I do a good amount of work in my Application.cfc to ensure that spiders, bots, and uncool people do not create unused session variables on my server. This has some processing overhead associated with it. To balance that out, I use some cookies to keep track of whether or not my session management logic has already been performed. Last night, while reviewing some of my own code, I realized that I had a HUGE hole in my logic around the short-circuit evaluation of an IF statement.

Here is the original statement:

    // Check user agent.
    if (
        (NOT Len(strTempUserAgent)) OR

        // We are testing the cookie values so that we are not
        // duplicating logic. This should provide a performance
        // increase for anyone accepting cookies.
        (
            COOKIE.SessionScopeTested AND
            (NOT COOKIE.HasSessionScope)
        ) OR

        ... MANY OTHER CHECKS ...

    } else {

        ... LOGIC FOR SESSION-BASED USERS ...

    }

My original thought was that if the user had already been tested and did NOT have the session scope enabled, then I could skip directly down to the ELSE statement. However, I totally spaced out on the fact that the first statement is a bunch of OR statements and therefore, even if that second statement was false, no short-circuiting would take place. Furthermore, I was checking to see if a user did NOT have the session scope. I don't care about that. I only care about people who HAVE a session scope. My whole mindset was wrong. I have fixed this by changing my session check and breaking the IF statement into two statements AND'ed together:

    // Check user agent and session testing.
    if (
        // We need to AND this clause to force the user to
        // go to the ELSE clause if this is False. That will
        // short-circuit this IF statement and skip the rest
        // of the processing. We want to skip if: The session
        // scope has been tested AND they have the session scope.
        (
            NOT (
                COOKIE.SessionScopeTested AND
                COOKIE.HasSessionScope
            )
        )
        AND
        // Assuming we make it this far, we are dealing either
        // with users who have not yet been tested or do NOT
        // have a session scope. Either way let's try to
        // short-circuit this by testing for session.
        (
            // Check to see if we have tested this user to NOT
            // have a session scope available.
            (
                COOKIE.SessionScopeTested AND
                (NOT COOKIE.HasSessionScope)
            ) OR

            // If we made it this far, then we have to fully
            // test the user.
            (NOT Len(strTempUserAgent)) OR

            ... MANY OTHER CHECKS ...

    } else {

        ... LOGIC FOR SESSION-BASED USERS ...

    }

As you can see from the updated IF statement, we are now creating an environment for good short-circuiting. Now, if the user has already been tested and HAS a session scope, then the inner clause of the first AND operand will be TRUE, the NOT will make it FALSE, and that will short-circuit the parent IF statement, jump over all the non-session based testing, and proceed directly to the application setting for users with a session scope.
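
To see the difference in how many checks actually execute, here is an added example (not code from the original post) that models both IF statements in JavaScript, whose `&&` and `||` short-circuit the same way as the AND and OR above. The `check()` function is a hypothetical stand-in for each of the "MANY OTHER CHECKS", and the cookie states and user agent are constructed samples.

```javascript
// Added illustration, not the post's code. check() is a hypothetical
// stand-in for each of the "... MANY OTHER CHECKS ..." tests.
function makeCounter(result) {
  const c = { runs: 0 };
  c.check = () => { c.runs += 1; return result; };
  return c;
}

// Original statement: one flat OR chain.
function originalIf(cookie, userAgent, c) {
  return (
    !userAgent.length ||
    (cookie.sessionScopeTested && !cookie.hasSessionScope) ||
    c.check() || c.check() || c.check()
  );
}

// Fixed statement: guard clause AND'ed in front of the OR chain.
function fixedIf(cookie, userAgent, c) {
  return (
    !(cookie.sessionScopeTested && cookie.hasSessionScope) &&
    (
      (cookie.sessionScopeTested && !cookie.hasSessionScope) ||
      !userAgent.length ||
      c.check() || c.check() || c.check()
    )
  );
}

// Runs both statements on one request state. true = IF body taken,
// false = ELSE (logic for session-based users).
function compare(cookie, checkResult = false) {
  const userAgent = "Mozilla/5.0 (constructed sample)";
  const a = makeCounter(checkResult);
  const b = makeCounter(checkResult);
  const original = originalIf(cookie, userAgent, a);
  const fixed = fixedIf(cookie, userAgent, b);
  return { original, fixed, originalRuns: a.runs, fixedRuns: b.runs };
}

// Constructed cookie states.
const testedWithSession = { sessionScopeTested: true, hasSessionScope: true };
const testedNoSession = { sessionScopeTested: true, hasSessionScope: false };
const untested = { sessionScopeTested: false, hasSessionScope: false };

console.log(compare(testedWithSession)); // fixed version runs no checks
console.log(compare(testedNoSession));   // both versions run no checks
console.log(compare(untested));          // both versions run every check
```

Calling `compare(testedWithSession, true)` shows the other consequence of the guard: once the cookie pair says the user has a session scope, the fixed statement goes to the ELSE branch without consulting any later check, so the branch taken rests entirely on those two cookie values.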