default theme which is stored in the session and when users forget their passwords, we send them a temporary reset token via email. That token logs them in automatically so losing their session could be a problem. Although in the latter case at least, we redirect them to the password page after authentication so I think they would get both requests in in quick succession.

I will probably revisit my setting to be a little more lenient. Since my real sessions last for as long as an hour, this will still provide lots of protection against spiraling memory use.

Great comment!

]]> By: Geoff http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/comment-page-1#comment-45568 Geoff Thu, 27 Mar 2008 23:04:10 +0000 http://www.ghidinelli.com/2008/03/26/minimizing-memory-damage-from-bot-created-sessions-in-coldfusion/#comment-45568 I think this solution assumes a 'real' visitor will click another page within 5 seconds - otherwise how will you know the difference between a user's first visit and a spider? Along with the first page request, cookie information is sent to the browser - at this point, CF doesn't know you're not a real person, so gives you a 5 second session... Yes, your cookie still exists, but if you've not clicked a second page within 5 seconds, your initial session will have expired and CF will create a second 5-minute long session along with your next page view. I think this solution assumes a ‘real’ visitor will click another page within 5 seconds – otherwise how will you know the difference between a user’s first visit and a spider?

Along with the first page request, cookie information is sent to the browser – at this point, CF doesn’t know you’re not a real person, so gives you a 5 second session…

Yes, your cookie still exists, but if you’ve not clicked a second page within 5 seconds, your initial session will have expired and CF will create a second 5-minute long session along with your next page view.

]]>