I have also noticed that my cfid and cftoken cookies are set to expire Sat, 16 Jan 2038 15:55:44 GMT. So it looks like some kind of default of 30 years...any thoughts?
You are talking about two separate things. The first is cookies. I will come to
that later.
The second is the 10 days you mention. It is a timeout that is set by default
by ColdFusion. It is the time after which ColdFusion begins to purge stored
client variables from the place where you chose to store them. The default
store for client variables is the registry. You may choose as alternatives a
database (that you yourself have to create) or cookie.
The default timeouts, in days, are 90, 90, 10, respectively, for registry,
database, cookie. This is where the 'Purge Interval' setting in the
Administrator comes into play. The default value of the purge-interval is 1
hour 7 minutes. This means, for example, that, after 10 days of inactivity,
ColdFusion will delete client variables stored as cookies every 1 hour 7
minutes. Also, after 90 days of inactivity, ColdFusion will delete client
variables stored in the registry every 1 hour 7 minutes.
I can think of two reasons why the design is like this. First, it is up to
ColdFusion to delete client variables, not you. That is why the timeout setting
is hidden from view. Secondly, the purge process uses much memory, and so
shouldn't occur often or for long periods.
There is an explanation for the 30 years. It means that the expires attribute
of the cfcookie tag has the value 'never'. See
http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000233.htm
The 30 years applies
to all cookies that ColdFusion sets, whether or not they are client variables.
If you want control of the client variable cookie then you have to prevent
ColdFusion from setting them automatically. To do so, set
clientmanagement="yes" and setclientcookies="no" in the cfapplication tag (if
you're using Application.cfm) or this.clientmanagement="yes" and
this.setclientcookies="no" (if you're using Application.cfc). Then set the
cookies manually, as follows, depending on your needs:
1) session-only cookie (will expire when client closes browser)
<cfcookie name="cfid" value="#client.cfid#">
<cfcookie name="cftoken" value="#client.cftoken#">
2) cookie that will expire after 7 days
<cfcookie name="cfid" value="#client.cfid#" expires="7">
<cfcookie name="cftoken" value="#client.cftoken#" expires="7">
Back to the timeout values earlier. I will now show you where the settings
are. Open the following file in a text editor:
{CF_installation}/lib/neo-clientstore.xml
However, I should strongly advise you to leave the XML file intact. There is a
good reason why the ColdFusion engine uses the 10-day and 90-day timeouts, and
why it hides the settings from view.
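
An added example, not part of the original thread: a small Python check that classifies the lifetime of CFID/CFTOKEN cookies in captured Set-Cookie headers, so you can confirm whether a site still issues the 'never' expiry or one of the two manual variants above. The function names, the 7-day ceiling, the clock and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

WATCHED = {"cfid", "cftoken"}      # ColdFusion client identifier cookies
MAX_LIFETIME = timedelta(days=7)   # assumed policy ceiling (the 7-day case above)

# Constructed sample headers; the first uses the expiry date quoted in the question.
SAMPLES = [
    "CFID=1234; expires=Sat, 16 Jan 2038 15:55:44 GMT; path=/",
    "CFTOKEN=56789012; path=/",
    "CFID=1234; expires=Thu, 31 Jan 2008 15:55:44 GMT; path=/",
    "THEME=dark; expires=Sat, 16 Jan 2038 15:55:44 GMT; path=/",
]

def cookie_lifetime(attrs, now):
    """Return the lifetime as a timedelta, or None for a session-only cookie."""
    if "max-age" in attrs:         # Max-Age takes precedence over Expires
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass                   # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None            # unparseable date: attribute is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None

def audit_set_cookie(header_value, now):
    """Classify one Set-Cookie value; None if the cookie is not CFID/CFTOKEN."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name = first.partition("=")[0].strip()
    if name.lower() not in WATCHED:
        return None
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is None:
        return name, "session-only", None
    verdict = "bounded" if lifetime <= MAX_LIFETIME else "long-lived"
    return name, verdict, lifetime

if __name__ == "__main__":
    clock = datetime(2008, 1, 24, 15, 55, 44, tzinfo=timezone.utc)  # constructed
    for header in SAMPLES:
        print(audit_set_cookie(header, clock))
```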