Sessions and Authentication
Learn how classic ColdFusion applications maintain identity and where old session and password practices need special care.
Enable Sessions
<cfapplication
name="LegacySupportPortal"
sessionmanagement="yes"
sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
Initialize Session State
<cflock scope="session" type="exclusive" timeout="5">
<cfif NOT StructKeyExists(session, "isAuthenticated")>
<cfset session.isAuthenticated = false>
<cfset session.userId = 0>
<cfset session.roles = "">
</cfif>
</cflock>
Login Flow
<cfparam name="form.email" default="">
<cfparam name="form.password" default="">
<cfquery name="userAccount" datasource="support_portal" maxrows="1">
SELECT id, email, password_hash, roles, is_active
FROM users
WHERE email = <cfqueryparam value="#LCase(Trim(form.email))#"
cfsqltype="cf_sql_varchar" maxlength="254">
</cfquery>
<!--- Password verification must match the application's stored hash format.
Upgrade weak legacy hashes rather than copying this pattern into new work. --->
The difficult part is password verification. An MX-era application may store MD5, SHA-1, unsalted hashes, or even plaintext passwords. Do not preserve weak storage merely for compatibility. Plan a staged password-hash upgrade or forced reset on a supported platform.
Store the Minimum Session Identity
<cflock scope="session" type="exclusive" timeout="5">
<cfset session.isAuthenticated = true>
<cfset session.userId = userAccount.id>
<cfset session.roles = userAccount.roles>
</cflock>
Do not place entire query objects, passwords, payment data, or large customer records in the session.
Authorization Check
<cfset variables.isAdministrator = false>
<cflock scope="session" type="readonly" timeout="5">
<cfif session.isAuthenticated
AND ListFindNoCase(session.roles, "administrator") GT 0>
<cfset variables.isAdministrator = true>
</cfif>
</cflock>
<cfif NOT variables.isAdministrator>
<cfheader statuscode="403" statustext="Forbidden">
Access denied.
<cfabort>
</cfif>
Authentication answers who the user is. Authorization answers whether that user may perform this specific action. Every sensitive operation needs both.
Logout
<cflock scope="session" type="exclusive" timeout="5">
<cfset StructClear(session)>
</cflock>
<cflocation url="login.cfm?loggedOut=1" addtoken="false">
CFID, CFTOKEN, and URL Tokens
Legacy ColdFusion session tracking commonly uses CFID and CFTOKEN. Avoid propagating session identifiers in URLs. Use addtoken="false" on redirects unless there is a carefully justified requirement.
Session Fixation and Cookie Settings
A recovered application may not rotate identifiers after login and may lack modern cookie attributes. Put the application behind a current reverse proxy, enforce HTTPS, review ColdFusion cookie behavior, and migrate authentication to a supported runtime where modern session controls are available.
Central Access Guard
In MX 7, onRequestStart can protect application areas. Keep an explicit allowlist for login, logout, password reset, static assets, and health pages rather than using broad filename assumptions.