Skip to content

Comments

Use getApplicationMetadata() for cross-platform session detection in TokenService#251

Merged
grantcopley merged 5 commits into184-new-csrf-implementationfrom
copilot/sub-pr-238-again
Dec 2, 2025
Merged

Use getApplicationMetadata() for cross-platform session detection in TokenService#251
grantcopley merged 5 commits into184-new-csrf-implementationfrom
copilot/sub-pr-238-again

Conversation

Copy link
Contributor

Copilot AI commented Dec 2, 2025
edited
Loading

Addresses review feedback on #238: structKeyExists(variables, "session") doesn't reliably detect if session management is enabled across CFML engines.

Changes

  • Cross-platform session detection: Use getApplicationMetadata().sessionManagement instead of structKeyExists() - works on Lucee 5+, ACF 2021+, ACF 2023+, BoxLang 1+
  • Lazy metadata caching: Store application metadata in variables.appMetadata to avoid repeated lookups
  • Graceful degradation: Wrap session.sessionid access in try-catch to handle startup edge cases where session scope exists but sessionid isn't yet available

Implementation

private function isSessionManagementEnabled() {
    if ( structIsEmpty( variables.appMetadata ) ) {
        variables.appMetadata = getApplicationMetadata();
    }
    return structKeyExists( variables.appMetadata, "sessionManagement" ) 
        && variables.appMetadata.sessionManagement;
}

private function generateNewToken() {
    var tokenBase = "#createUUID()##getRealIP()##randRange(0, 65535, "SHA1PRNG")##getTickCount()#";
    var sessionId = "";
    
    if ( isSessionManagementEnabled() ) {
        try {
            sessionId = session.sessionid;
        } catch ( any e ) {
            // Continue without sessionid if not available
        }
    }
    
    return uCase( left( hash( tokenBase & sessionId, "SHA-256" ), 40 ) );
}

Enables TokenService to work with both SessionCSRFStorage (requires sessions) and CacheCSRFStorage (session-independent).

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI mentioned this pull request Dec 2, 2025
Merged
Copilot AI and others added 4 commits December 2, 2025 15:05
@grantcopley
Use cross-platform session detection with getApplicationMetadata()
04e2170 
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
@grantcopley
Cache app metadata and improve catch block comment
f1b69f9 
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
@grantcopley
Initialize appMetadata as struct and use structCount check
a62978b 
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
@grantcopley
Use structIsEmpty for better readability
d297b39 
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CSRF implementation for session detection method Use getApplicationMetadata() for cross-platform session detection in TokenService Dec 2, 2025
Copilot AI requested a review from grantcopley December 2, 2025 15:11
@grantcopley grantcopley marked this pull request as ready for review December 2, 2025 15:18
@grantcopley grantcopley merged commit 35b3f5d into 184-new-csrf-implementation Dec 2, 2025
1 check passed
@grantcopley grantcopley deleted the copilot/sub-pr-238-again branch December 2, 2025 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@grantcopley grantcopley grantcopley approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@grantcopley grantcopley

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@grantcopley