The client variables debacle
Nathan Strutz recently said that client variables are no good to use. From reading his entire post, he isn't saying that the concept is flawed, just the current implementation. He even suggests how they may could be improved. I blogged about the overhead caused by client variables back in 2003, the problem was that even if you check disable global client variable updates ColdFusion was still hitting the DB server on every page request. This was in ColdFusion 6.1, I haven't retested for 7.0 yet.
Nathan also points out that All options are server-wide, it would be cool to have different options for each application. Don't forget that there are some options for client variables in the
cfapplication tag such as the
clientmanagement attribute that lets you turn it on and off,
clientstorage attribute lets you specify which datasource to use (must be enabled for client storage in admin first), or registry, or cookie, and
setclientcookies can be enabled or disabled on an application basis. See the docs for the
cfapplication tag. So you can create a database for each application to use, then for each db you can set the purge time, and disable global client variable updates. Am I missing something here?
Nathan also suggests that we need more options for client storage, how about using files or a proprietary client variable server (aka state server). I agree more options are better, but I'm curious to know what advantages a proprietary client variable server would have, why not just fix how CF uses a database server?
If your going to use them, decouple them
I applaud Nathan for bringing this up again, he raises some good points. While I wouldn't go as far to say we should never use them, I would be take care as to how you use them, and I highly recommend de-coupling them from your application logic. So create a CFC that uses client variables inside to manage state, and if you want to change to session, or your own db implementation you can change how it all works without effecting your entire code base.
- Client Variables unnecessary overhead? - December 4, 2003
- Announcing CFML Weekly Email - October 19, 2012
- Client Variable Cookie CFGLOBALS Includes Session Ids - July 14, 2011
- Maximum Security CFML - cfObjective Slides - May 17, 2011
- Writing Secure CFML Slides from CFUnited 2010 - August 5, 2010
- Writing Secure CFML cfObjective 2013 Slides
- Upgrading to Java 7 on Linux
- J2EE Sessions in CF10 Uses Secure Cookies
- Learn about ColdFusion Security at cfObjective 2013
- Session Loss and Session Fixation in ColdFusion
- FuseGuard 2.3 Released
- CKEditor Spell Checker Plugin
- Adobe Says Go Ahead and Upgrade your ColdFusion JVM