10 of 14

Personally, I require cookies on all of my sites and then provide adequate security and cookie information to the users who are refusing or unable to accept cookies so they know why we require them. I prefer setting CFID and CFTOKEN as "session-only" cookies so that the session is destroyed when users close their browsers. Leaving out the EXPIRES attribute is what makes these cookies session-only:

<CFCOOKIE NAME="CFID" VALUE="#CFID#">
<CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#">

I then detect whether users are able/willing to accept cookies, and redirect them to an information page if they are not, using JavaScript:

<SCRIPT>
// Try to set a test cookie; if nothing can be read back, cookies are off.
document.cookie = 'CookiesEnabled=1';
if (document.cookie == '') {
    document.location.href = 'myCookieInfoPage.htm';
}
</SCRIPT>

You can choose any method you like to detect whether browser cookies are enabled. (First you'll need to decide for yourself whether or not cookies should be a function of your application, based upon your user demographics and other factors.)
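One alternative detection method, shown as an added example that is not code from the original article: it writes a uniquely valued probe cookie, looks for it by name so the result does not depend on what else is in document.cookie, and then removes it. The names probeCookies, makeFakeDocument and CookieProbe are hypothetical, and the fake document is a constructed stand-in so the check can run outside a browser.

```javascript
// Added example; probeCookies, makeFakeDocument and CookieProbe are hypothetical names.

// Returns true only if a uniquely valued probe cookie can be written and read back.
function probeCookies(doc, probeName = 'CookieProbe') {
  const value = String(Date.now());
  // No Expires/Max-Age: the probe is a session-only cookie, like CFID and CFTOKEN.
  doc.cookie = `${probeName}=${value}; path=/`;
  const found = doc.cookie
    .split(';')
    .map((pair) => pair.trim())
    .includes(`${probeName}=${value}`);
  // Remove the probe so it is not sent with later requests.
  doc.cookie = `${probeName}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
  return found;
}

// Constructed stand-in for window.document, with an in-memory cookie jar.
function makeFakeDocument({ enabled, existing = {} }) {
  const jar = new Map(Object.entries(existing));
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      if (!enabled) return; // models a browser that refuses the write
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const expired = attrs.some((a) => /^expires=Thu, 01 Jan 1970/i.test(a));
      if (expired) jar.delete(name);
      else jar.set(name, pair.slice(eq + 1));
    },
  };
}

// In a browser:
// if (!probeCookies(document)) { document.location.href = 'myCookieInfoPage.htm'; }
```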

Notice that in the CFAPPLICATION tag above, we have set the value for CLIENTSTORAGE equal to the data source name that we configured in Step 1. If this is not specified, and any one of the servers in the cluster is not configured to use your database as the Default Client Variable Storage location, then you may get unexpected results because your client variables will end up someplace other than in your database (most likely the registry, which is the default location). In my opinion, it's safest to specify the CLIENTSTORAGE value explicitly.

Existing Session Variable Code
If you're designing a new application, simply set and retrieve all the variables that you would have scoped as session, using the client scope instead. Some examples:

<CFSET Client.IsLoggedIn = 1>
<CFOUTPUT>#Client.IsLoggedIn#</CFOUTPUT>
<CFIF NOT Client.IsLoggedIn>
<CFLOCATION
URL="notloggedin.cfm"
addtoken="no">
</CFIF>
