Copilot AI commented Dec 2, 2025

Addresses review feedback on #238: structKeyExists(variables, "session") doesn't reliably detect if session management is enabled across CFML engines.

Changes

  • Cross-platform session detection: Use getApplicationMetadata().sessionManagement instead of structKeyExists() - works on Lucee 5+, ACF 2021+, ACF 2023+, BoxLang 1+
  • Lazy metadata caching: Store application metadata in variables.appMetadata to avoid repeated lookups
  • Graceful degradation: Wrap session.sessionid access in try-catch to handle startup edge cases where session scope exists but sessionid isn't yet available

Implementation

private function isSessionManagementEnabled() {
    // Lazily cache the application metadata. Assumes variables.appMetadata was
    // initialised to an empty struct in init(): structIsEmpty() throws on an undefined variable.
    if ( structIsEmpty( variables.appMetadata ) ) {
        variables.appMetadata = getApplicationMetadata();
    }
    // Engines that omit the key are treated as having sessions disabled.
    return structKeyExists( variables.appMetadata, "sessionManagement" )
        && variables.appMetadata.sessionManagement;
}

private function generateNewToken() {
    // Entropy sources: UUID, client IP, SecureRandom-backed random value, and tick count.
    var tokenBase = "#createUUID()##getRealIP()##randRange(0, 65535, "SHA1PRNG")##getTickCount()#";
    var sessionId = "";

    if ( isSessionManagementEnabled() ) {
        try {
            sessionId = session.sessionid;
        } catch ( any e ) {
            // Continue without sessionid if not available
            // (e.g. before the session scope is populated at startup)
        }
    }

    // Return the first 40 uppercase hex characters of the SHA-256 digest
    return uCase( left( hash( tokenBase & sessionId, "SHA-256" ), 40 ) );
}

Enables TokenService to work with both SessionCSRFStorage (requires sessions) and CacheCSRFStorage (session-independent).
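The following is an added example, not code from the PR or the project: a stand-alone .cfm script that exercises the detection and token-generation logic described in the comment above under the three cases a reviewer would want covered (sessions disabled, sessions enabled but the session scope not yet usable, and metadata with no sessionManagement key). It simulates the engine configurations by overwriting variables.appMetadata directly, since getApplicationMetadata() cannot be changed at runtime. getRealIP() is not shown in the PR, so a minimal stand-in that reads cgi.remote_addr is assumed here; the check() helper and the "AssertionFailed" exception type are also this example's own.

```cfml
<cfscript>
// Added example (not the project's code). Assumes Lucee 5+ or ACF 2021+,
// where getApplicationMetadata(), hash(..., "SHA-256") and
// randRange(..., "SHA1PRNG") are all available.

variables.appMetadata = {};   // must exist before isSessionManagementEnabled() runs

function getRealIP() {
    // Stand-in for the project's helper (assumption): use the socket address only.
    // Do not trust X-Forwarded-For here unless a trusted proxy sets it.
    return cgi.remote_addr;
}

function isSessionManagementEnabled() {
    if ( structIsEmpty( variables.appMetadata ) ) {
        variables.appMetadata = getApplicationMetadata();
    }
    return structKeyExists( variables.appMetadata, "sessionManagement" )
        && variables.appMetadata.sessionManagement;
}

function generateNewToken() {
    var tokenBase = "#createUUID()##getRealIP()##randRange(0, 65535, "SHA1PRNG")##getTickCount()#";
    var sessionId = "";
    if ( isSessionManagementEnabled() ) {
        try {
            sessionId = session.sessionid;
        } catch ( any e ) {
            // Session scope not usable yet (or disabled in this app): continue without it
        }
    }
    return uCase( left( hash( tokenBase & sessionId, "SHA-256" ), 40 ) );
}

function check( required boolean condition, required string label ) {
    if ( !arguments.condition ) {
        throw( type="AssertionFailed", message=arguments.label );
    }
    writeOutput( "ok: " & arguments.label & "<br>" );
}

// 1. Real engine metadata: whatever Application.cfc set for this request.
variables.appMetadata = {};
writeOutput( "engine reports sessionManagement=" & isSessionManagementEnabled() & "<br>" );

// 2. Sessions disabled (the CacheCSRFStorage path): the session scope must never be touched.
variables.appMetadata = { sessionManagement: false };
check( !isSessionManagementEnabled(), "sessions disabled -> detection returns false" );
t1 = generateNewToken();
check( len( t1 ) == 40 && reFind( "^[0-9A-F]{40}$", t1 ) == 1, "token is 40 uppercase hex characters" );

// 3. Sessions reported enabled, but session.sessionid may be unavailable (startup edge case,
//    or this script running in an app without sessions): the try/catch must still yield a token.
variables.appMetadata = { sessionManagement: true };
check( isSessionManagementEnabled(), "sessions enabled -> detection returns true" );
t2 = generateNewToken();
check( len( t2 ) == 40, "token still produced when session.sessionid is unavailable" );
check( t1 != t2, "consecutive tokens differ" );

// 4. Metadata without the key (unknown engine): treated as disabled rather than throwing.
variables.appMetadata = { name: "demo" };
check( !isSessionManagementEnabled(), "missing sessionManagement key -> treated as disabled" );
</cfscript>
```

Run it as a plain .cfm both with and without this.sessionManagement = true in Application.cfc; case 3 takes the catch branch in the second configuration and the normal branch in the first, and every check should pass in both.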



Copilot AI and others added 4 commits December 2, 2025 15:05
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CSRF implementation for session detection method Use getApplicationMetadata() for cross-platform session detection in TokenService Dec 2, 2025
Copilot AI requested a review from grantcopley December 2, 2025 15:11
@grantcopley grantcopley marked this pull request as ready for review December 2, 2025 15:18
@grantcopley grantcopley merged commit 35b3f5d into 184-new-csrf-implementation Dec 2, 2025
1 check passed
@grantcopley grantcopley deleted the copilot/sub-pr-238-again branch December 2, 2025 15:18