onRequestStart() vs. onRequest()

So, I am trying to understand why I would ever want to use onRequest() in one of my Applications. Maybe someone can help me figure out a valid reason. I'm sure there are plenty of them, but I am looking for one, or more, that do not seem like bad programming/security issues.

Here is my issue. Take a simple onRequestStart() in my application.cfc.


    <cffunction name="onRequestStart" access="public" output="false">
        <cfset variables.myVar1 = "my variable is cool" />
    </cffunction>
    
If I create an index.cfm with a simple cfdump of the variables scope, I will get an empty struct. The myVar1 Variable will not be there, no methods, nothing. Just an empty struct.

Now, if I add an onRequest() method to my Application.cfc, which takes in the argument of the target page and requires that I cfinclude it, it combines the Application.cfc local scope with my target pages local scope.


    <cffunction name="onRequest" access="public" output="false">
        <cfargument name="TargetPage2" type="string" required="true" />
        <cfset myVar2 = "my variable is cool" />
        
        <!--- Include the requested page. --->
        <cfinclude template="#ARGUMENTS.TargetPage2#" />
    </cffunction>
    
Now if I dump the variables scope, I get:

So not only did it show up with the myVar2 variable in it, but it has the myVar1 variabel from onRequestStart, it has all of my Application.cfc methods, it has all of my THIS scope variables from Application.cfc and all of the local variables from Application.cfc.

So, my question is, why would I want this? Why would I want to combine my Application.cfc local scope with the local scope of EVERY page in my application? Why would I want to expose my Application.cfc's properties and methods to all of my pages? Not only does it seem like bad programming practice to me, but it seems like it would be a security issue.

So maybe I am missing some HUGE benefit to this practice. But to me, it seems like a silly thing to do. Not to mention the fact that using onRequest() breaks all sorts of cool things with Ajax, Flash remoting, etc. Thanks for any input!

Comments
Ben Nadel's Gravatar @Jason,

I wouldn't worry about the fact that using OnRequest() exposes the inner working of the Application.cfc. You are essentially executing the requested page a template "mix-in" at that point, but it's cool. Remember, if you are worried about security at that level, then make sure no one has FTP access to the code base :) At that point - you have to worried about your own programmers.

To me, the biggest asset to this approach is to be able to define what template actually gets executed. You can use this quite easily for log-in prompting:

<cfif User.IsLoggedIn()>
. . . . <cfinclude template="#ARGUMENTS.Page#" />
<cfelse>
. . . . <cfinclude template="login.cfm" />
</cfif>

Sometimes, I also use it to funnel everything through index.cfm:

<cffunction name="OnRequest">
<cfinclude template="index.cfm" />
</cffunction>

Now, no matter what page is requested, the index.cfm is executed. This might seem silly, but if you have hooks into your program, this can "listen" for those hooks. For example, maybe you have stub files like:

/staff/index.cfm
/member/index.cfm
/guest/index.cfm

Now, your OnREquest() can listen for page reuqest and see the URL to figure out which type of "Experience" to offer. Your index.cfm files in the sub directory are empty - they are only their to launch the request event in the Application.cfc.

Anyway, I found these concepts extremely useful and have never had any security issues.
# Posted By Ben Nadel | 5/27/08 1:29 PM
Terrence Ryan's Gravatar I've used it in a couple of cases to intercept requests for certain pages and then do things in addition to the called page, or instead of the called page.

I probably could have fixed these problems by using better application architecture, but it's not always an options to fix them.
# Posted By Terrence Ryan | 5/27/08 1:32 PM
Jason Dean's Gravatar @Ben and terrence

Thanks! That is great feedback. Ben, that explanation is excellent. thanks for taking the time. I like the login page example, I can see how things like that would be very useful. I am doing a presentation tomorrow on App.cfm vs. App.cfc and I have never used onRequest, so when I looked at what it was doing, it seemed kind weird.
# Posted By Jason Dean | 5/27/08 1:43 PM
Ben Nadel's Gravatar @Jason,

One thing you have to be careful of is that if you have OnRequest(), you cannot call CFC's directly (as in a web service). That is the only complication that I have ever run up against. To get around that, I believe it was Ray Camden that suggested checking in the OnRequestStart() method for the request type and then deleting the OnREquest method:

OnRequestStart:
<cfif ...is web serivce....>
<cfset StructDelete( THIS, "OnRequest" ) />
</cfif>
# Posted By Ben Nadel | 5/27/08 1:52 PM
Jason Dean's Gravatar Thanks Ben. I did see that and have made note of it.
# Posted By Jason Dean | 5/27/08 2:14 PM
Jason Dean's Gravatar @Ben - I don't know if you are still subscribed to this thread, but I have been thinking more about this, and I did some playing around. And it looks, to me, like both of the examples you provided also work with onRequestStart().

Maybe I a missing something special about onRequest() but since onRequestStart() also receives the target page as an argument, it seems like the better solution for these things, since it does not mess with Ajax, remotes services or remoting.
# Posted By Jason Dean | 6/1/08 8:39 PM
Ben Nadel's Gravatar @Jason,

I think you are correct. I cannot think of any technical reason why you would *need* to use OnRequest() rather than OnRequestStart(). I guess the only thing I can think of, and this is not a strong argument, is "intent". To me, the intent of the OnRequestSTart() method is to run before the page and the intent of the OnRequest() method is to run (the | a) page.

Of course, "intent" doesn't really mean much since they are both "request" methods. I suppose you are correct. My gut says to use OnRequest(), but it is not making any real educated decision.
# Posted By Ben Nadel | 6/2/08 5:33 AM
Ashwin's Gravatar I want to know how useful is this latest version of windows 10 operating system and go through this http://gethelpwindows10.com Online platform where i get knowledge about this information.
# Posted By Ashwin | 10/3/18 5:29 AM
rick's Gravatar You finished a couple fine focuses there. I did an inquiry on the subject and discovered almost all persons will oblige with your online journal. https://www.fiverr.com/mubeenshahjahan/do-100-blog...
# Posted By rick | 12/6/18 5:41 AM
rick's Gravatar This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information https://www.fiverr.com/mubeenshahjahan/do-100-blog...
# Posted By rick | 12/6/18 5:42 AM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner