Been trying to figure this out for an hour now and I'm stymied. Simple site that allows employees to register. Typically the employer has a company-wide u/p for all employees to use to access the registration page, but the client also wanted a way to give an employee a link to auto-login to register.
Simple enough - created a page "r.cfm" that looks for URL.emid (encrypted employer ID) and URL.h (5 character hash as a check based on the decrypted employer ID). A full URL may look something like this:
https://www.domain.com/r.cfm?emid=22EBCA&h=F5DEA
r.cfm makes sure the correct URL vars are there, decrypts the emid, compares the check value and if all is correct sets some session vars as such:
<cflock scope="session" type="exclusive" timeout="10">
<cfset SESSION.LOGGEDIN = TRUE/>
<cfset SESSION.LOGIN.EMPLOYEE.COID = DecryptString(url.emid)/>
</cflock>
I then use CFHEADER 302 and CFHEADER location to send them on to the next page. Here's where it gets weird. On the next page I set up some test code to e-mail me a dump of the session.
If clicked directly in MS Word I get to the 2nd page (the one from the cfheader redirect - employeeRegister.cfm) and I get not one - but two e-mail dumps of the session. The first one shows logged in as true, but the 2nd one shows it as false with a different jsessionid.
If I take the exact same link, paste it into my browser, it works as expected - one e-mail with a session dump showing that session.logged in true.
There is nothing on employeeRegister.cfm that would initiate a page reload. It actually doesn't even check the session.logged in var until the following page. employeeRegister.cfm is simply terms and conditions and a submit button to go to the next page, which is where the session vars are read and checked. It is literally a div with text and then a form tag with accept / decline.
This is because the Office product initially tries to act as the browser (to test for web authoring) instead of handing off control to the browser right away. By the time the browser gets control of the URL a valid session doesn't exist because Office isn't going to share cookies. Without a valid session cookie you end up getting logged out during subsequent redirects or navigation of the site in question.
These MS KB articles should help you solve the problem.
http://support.microsoft.com/kb/899927 <- mostly
http://support.microsoft.com/kb/218153 <- more info about Office links
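The exchange described in the answer, as an added Python model that is not code from the post or the KB articles: two clients with separate cookie jars hit the same link, which reproduces the two session dumps with different session IDs. It assumes Office follows the 302 itself and hands the final URL to the browser, and the `use_302=False` variant (r.cfm answers 200 with a client-side redirect) is a hypothetical server-side workaround; `Server`, `fetch` and `click_from_office` are illustrative names.

```python
import secrets

# Constructed model: page names and the link mirror the post. The link check
# and "Office follows redirects, then passes the final URL to the browser"
# are simplifying assumptions based on the answer above.
VALID_LINK = "/r.cfm?emid=22EBCA&h=F5DEA"

class Server:
    def __init__(self, use_302):
        self.use_302 = use_302
        self.sessions = {}   # jsessionid -> session vars
        self.dumps = []      # what employeeRegister.cfm would e-mail

    def handle(self, url, cookie):
        """Process one request; return (status, location, cookie)."""
        if cookie not in self.sessions:       # missing/unknown cookie: new session
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = {"loggedin": False}
        session = self.sessions[cookie]
        if url == VALID_LINK:
            session["loggedin"] = True
            if self.use_302:
                return 302, "/employeeRegister.cfm", cookie
            return 200, None, cookie          # page with a client-side redirect
        if url == "/employeeRegister.cfm":
            self.dumps.append((cookie, session["loggedin"]))
        return 200, None, cookie

def fetch(server, url, cookie=None):
    """One client with its own cookie jar; follows 302s, returns final URL."""
    status, location, cookie = server.handle(url, cookie)
    while status == 302:
        url = location
        status, location, cookie = server.handle(url, cookie)
    return url, cookie

def click_from_office(use_302):
    """Simulate clicking the link in a Word document; return the session dumps."""
    server = Server(use_302)
    final_url, _office_cookie = fetch(server, VALID_LINK)  # Office's own request
    url, cookie = fetch(server, final_url)                 # browser, empty cookie jar
    if url == VALID_LINK:   # browser ran r.cfm itself, then the client-side redirect
        fetch(server, "/employeeRegister.cfm", cookie)
    return server.dumps
```

With the 302, the browser's first request is already `employeeRegister.cfm`, so the session that was logged in belongs only to Office's cookie jar.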