cf_sessionSwap Documentation
Version: 0.3
Build Date: 5/9/2009
Created By: John Blayter
License: Apache License, Version 2
Donate: A shameless plug for my wishlist. It is just as good as buying me a pint for saving you all sorts of time!
Revision History
| 0.3 | It is all about the documentation |
| 0.2 | Complete refactor of the tag to try and make this as fast and secure as possible. |
| 0.1 | Initial concept created by John Blayter years ago based on Sarge Sargent's idea. This version used WDDX for the serialization and worked okay but was slow if you had large session scopes. |
Overview
cf_sessionSwap is a ColdFusion custom tag that persists session information into the database and rebuilds it when the user is directed
to another ColdFusion server or when their session is dropped because ColdFusion restarted. Technically speaking, if you had a bunch of load-balanced
servers running CF Professional, you would be able to use this tag to persist the session scope without paying for CF Enterprise.
How it works
This code does not rely on the usual CFID/CFTOKEN or JSESSIONID. A
UUID application variable is set in your application to identify it.
From there, 3 non-persistent cookies are dropped on the client's
browser. 2 of the cookies are UUIDs identifying them as a user, and
the third holds the value of the application UUID, recording the last
instance that they were on. As a user flops over to another instance
or server they will get new session tokens from CF and reload the rest
of the variables from the DB.
Following the request
- Your server starts up for the first time and you have no users yet.
- The first user comes in and the Application.cfc is hit for the first time. The necessary function is fired and hits the cf_sessionSwap tag.
  Inside the tag, the application.sessionSwap.uuid variable is set to a UUID to later identify this instance of your application. The tag also
  drops 2 non-persistent cookies to later identify the user: _SSID1 and _SSID2 are set with UUIDs for the values.
  The session scope at this point is serialized into Java byte code, then base64 encoded and placed in the request.sessionSwap.compare variable.
  Control is then given back to the Application.cfc and the rest of the files in your application are run.
- After your files are done being processed, the onRequestEnd in the Application.cfc is fired and the write action of the tag is called. The session
  scope is once again serialized into Java byte code and then base64 encoded. If the base64 string is different from the one held in
  request.sessionSwap.compare, the string is written to the database.
  The LastInstance cookie is dropped with the value of the application.sessionSwap.uuid.
- Your load balancer shoots the user to another server... Your CF Application service dies and restarts...
  Any reason that causes the user to lose their session even though they have not closed their browser.
- The user's next request sees that the application.sessionSwap.uuid is not the same as the cookie.LastInstance, and the base64 string
  is read out of the database, deserialized and set back into the session scope. As the user has a new CFID/CFTOKEN or JSESSIONID, these variables are
  not set to the values pulled from the database.
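
The request flow above, as an added CFML example that is not the tag's own source. The function names, the `store` struct standing in for the database table, and the plain structs standing in for the application, cookie and session scopes are all assumptions.

```cfml
<cfscript>
// Added illustration of the flow above; not cf_sessionSwap's own source.
// Assumptions: all function names; store stands in for the database table;
// app, cookies and sess stand in for the application, cookie and session scopes.
variables.skipKeys = "cfid,cftoken,jsessionid"; // CF-issued tokens are never restored

function ssEncode(required struct data) {
    var bos = createObject("java", "java.io.ByteArrayOutputStream").init();
    var oos = createObject("java", "java.io.ObjectOutputStream").init(bos);
    oos.writeObject(arguments.data);
    oos.close();
    return toBase64(bos.toByteArray());
}
function ssDecode(required string encoded) {
    var bis = createObject("java", "java.io.ByteArrayInputStream").init(toBinary(arguments.encoded));
    return createObject("java", "java.io.ObjectInputStream").init(bis).readObject();
}
// Request start: identify instance and user, restore after a move, return the compare string.
function ssStart(required struct app, required struct cookies, required struct sess, required struct store) {
    if (!structKeyExists(app, "uuid")) app.uuid = createUUID();
    if (!structKeyExists(cookies, "_SSID1")) cookies["_SSID1"] = createUUID();
    if (!structKeyExists(cookies, "_SSID2")) cookies["_SSID2"] = createUUID();
    var rowKey = cookies["_SSID1"] & "|" & cookies["_SSID2"];
    var moved = structKeyExists(cookies, "LastInstance") && cookies["LastInstance"] != app.uuid;
    if (moved && structKeyExists(store, rowKey)) {
        var saved = ssDecode(store[rowKey]);
        for (var k in saved) {
            if (!listFindNoCase(variables.skipKeys, k)) sess[k] = saved[k];
        }
    }
    return ssEncode(sess);
}
// Request end: write only when the encoded session changed, then record this instance.
function ssEnd(required struct app, required struct cookies, required struct sess, required struct store, required string previous) {
    var encoded = ssEncode(sess);
    var changed = compare(encoded, previous) != 0;
    if (changed) store[cookies["_SSID1"] & "|" & cookies["_SSID2"]] = encoded;
    cookies["LastInstance"] = app.uuid;
    return changed;
}

// Constructed walk-through: one browser, two instances sharing one store.
store = {}; cookies = {}; appA = {}; appB = {};
sessA = { cfid = "1001", cftoken = "aaa" };
previous = ssStart(appA, cookies, sessA, store);
sessA.cartItems = 3;                           // application code changes the session
ssEnd(appA, cookies, sessA, store, previous);  // encoded value differs, so the row is written
sessB = { cfid = "2002", cftoken = "bbb" };    // the user lands on instance B with new tokens
ssStart(appB, cookies, sessB, store);          // LastInstance differs from appB.uuid: restore runs
writeOutput("cartItems=" & sessB.cartItems & " cfid=" & sessB.cfid);
</cfscript>
```

Because the two `_SSID` cookies are the only key to the stored row, they act as the credential for that session, and `readObject` should only ever be given values the tag itself wrote to the table.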
Installation
- Run the session_swap_mssql.sql to create the table in your database
- Copy the sessionSwap.cfm into your custom tags directory
- Call the tag from your Application.cfc (see example calls in the Application.cfc included)
- Use the cleanOldSessions.cfm to purge old sessions from the database
Credits
To do...
Here is a list of various items I would still like to add to this tag set. I am not sure if or when they will be added. It is just a public list of ideas.
- Load test and publish results