Problem with Session Variables between pages

Report · Mar 06, 2013

OK, I have three CF9 boxes. One is at a hosting site, one is my developer box, and one is at a client site. At the client site, when going from page to page, the session variables are lost with IE9 from my laptop. IE9 has no problem with session variables on the developer box nor at the hosted site. Chrome has no problem anywhere. So the session variables are lost at the client site with IE 9 only (IE 7 fails too).

Here is the code:

File test.cfm

<html>

<head>

</head>

<body>

</cflock>

<button type="button" value="GO"

onClick="window.location='/test/junk.cfm'">Go </button>&nbsp&nbsp

</cfoutput>

</body>

</html>

File junk.cfm

<html>

<head>

</head>

<body>

Stuff is #session.stuff#

</cfoutput>

OK

</form>

</body>

</html>

And the application.cfc

</cfcomponent>

--------------------------

If you bring up test.cfm you will sess the session variables set. Press the button to go to junk.cfm and you will see that the session variable stuff is lost. I have tried several flavors of the application.cfc and even tried it as a cfm. No change. Have tried J2ee sessions and not, no change. Anyone have any ideas here?

Report · Mar 06, 2013

Actually, I should say that the session variable was lost on the client box, not on the other two. Your mileage may differ.

Report · Mar 06, 2013

To help debug the issue you might want to also dump your cookie scope as well, do you have cookies disabled on IE for example?

Report · Mar 06, 2013

Hi Peter....no cookies are not disabled. The same IE9/laptop combination access all three boxes - only client one fails.

Report · Mar 06, 2013

With the cookies displayed, you can see that the CFID and CFToken change between pages.

Report · Mar 08, 2014

We're having the same issue except Chrome is the one giving us problems. IE keeps the session variables as does Firefox. Chrome doesn't seem to accept them at all. We have a test page where we are dumping out the session and the cookie scopes. When we did, Chrome was listing CFID and CFTOKEN twice in the structure (and before you ask, yes the structure dumped out with the same key listed twice which I didn't think was possible.) That's the only difference that I can see in how the session and cookie scopes appear.

Report · Mar 09, 2014

One likely reason is that the directory of the page that test.cfm redirects to, that is, /test/, may already have a separate Application file. That would initiate a new session, hence new CFID and CFToken values. Search your directories to ensure there are not 2 or more active Application files in the relevant paths.

Some more suggestions follow. Your HTML tags, as they now stand, are redundant, and should be left out. In particular, there is no Javascript code, and so there is no need for <META HTTP-EQUIV="Content-Script-Type" CONTENT="text/javascript">. In any case, if you need to run Javascript code later, then simply use <script type="text/javascript"></script>.

A session timeout of 8 hours is likely to be impractical. The usual value is about half an hour. You also mention no application timeout.

Putting the suggestions together:

test.cfm

<head>

/* Javascript code goes here. */

</script>

</head>

</cflock>

<button type="button" value="GO"

onClick="window.location='/test/junk.cfm'">Go</button>

/test/junk.cfm

<head>

/* Javascript code goes here. */

</script>

</head>

<cfif isDefined("session.stuff")>

<cfoutput>#session.stuff#</cfoutput>

<cfelse>

Variable session.stuff is undefined.

</cfif>

<input name="txt" type="text">

<input name="sbmt" type="submit" value="Submit">

</form>

Application.cfc

<cfset this.applicationTimeout="#createTimeSpan(1,0,0,0)#">

</cfcomponent>

Report · Mar 12, 2014

I ask Help for same problem.

I loose session variable ONLY with IE11 under win7.

It is working with IE9 under Vista.

And on the 2 PC, it is working with any other browser, FF, Google etc...

The CFID cookie in changing at each next page.

cookies are enabled on IE but not working, it seems.

Thanks for idea.

This is an IE problem ?

Report · Nov 05, 2015

I'd like to share my experiences with this problem as it caused a decent sized headache and it might help someone else out there. The problem still occurs in cf10 and seems to be related to a session fixation hotfix applied to cf8, cf9 and the base install of cf10. This fix seems to create a situation where duplicate cookies can exist for a given token, thereby causing Coldfusion to become confused and the user session to drop off. The problem is not exclusive to one type of browser and only happens occasionally. In all cases the crude solution to the problem is to manually delete the cookies from the clients browser. This is obviously not on, so the next sensible solution is to find a way to programmatically remove any stray cookies. After some trial and error, the following lines of code when first creating the session appears to fix the problem...eg

The key seemed to be to add the domain attribute (and path attribute if necessary to match the existing cookie) .Otherwise, the server seems to lose control of the existing cookie. This problem made a particularly dramatic appearance after applying updates to the cf10 server and rebuilding the connector for some reason.

Adobe Community

Problem with Session Variables between pages