partTimeCrazy

Coldfusion session timing out too soon?

Jan 14, 2014 7:55 AM

Tags: #session #timeout #sessiontimeout

I have ColdFusion 10 installed as our main server. I am using sessions to store some information and have set sessiontimeout=#CreateTimeSpan(0,0,45,0)# in the application file, but for some reason the session is timing out way before 45 mins, around 10 mins. Is there a reason for this? I thought having the timeout in the application file would overwrite anything set in the ColdFusion admin. Is this not true?

Thanks

Replies

  • Jan 14, 2014 9:15 AM   in reply to partTimeCrazy

    Check the CF Admin. The values set there can trump per-application settings. So if the CF Admin states that the maximum size a session can be is 10 minutes, your app can tell CF to use more, but CF will only allow it to be as large as what's set in the Admin.

    SERVER SETTINGS > MEMORY VARIABLES > MAXIMUM TIMEOUTS > SESSION VARIABLES

    Also, FYI, you do not need to pound off the createTimespan() Built-in Function when you set it, i.e., this is perfectly fine:


    <cfset this.sessionTimeout = createTimespan( 0,0,45,0 ) />

  • Jan 14, 2014 1:54 PM   in reply to partTimeCrazy

    Oh. I don't use the <cfapplication> tag. In its implementation, you should not omit the encasing quotes. ColdFusion interprets values as best as it can, but just to be safe that values get translated and not lost in syntax, it would read ...sessiontimeout="#createTimeSpan( 0,0,45,0 )#" />

    Personally, I use application.cfc, where you simply set the sessionManagement variable of the 'this' scope in the pseudo-constructor area (the areas outside of functions), i.e.:


    <cfset this.name = 'myAppName' />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan( 0,0,45,0 ) />
    ...
    <cffunction name="onApplicationStart"...


    What do you mean by cookie timeout? If session management is enabled, then CF will attempt to set a cookie on the client machine which is subsequently sent back to CF on each request in order to maintain the session state. Some browsers will let you inspect those cookies. You could clear your cookies, make a request (creating and setting a new session cookie) and then inspect it to see if the timeout is set to 20 minutes from now or the intended 45.

  • Jan 15, 2014 7:07 AM   in reply to partTimeCrazy

    What are all your application settings? I'm wondering if you're setting a cookie at a certain path under the site and then navigating to areas outside that path (where the cookie won't exist).

  • Jan 15, 2014 9:29 AM   in reply to partTimeCrazy

    SESSION scope is different from the CLIENT scope.

    Is your site using subdomains? If so, you'll need to set the setDomainCookies attribute to true (again, in CFC we use this.setDomainCookies, but if you're still going to use the old application.cfm, see if there's a respective attribute for the <cfapplication> tag)


    Try what I had suggested earlier. Get a good browser like Chrome, and inspect the CFID cookie that is set by ColdFusion. See what its expiration is set to. Is it 20 minutes from now or 45?

  • Jan 16, 2014 6:34 AM   in reply to partTimeCrazy

    The web is stateless. For example:


    Your PC > Makes a request to > Web Server

    Web Server: Hi!, you have no cookie, this is your first visit here, here's your file.

    Your PC > Makes another request to > Web Server

    Web Server: Hi! you have no cookie, this is your first visit here, here's your file (even though this is your second visit to the site)

    Thing is, without a cookie being set onto your PC (and subsequently provided to the server on each request), the server has no idea who you are. With cookies/sessions:


    Your PC > Makes a request to > Web Server

    Web Server > Sends a Cookie to > Your PC

    Web Server: Hi, you now have a cookie, this is your first visit here, here's your file.

    Your PC > Makes another request to > And sends its cookie it was previously given to > Web Server

    Web Server > Checks to ensure cookie's related session data is available > Verified

    Web Server: Hi, you've been here before, and I know who you are.  Here's your file.

    Web Server > Updates the session timeout to be 45 mins from this point to > Your PC

    Then, if you don't make another request within that timeout, when you make another request to the server, your session "Timed out", and the Server issues you a new cookie.


    If Firebug says the cookie you have is being set to expire 45 minutes from when you request it, then the cookie is being set properly. I notice you didn't answer whether your site is using subdomains. Is this the case?

  • Jan 16, 2014 7:37 AM   in reply to partTimeCrazy

    Yes. We've confirmed the cookie is being set with the proper value. Now we just have to troubleshoot the issue where your session is not staying maintained before that timeout value.


    For clarification, you're repeatedly saying that you've been "logged out", but that isn't the problem we're troubleshooting, right? We're looking as to why your session isn't being maintained. "Logging in" is the process of going through authentication where you verify who you are to the server, it authenticates those credentials, and then can "log you in", often storing your information into the session. The problem with the latter is that if you have code somewhere that is terminating the session or performing a log out operation via an improper misfire, this is different than a session that just seems to be lost at some point in requesting pages that are doing little more than presenting data.

    Since you're not using subdomains, we don't have to worry about you navigating to other areas of the same domain. Let's try this:

    Make a page that just outputs this:


    <cfoutput>#session#</cfoutput>

    If you keep reloading that page, do the CFID/CFTOKEN values change?

    By the by, what browser/version are you using?

  • Jan 16, 2014 8:50 AM   in reply to partTimeCrazy

    My bad, I meant to type <cfdump> not <cfoutput> (yeah, you cannot output complex objects).


    But it does sound like you're having an issue with CF-related login functionality. Your session information staying put shows that your browser is accepting the cookie information, and it is persisting across requests. That is good. But it sounds to me like your issue now has to do with using CF's login (or are you manually just setting data into the Session scope and assuming that is a "logged in" status?)

    You state the page you had created had "All the sessions listed", but it should only be showing 1 session's worth of data. A session is equivalent to your cookie's data from the server side. For example:


    CFID of 1 = User A's session scope data

    CFID of 2 = User B's session scope data

    etc.

    Of course, that's an oversimplification of the process. CF uses the combination of CFID/CFTOKEN to determine this.

    I'm assuming you've placed data into the SESSION scope, and then are saying that after 10 minutes, this data no longer shows, and all you see are the CFID/CFTOKEN, etc? Is that correct? If that is the data you see, are the CFID/CFTOKEN still the correct values? (ie, not changed)

    If that's true, then the issue is you're executing code which is "Logging you out" (but not messing with your actual session at all). In this event, sure, your session scope is losing variables in it, and the end result is you are seen as being logged out of your app, but the actual session is not being "rotated" (old expires and you're issued a new one). Please verify this information before moving on. It almost sounds to me like you have possible faulty logic that is executing and "logging you out", even though the session is still the same.

  • Jan 17, 2014 12:31 AM   in reply to partTimeCrazy

    partTimeCrazy wrote:

    ... Also the cookie timeout is set to 20 minutes, could that be part of the issue

    Perhaps. I would set it to 1440 minutes (1 day), to be on the safe side.


    ... 'Disable updating ColdFusion internal cookies using ColdFusion tags/functions' but i'm not sure what that means.

    Checking that option is a security measure. If you do, the server will disallow any attempt to update cookies by means of functions or tags like cfcookie and cfheader.

  • Jan 17, 2014 12:43 AM   in reply to partTimeCrazy

    partTimeCrazy wrote:

    the problem seems to be that after I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

    The login framework is distinct from sessions. To connect the two, use the attribute loginStorage="session" in the cfapplication tag.

  • Jan 17, 2014 2:33 AM   in reply to partTimeCrazy

    partTimeCrazy wrote:

    one question though: how does ColdFusion know what is login information, to store it in the session?

    Ah, I can see where this is coming from. You said earlier,

    after I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

    Remember the distinction between login and sessions that I mentioned? This is where it comes into play.


    Login and session do not necessarily have to have the same timeout. A session may outlive a login. Imagine a user being logged in, to perform security-conscious activities on a site, but then continuing with the same session after having been logged out.


    You should use the login framework, not sessions, to verify whether a user is logged in. I will assume you are using the cflogin and cfloginuser tags for login. See the documentation on cflogin for details on how to implement the tag.

    <!--- Login timeout = 2700 seconds = 45 minutes --->
    <cflogin idletimeout="2700">
        <cfloginuser name="xyz" password="123" roles="admin">
    </cflogin>


    This code instructs ColdFusion to log the user out if he is idle for 45 minutes. Let us then suppose that the user continues to be active. Suppose also that you use the attribute loginStorage="session" in the cfapplication tag.


    Then ColdFusion will run the cflogin tag the first time, but will skip it on subsequent occasions. ColdFusion will continue skipping it until one of two things happens: either it processes the cflogout tag or the session times out (remember that the session stores the login).


    As long as the user is logged in, the function getAuthUser() will return "xyz". When the user is no longer logged in, the function returns an empty string. The following is therefore a more accurate login test:


    <cfif trim(getAuthUser()) is not "">
        <!--- Then user is logged in --->
    </cfif>

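Combining the Application.cfc pseudo-constructor settings from the earlier reply with BKBK's cflogin and loginStorage="session" advice, here is an added example Application.cfc that ties the two timeouts together; it is not code from any post in this thread, and the application name, loginForm.cfm, the sample user store and the isValidUser() helper are assumptions made for illustration.

```cfml
<!--- Application.cfc (added example, not code from this thread). The app name,
      loginForm.cfm, the sample user store and isValidUser() are assumptions. --->
<cfcomponent output="false">

    <cfset this.name = "myAppName" />
    <cfset this.sessionManagement = true />
    <!--- 45-minute idle timeout. The CF Admin "Maximum Timeout" for session
          variables caps this value, so a 10-minute cap in the Admin wins. --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 45, 0) />
    <!--- Keep the cflogin state in the session so login and session share
          one lifetime instead of the default cookie-based login storage. --->
    <cfset this.loginStorage = "session" />

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true" />

        <!--- The cflogin body runs only while nobody is logged in. With
              loginStorage="session", ColdFusion skips it on later requests
              until cflogout runs or the session itself times out. --->
        <cflogin idletimeout="2700">
            <cfif structKeyExists(form, "username")
                  and structKeyExists(form, "password")
                  and isValidUser(form.username, form.password)>
                <cfloginuser name="#form.username#" password="#form.password#" roles="user" />
            <cfelse>
                <!--- Show the login form and stop processing the requested page. --->
                <cfinclude template="loginForm.cfm" />
                <cfreturn false />
            </cfif>
        </cflogin>

        <!--- From here on getAuthUser() returns the logged-in name; pages should
              test that rather than a hand-set session.userID variable. --->
        <cfreturn true />
    </cffunction>

    <!--- Constructed sample credential check: a real app queries a user table
          and stores salted hashes. hash() returns uppercase hex, so the two
          digests are compared case-sensitively with compare(). --->
    <cffunction name="isValidUser" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true" />
        <cfargument name="password" type="string" required="true" />
        <cfset var users = { "alice" = hash("correct horse battery", "SHA-256") } />
        <cfreturn structKeyExists(users, arguments.username)
                  and compare(users[arguments.username], hash(arguments.password, "SHA-256")) eq 0 />
    </cffunction>

</cfcomponent>
```

Because the login lives in the session, an active user stays logged in past the 45-minute mark as long as requests keep arriving; only idleness longer than idletimeout, a cflogout, or the session expiring ends the login.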
  • Jan 17, 2014 6:53 AM   in reply to BKBK

    Sounds like BKBK rounded up this issue pretty well. Once we realized the issue here isn't session timeout, but premature logout, I think what he said will hit the problem on the head. Hope to hear that's true, but if not, keep firing out questions.