CFID and CFTOKEN changes from page to page

It's not entirely clear whether this is sorted or not, but in case it's not or for future reference, I had this issue the other week. Turned out that Client Management in CFAdmin was still set to Registry, and the user CF was running as did not have access to the Registry, hence every page hit got a new ID.

Changed it to use a database for Cfclientstore, job done.

Are you having issues with client variables or session variables? If

you are not using client variables in your site you should turn them

off to simplify the troubleshooting. I see many sites with client

variables turned on, but very few sites actually use them.

-Mike Chabot

Also realize that the Browser and it's settings can affect the generation of CFID and CFTOKEN values.

These values are, usually, set as cookie values.  IF the browser, or anything between the browser and the server (virus|malware interceptors, proxy servers, etc) prevent these cookies from being saved and returned to the server with future requests, the server will generate a new set of values and return them to the client.

When diagnosing this type of difficulty one must follow the requests completely from one end of the conversation to the other... application server all the way to the client browser and back.

Session variables are associated with the browser using cookies, by default. So, it sounds to me like either the cookies aren't being set by the server, or they're not being returned by the browser. You can use a tool like Fiddler2 or HTTPWatch with IE to view HTTP traffic.

If the cookies aren't being set by the server, you may have turned that functionality off in your CFAPPLICATION tag (Application.cfm) or application properties (Application.cfc). If the cookies aren't being returned by the browser, you may have some settings in IE preventing this.

If you're using J2EE sessions, as someone else mentioned, you should see a JSESSIONID token instead. However, I don't think you'd see CFID and CFTOKEN at all in that case.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

When using J2EE session, the CFID and CFTOKEN will still show up in the

debugging output, CF just ignores them in favor of the JSESSIONID.

Thanks,

Eric Cobb

ECAR Technologies, LLC

http://www.ecartech.com

http://www.cfgears.com

We're not using J2EE session variables. The CFAPPLICATION tag is set properly. The session variables are being set and the admin page is being shown with links to the admin pages.  However, as soon as you click one of the links the session variables are lost.  Even if you go up to a drop down menu and click on something totally unrelated the session variables are lost on the next page.  We have a security cfc returning the user/admin to the logon screen as soon as they're lost. Something in the browser, server, or firewall is messing this all up.  Ideas?

FSUKXAZ wrote: Something in the browser, server, or firewall is messing this all up.  Ideas?

Fairly likely, yup.  Only idea I can think of is to track down what is "messing this all up."  Since you earlier said that this only happend with a subset of all the users, I would start with what is unique about those users.  Most likely their browsers and then their client machine.  Confirm that they are getting and returning the cookies.  If that does not pan out, start working back towards the server until you find what is causing the problem.

I suggest you use a tool like Fiddler2 or HTTPWatch to see if the server is sending the cookies, and if browser is returning them. Your browser may be ignoring the cookies altogether. Since you're using IE, you might also check your security settings in IE.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

If it's IE only, you may also want to look at what else you have open in

the browser (if anything). We ran into a problem once where Outlook Web

Access kills all authenticated sessions in IE 8. http://bit.ly/LxQF1

Thanks,

Eric Cobb

ECAR Technologies, LLC

http://www.ecartech.com

http://www.cfgears.com

Dave, we cannot use any tools like that.  We maintain these sites on classified networks and don't have permissions to download anything at all. Also, the servers are at remote locations. Lastly, we have no access and no control of security settings in IE. If that's an issue I can submit a ticket, but I would almost have to provide the solution to the people who do that work here on base. And again, everything works fine for us on another network running the same site and same code.

ilssac, you misunderstood. The admins are all users with vaying degree's of access.  Less than 20 people are in the total group. We all are the admins and this effects everyone in the group.  To be precise, that has nothing to do with the Session variables not persisting from page to page.

Good luck, then!

But seriously, if you can't use tools to do your job, you're kind of screwed. But there's probably someone in that environment who can use those tools - maybe not installing downloads from the internet, but a network administrator who has a traffic monitor and can view the requests and responses.

As for looking at IE, are you saying you can't view security settings? They might be grayed out, but you should be able to look at them. Are requests passed through a proxy server? You might be able to get the manager of the proxy server to let you view request traffic.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

But seriously, if you can't use tools to do your job, you're kind of screwed. But there's probably someone in that environment who can...

Ha ha!  Welcome to Kevin's and my world Dave!  Yeah, and the ones who can either don't care, or more importantly consider our group and our division a lower priority. We work in a constantly changing environment, and we're directly supporting the war fighter. Somehow we've been able to navigate through this sea of BS here for 4 years and actually get some quailty work done.  A good chunk of our time isn't coding, but is finding out ways around problems and coming up with solutions that aren't ideal but are fast, and in some crazy way, get the job done.

Oh, and another thought. You could log requests to CF, and then you could see if the requests contain the session cookies. Use GetHttpRequestData to read the appropriate headers.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

Oh, and another thought. You could log requests to CF, and then you could see if the requests contain the session cookies. Use GetHttpRequestData to read the appropriate headers.

This is a good idea.  We're going to try that.   I'll post the final solution when we get it. Thank you for your help!

Kevin Hausman wrote: IE issue?

IE or IE configuration are two real possibilities, and most definitly worth starting with.

But there are also other causes between the browser and the server that could be stripping the cookies.  So if the browser does not pan out, start looking at those.  I.E. Anit-spam|malwar tool, proxies, etc.