
Problem with session and long domain name in Chrome

Explorer, Apr 21, 2014

Does someone know if there is a limitation in Chrome on creating session variables when the domain name is long?

For example, I have a domain like this one:

http://www.abcdefghijklmnopqrstuxyz12345678.com.mx/

I have my index with the user login, and when I validate the account, if it is correct, I create the session variable and do a cflocation to the user home page.

<CFSET SESSION.AuthCte = StructNew()>
<CFSET SESSION.AuthCte.IsLoggedIn = "Yes">
<cflocation url="userhome.cfm" addtoken="no">

But the userhome.cfm detects that the SESSION.AuthCte.IsLoggedIn variable is not defined.

If I use the IP instead of the domain name, it works.

It works too if I put addtoken="yes".

If I use the IE browser with the domain name, it works.

Regards!

Enthusiast, Apr 22, 2014

Community Expert, Apr 22, 2014

I have a number of questions. What is your ColdFusion version? Do you use Application.cfm or Application.cfc? Could you show us the code that sets up the application, that is, the code for applicationtimeout, sessiontimeout, setClientCookies, etc.? Do you set the session cookies manually, for example, using the cfcookie tag?

Explorer, Apr 22, 2014

Hi BKBK,

I'm using CF10 and Application.cfc.

<!--- Define the application settings. --->
<cfset THIS.name= "GuarderiasGMX2"/>
<cfset THIS.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />
<cfset THIS.sessionManagement = true />
<cfset THIS.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />

I don't use cookies to set the session. I only use cfcookie to kill the session in the application.cfc when the user signs out.

<cffunction
    name="onRequestStart"
    access="public"
    returntype="boolean"
    output="false"
    hint="I initialize the page request.">

    <!--- Define the local scope.--->
    <cfset var local = {} />

    <!--- --------------------------------------------- --->
    <!--- --------------------------------------------- --->

    <!---
        Check to see if we killed the session timeout in the
        pseudo constructor. If we did, we can / should now
        kill the cookies for the current session and then
        redirect such that the user can get their new session.
    --->
    <cfif structKeyExists( url, "killSession" )>

        <!---
            Clear all of the session cookies. This will
            expire them on the user's computer when the
            CFLocation executes.
        --->
        <cfloop
            index="local.cookieName"
            list="cfid,cftoken,cfmagic">

            <!--- Expire this session cookie. --->
            <cfcookie
                name="#local.cookieName#"
                value=""
                expires="now"
                />

        </cfloop>

        <!---
            Redirect back to the primary page (so that we don't
            have the killSession URL parameter visible).
        --->
        <cflocation
            url="index.cfm"
            addtoken="false"
            />

    </cfif>

    <!--- Return true so that the page request continues. --->
    <cfreturn true />

</cffunction>

Regards

Community Expert, Apr 22, 2014

I cannot imagine that this is caused by the length of the domain name. What Tribule says is correct. It is a general rule that you should not write session variables followed by a cflocation on the same page.

The expected behaviour of the cflocation tag is not only to redirect the browser to the new page, but also to instruct ColdFusion to stop executing the current page. So it can happen that the session setting fails to 'stick'.

The error is a blessing in disguise. It tells you your current login framework needs to be improved. That is just my opinion, of course.

To start with, you should never have to kill sessions to log a user out. There is a special tag for that, cflogout. To implement this, replace the code <cfif structKeyExists( url, "killSession" )> with <cfif structKeyExists( url, "logout" )>. Then create the page logout.cfm and put <cflogout> in it. You may optionally add text like <h3>You have logged out.</h3> to it, and a link that points to the login page.

If, after testing for login, the validation is successful, use <cflogin><cfloginuser name="xxx" password="yyy" roles="z"></cflogin> to log the user in. Once the user is logged in, the ColdFusion function getAuthUser() will contain the value of the name attribute of the cfloginuser tag, for example, xxx in this example.

By default, getAuthUser() returns an empty string. You can therefore use it to test whether or not the user is logged in.

You now have much neater login logic. If the current page is index.cfm and getAuthUser() is non-empty, for example, then ColdFusion does a cflocation to userhome.cfm. If getAuthUser() is an empty string, then ColdFusion includes index.cfm.

I should add that the best place for this code is onRequestStart. Furthermore, you can store the login information in the session scope. To do so, set this.loginStorage="session" in Application.cfc. There then is the connection between session and login.

Feel free to return here with any questions you may have. Happy coding!

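One way to wire up the login flow described in the answer above, as an added example that is not code from the thread or from any poster. The validateUser() stand-in, the form field names username and password, the role name user, and the redirect for pages other than index.cfm are assumptions.

```cfml
<!--- Application.cfc (added example). validateUser() and the form field names are hypothetical. --->
<cfcomponent output="false">
    <cfset this.name = "GuarderiasGMX2" />
    <cfset this.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />
    <!--- Tie the cflogin state to the session scope. --->
    <cfset this.loginStorage = "session" />

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <cfset var pageName = listLast( arguments.targetPage, "/" ) />

        <!--- logout.cfm?logout=1: cflogout replaces expiring cfid/cftoken by hand. --->
        <cfif structKeyExists( url, "logout" )>
            <cflogout />
        </cfif>

        <!--- The cflogin body runs only while no user is logged in. --->
        <cflogin>
            <cfif structKeyExists( form, "username" ) and structKeyExists( form, "password" )
                  and validateUser( form.username, form.password )>
                <cfloginuser name="#form.username#" password="#form.password#" roles="user" />
            </cfif>
        </cflogin>

        <!--- getAuthUser() stays an empty string until cfloginuser has run. --->
        <cfif len( getAuthUser() ) and pageName eq "index.cfm">
            <cflocation url="userhome.cfm" addtoken="false" />
        <cfelseif not len( getAuthUser() ) and not listFindNoCase( "index.cfm,logout.cfm", pageName )>
            <!--- Assumption: a protected page requested without a login goes back to the login form. --->
            <cflocation url="index.cfm" addtoken="false" />
        </cfif>
        <cfreturn true />
    </cffunction>

    <cffunction name="validateUser" access="private" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true" />
        <cfargument name="password" type="string" required="true" />
        <!--- Stand-in with a constructed demo account; replace with the real account lookup. --->
        <cfreturn arguments.username eq "demo" and compare( arguments.password, "constructed-demo-password" ) eq 0 />
    </cffunction>
</cfcomponent>
```

With this in place, userhome.cfm no longer needs to test SESSION.AuthCte.IsLoggedIn; a request that reaches it has already passed the getAuthUser() check in onRequestStart.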
Community Beginner, Apr 22, 2014

The session not setting correctly on a page with a cflocation has been fixed in CF7 and above, I believe.

Community Expert, Apr 22, 2014

@DanWilson, I would agree with you. (Though I cannot remember when the fix occurred). I expect the settings sessionManagement and sessionTimeout to be sufficient to maintain the session.

However, why do some developers continue to see such issues? Can you puzzle out why, in this case, sessions are maintained with IP address, but not with domain name? Why the application fails on Chrome, but works as expected on Internet Explorer?

While I do not believe there to be a bug, I do believe your code will be open to side-effects if you write session variables, then do a cflocation without token on the same page. By side-effect I mean any underlying requests, threads or processes that can end the current session or begin a new one. The cflocation opens Application.cfc, for sure, and, perhaps, a can of worms besides.

Explorer, Apr 22, 2014

Thanks, I will improve my authentication like you said.

Regards.
