Cookies are not unique to ColdFusion applications. Cookies have been around for a long time and were first introduced by Netscape for use in their Navigator web browser. Since then, not much has changed about cookies, but their integration into web browser software is all but universal.
Well, cookies are not the gremlins that they were made out to be. They are neat little variables that we can create and store on the client computer to help streamline the experience of our application's users. They are not dangerous. They can, however, if used improperly, expose guarded information to potential attack.
Cookies are variables that are stored on a client computer. They store values as strings. They are sent to the server with every page request. They can be read only by the domain that set them, and they are available to every requested page within that domain. You can, however, restrict a cookie to a particular path (a subset of pages) within that domain. Cookies exist on the client machine as simple text strings. For that reason, information such as passwords and credit card numbers should never be stored in a cookie.
Cookies can be set and read by ColdFusion. ColdFusion uses the CFCOOKIE tag to create cookies. The CFCOOKIE tag generally looks like this:
<cfcookie name="Email" value="firstname.lastname@example.org">
The only required attribute of the CFCOOKIE tag is the name attribute.
Let's work this into a bit of code that we mentioned earlier: the bug-tracking application login. I use a CFIF statement to test for the existence of a cookie on the client machine and, if present, prefill the email text input in the form:
<!---
  Template: Login.cfm
  Author: Neil Ross (email@example.com)
  Date: 03/01/2002
  Sample login page with cookie evaluation to pre-fill the user email address.
--->
<form name="loginform" action="authenticate.cfm" method="post">
  <table>
    <tr>
      <td colspan="2">Please provide your email address and password below.</td>
    </tr>
    <tr>
      <td>Email: </td>
      <td>
        <!--- Pre-fill from the cookie if it exists. The value comes from the client,
              so it is HTML-encoded before being placed inside the attribute. --->
        <input name="email" type="text" value="<cfif IsDefined('cookie.email')><cfoutput>#HTMLEditFormat(cookie.email)#</cfoutput></cfif>">
      </td>
    </tr>
    <tr>
      <td>Password: </td>
      <td><input name="password" type="password"></td>
    </tr>
    <tr>
      <td colspan="2"><input type="submit" value="Log In"></td>
    </tr>
  </table>
</form>

<!---
  Template: Authenticate.cfm
  Author: Neil Ross (firstname.lastname@example.org)
  Date: 03/01/2002
  Sample login authentication page which sets a cookie with a value of the user's email address.
--->
<cfif IsDefined("form.email") AND form.email IS NOT ""
      AND IsDefined("form.password") AND form.password IS NOT "">
  <!--- Bind the form values with CFQUERYPARAM instead of pasting them into the SQL string --->
  <cfquery name="AuthenticateUser" datasource="#request.dsn#">
    SELECT UserID
    FROM Users
    WHERE Email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
      AND Password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
  </cfquery>
  <cfif AuthenticateUser.RecordCount IS 1>
    <!--- Successful login: remember the email address for the next visit --->
    <cfcookie name="Email" value="#form.email#">
    Thanks for visiting, click <a href="http://index.cfm">here</a> to go to the home page.
  <cfelse>
    Your username or password is incorrect. Please click <a href="login.cfm">here</a> to try to log in again.
  </cfif>
</cfif>
We could also use the CFHEADER tag to send the user to the home page, issuing an HTTP redirect instead of displaying a link:
<cfset variables.redirectURL = "http://index.cfm">
<cfheader statuscode="302" statustext="Object Moved">
<cfheader name="location" value="#variables.redirectURL#">
Treat cookies just like any other variable when you evaluate them. Remember that cookies are stored on the client machine, not in your server memory; so when you access a cookie value, you do not need to use the CFLOCK tag.
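As an added example (not from the book or from Neil Ross's templates), the following template puts the points above together: it sets the cookie with an expiry, restricts it to one path and to HTTPS, validates the client-supplied value before using it, and shows how to delete it. The /bugtracker/ path, the email pattern and the form and URL field names are assumptions.

```cfml
<!---
  Template: CookieDemo.cfm (added example; not part of the original text)
  Assumes a form posted with an "email" field and an application served under /bugtracker/.
--->
<cfif IsDefined("form.email") AND form.email IS NOT "">
  <!--- expires is a number of days; path limits which requests carry the cookie;
        secure="yes" tells the browser to send it only over HTTPS --->
  <cfcookie name="Email"
            value="#form.email#"
            expires="30"
            path="/bugtracker/"
            secure="yes">
</cfif>

<!--- Reading it back: the cookie is plain text under the client's control,
      so check its shape before trusting it and encode it before output --->
<cfset variables.emailPattern = "^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$">
<cfif IsDefined("cookie.email") AND REFindNoCase(variables.emailPattern, cookie.email)>
  <cfoutput>Welcome back, #HTMLEditFormat(cookie.email)#.</cfoutput>
<cfelse>
  No valid email cookie was found.
</cfif>

<!--- Deleting the cookie: resend it with expires="now" and the same path it was set with;
      a different path makes the browser treat it as a separate cookie and keep the original --->
<cfif IsDefined("url.logout")>
  <cfcookie name="Email" value="" expires="now" path="/bugtracker/">
</cfif>
```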