
Coldfusion session timing out too soon?

Explorer, Jan 14, 2014

I have ColdFusion 10 installed as our main server. I am using sessions to store some information and have set sessiontimeout=#CreateTimeSpan(0,0,45,0)# in the application file, but for some reason the session is timing out way before 45 mins - around 10 mins. Is there a reason for this? I thought having the timeout in the application file would overwrite anything set in the ColdFusion admin. Is this not true?

Thanks

TOPICS
Server administration

Enthusiast, Jan 14, 2014

Check the CF Admin.  The values set there can trump per-application settings.  So if the CF Admin states that the maximum size a session can be is 10 minutes, your app can tell CF to use more, but CF will only allow it to be as large as what's set in the Admin.

SERVER SETTINGS > MEMORY VARIABLES > MAXIMUM TIMEOUTS > SESSION VARIABLES

Also, FYI, you do not need to pound off the createTimespan() Built-in Function when you set it, ie, this is perfectly fine:

<cfset this.sessionTimeout = createTimespan( 0,0,45,0 ) />

Explorer, Jan 14, 2014

Thanks for the tip, but...

I've had a look in the admin and the maximum timeout for the session variable is currently set at 2 days and the default timeout is set at 45 minutes, so shouldn't that work just by default?

The full line of code I am using is:

<cfapplication name="xxxxxx" sessionmanagement="yes" setclientcookies="yes" sessiontimeout=#CreateTimeSpan(0,0,45,0)# />

Also the cookie timeout is set to 20 minutes; could that be part of the issue, or could there be something else that is causing the problem? The setting I am adding is in an application.cfm file rather than application.cfc as it was coming from an old version of ColdFusion. Also HTTPOnly is checked and so is '

Enthusiast, Jan 14, 2014

Oh.  I don't use the <cfapplication> tag.  In its implementation, you should not omit the encasing quotes. ColdFusion interprets values as best as it can, but just to be safe that values get translated and not lost in syntax, it would read ...sessiontimeout="#createTimeSpan( 0,0,45,0 )#" />

Personally, I use application.cfc, where you simply set the sessionManagement variable of the 'this' scope in the pseudo-constructor area (the areas outside of functions), ie:

<cfset this.name = 'myAppName' />
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan( 0,0,45,0 ) />
...
<cffunction name="onApplicationStart"...

What do you mean by cookie timeout?  If session management is enabled, then CF will attempt to set a cookie on the client machine which is subsequently sent back to CF on each request in order to maintain the session state.  Some browsers will let you inspect those cookies.  You could clear your cookies, make a request (creating and setting a new session cookie) and then inspect it to see if the timeout is set to 20 minutes from now or the intended 45.

Explorer, Jan 15, 2014

I've never set up an application.cfc so I'm not sure about the differences. (I was using ColdFusion 7 and upgraded to 10.)

I changed the cookie timeout under 'Session Cookie Settings' in the ColdFusion admin to be 45 minutes and it is keeping me logged in, but after the 45 minutes it logs me out even if I am actually using the site.

Bit confused to be honest!

Enthusiast, Jan 15, 2014

What are all your application settings?  I'm wondering if you're setting a cookie at a certain path under the site and then navigating to areas outside that path (where the cookie won't exist).

Explorer, Jan 15, 2014

There isn't anything like that in the application.cfm, just the

<cfapplication name="xxxxxx" sessionmanagement="yes" setclientcookies="yes" sessiontimeout=#CreateTimeSpan(0,0,45,0)# />

Everything else is about datasources, titles etc.

The thing is that the above code used to work for ColdFusion 7, and comparing the two admins the only difference I can see is that under Server Settings > Client Variables, where you select the default storage mechanism for Client Storage, on ColdFusion 10 it is set to Cookie but on ColdFusion 7 it is set to Registry. Could that be part of the problem as well?

Enthusiast, Jan 15, 2014

SESSION scope is different from the CLIENT scope.

Is your site using subdomains?  If so, you'll need to set the setDomainCookies attribute to true (again, in CFC we use this.setDomainCookies, but if you're still going to use the old application.cfm, see if there's a respective attribute for the <cfapplication> tag)

Try what I had suggested earlier. Get a good browser like Chrome, and inspect the CFID cookie that is set by ColdFusion.  See what its expiration is set to.  Is it 20 minutes from now or 45?

Explorer, Jan 16, 2014

I've had a look using Firebug and the CFID expiration seems to be coming from the 'Cookie Timeout' option under Session Cookie Settings. So does that mean after 45 minutes the cookie will expire and I will have to log in whether I am using the site or not? How do I prevent the user having to re-login if they are still using the site?

Enthusiast, Jan 16, 2014

The web is stateless.  For example.

Your PC > Makes a request to > Web Server

Web Server: Hi!, you have no cookie, this is your first visit here, here's your file.

Your PC > Makes another request to > Web Server

Web Server: Hi! you have no cookie, this is your first visit here, here's your file (even though this is your second visit to the site)

Thing is, without a cookie being set onto your PC (and subsequently provided to the server on each request), the Server has no idea who you are.  With cookies/sessions:

Your PC > Makes a request to > Web Server

Web Server > Sends a Cookie to > Your PC

Web Server: Hi, you now have a cookie, this is your first visit here, here's your file.

Your PC > Makes another request to > And sends its cookie it was previously given to > Web Server

Web Server > Checks to ensure cookie's related session data is available > Verified

Web Server: Hi, you've been here before, and I know who you are.  Here's your file.

Web Server > Updates the session timeout to be 45 mins from this point to > Your PC

Then, if you don't make another request within that timeout, when you make another request to the server, your session "Timed out", and the Server issues you a new cookie.

If Firebug says the cookie you have is being set to expire 45 minutes from when you request it, then the cookie is being set properly.  I notice you didn't answer whether your site is using subdomains.  Is this the case?

Explorer, Jan 16, 2014

Sorry, forgot to say: no, it isn't using subdomains.

If I read what you are saying correctly, then as long as I make a page request to the server within 45 minutes the cookie and the session should stay active?

But what seems to be happening is that even if I make page requests within the 45 minutes the session is still timing out and I have to re-log in, which seems odd to me, no?

Enthusiast, Jan 16, 2014

Yes. We've confirmed the cookie is being set with the proper value. Now we just have to troubleshoot the issue where your session is not staying maintained before that timeout value.

For clarification, you're repeatedly saying that you've been "logged out", but that isn't the problem we're troubleshooting, right?  We're looking as to why your session isn't being maintained.  "Logging in" is the process of going through authentication where you verify who you are to the server, it authenticates those credentials, and then can "log you in", often storing your information into the session.  The problem with the latter is that if you have code somewhere that is terminating the session or performing log out operation via improper misfire, this is different than a session that just seems to be lost at some point in requesting pages that are doing little more than presenting data.

Since you're not using subdomains, we don't have to worry about you navigating to other areas of the same domain.  Let's try this:

Make a page that just outputs this:

<cfoutput>#session#</cfoutput>

If you keep reloading that page, do the CFID/CFTOKEN values change?

By the by, what browser/version are you using?

Explorer, Jan 16, 2014

The problem seems to be that after I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

The code you had didn't work, so I used cfdump for the session. Continually reloading the page, the CFID/CFTOKEN values don't change at all, and I'm using Firefox (27).

Explorer, Jan 16, 2014

Also, the page I was just running did have all the sessions listed, but I've left it for about 10 mins and now it only shows the cfid, cftoken, sessionID and urltoken.

Enthusiast, Jan 16, 2014

My bad, I meant to type <cfdump> not <cfoutput> (yeah, you cannot output complex objects).

But it does sound like you're having an issue with CF-related login functionality.  Your session information staying put shows that your browser is accepting the cookie information, and it is persisting across requests.  That is good.  But it sounds to me like your issue now has to do with using CF's login  (or are you manually just setting data into the Session scope and assuming that is a "logged in" status?)

You state the page you had created had "All the sessions listed", but it should only be showing 1 session's worth of data.  A session is equivalent to your cookie's data from the server side.  For example.

CFID of 1 = User A's session scope data

CFID of 2 = User B's session scope data

etc.

Of course, that's an oversimplification of the process.  CF uses the combination of CFID/CFTOKEN to determine this.

I'm assuming you've placed data into the SESSION scope, and then are saying that after 10 minutes, this data no longer shows, and all you see are the CFID/CFTOKEN, etc?  Is that correct?  If that is the data you see, are the CFID/CFTOKEN still the correct values?  (ie, not changed)

If that's true, then the issue is you're executing code which is "Logging you out" (but not messing with your actual session at all).  In this event, sure, your session scope is losing variables in it, and the end result is you are seen as being logged out of your app, but the actual session is not being "rotated" (old expires and you're issued a new one).  Please verify this information before moving on.  It almost sounds to me like you have possible faulty logic that is executing and "logging you out", even though the session is still the same.

Community Expert, Jan 17, 2014

partTimeCrazy wrote:

The problem seems to be that after I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

The login framework is distinct from sessions. To connect the two, use the attribute loginStorage="session" in the cfapplication tag.

Explorer, Jan 17, 2014

OK, I've bumped up the cookie timeout to 1 day and added loginStorage to the application file and I'll see how it goes. One question though: how does ColdFusion know what is login information to store it in the session?

Also, I'd just like to thank you both (Aegis Kleais, BKBK) for taking the time to help. Really appreciated!

Community Expert, Jan 17, 2014

partTimeCrazy wrote:

One question though: how does ColdFusion know what is login information to store it in the session?

Ah, I can see where this is coming from. You said earlier,

after I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

Remember the distinction between login and sessions that I mentioned? This is where it comes into play.

Login and session do not necessarily have to have the same timeout. A session may outlive a login. Imagine a user being logged in, to perform security-conscious activities on a site, but then continuing with the same session after having been logged out.

You should use the login framework, not sessions, to verify whether a user is logged in. I will assume you are using the cflogin and cfloginuser tags for login. See the documentation on cflogin for details on how to implement the tag.

<!--- Login timeout = 2700 seconds = 45 minutes --->
<cflogin idletimeout="2700">
<cfloginuser name="xyz" password="123" roles="admin">
</cflogin>

This code instructs ColdFusion to log the user out if he is idle for 45 minutes. Let us then suppose that the user continues to be active. Suppose also that you use the attribute loginStorage="session" in the cfapplication tag.

Then ColdFusion will run the cflogin tag the first time, but will skip it on subsequent occasions. ColdFusion will continue skipping it until one of 2 things happens: either it processes the cflogout tag or the session times out (remember that the session stores the login).

As long as the user is logged in, the function getAuthUser() will return "xyz". When the user is no longer logged in, the function returns an empty string. The following is therefore a more accurate login test:

<cfif trim(getAuthUser()) is not "">
<!--- Then user is logged in --->
</cfif>
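
An added example, not code from any poster in this thread: a diagnostic page that separates the cases discussed above (session scope replaced, login data missing from a surviving session, login tracked only through session.userID). The file name sessionCheck.cfm and the session.diagCreated key are assumptions, and the page must live inside the same application so that it shares the session.

```cfml
<!--- sessionCheck.cfm: added diagnostic example.
      The file name and the session.diagCreated key are hypothetical;
      session.userID is the variable named in the question. --->

<!--- Stamp the session scope once. A missing stamp on a later request means
      ColdFusion built a fresh, empty session scope for this browser,
      whether or not the CFID/CFTOKEN values look the same. --->
<cfset isNewSession = not structKeyExists( session, "diagCreated" ) />
<cfif isNewSession>
    <cfset session.diagCreated = now() />
</cfif>

<!--- Session identifiers act as credentials, so show a short hash only. --->
<cfset fingerprint = left( hash( session.sessionid, "SHA-256" ), 12 ) />
<cfset ageMinutes  = dateDiff( "n", session.diagCreated, now() ) />
<cfset hasUserID   = structKeyExists( session, "userID" ) />
<cfset authUser    = trim( getAuthUser() ) />

<cfif isNewSession>
    <cfset verdict = "Fresh session scope: first visit, server-side timeout, or the cookie was not sent." />
<cfelseif authUser is "" and not hasUserID>
    <cfset verdict = "Session kept, no login data: never logged in, login expired, or code cleared it." />
<cfelseif authUser is "" and hasUserID>
    <cfset verdict = "session.userID is set but cflogin reports no user: the app tracks login by hand." />
<cfelse>
    <cfset verdict = "Session kept and cflogin user present." />
</cfif>

<cfoutput>
<table border="1" cellpadding="4">
    <tr><td>Session fingerprint</td><td>#fingerprint#</td></tr>
    <tr><td>Session scope created</td>
        <td>#dateFormat( session.diagCreated, "yyyy-mm-dd" )# #timeFormat( session.diagCreated, "HH:mm:ss" )#</td></tr>
    <tr><td>Session age (minutes)</td><td>#ageMinutes#</td></tr>
    <tr><td>CFID cookie sent by browser</td><td>#yesNoFormat( structKeyExists( cookie, "CFID" ) )#</td></tr>
    <tr><td>session.userID defined</td><td>#yesNoFormat( hasUserID )#</td></tr>
    <tr><td>getAuthUser()</td><td>#encodeForHTML( authUser )#</td></tr>
    <tr><td>Verdict</td><td>#verdict#</td></tr>
</table>
</cfoutput>
```

Load it right after logging in and again at intervals while browsing; a changed "Session scope created" time marks the request on which the session scope was replaced.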

Enthusiast, Jan 17, 2014

Sounds like BKBK rounded up this issue pretty well.  Once we realized the issue here isn't session timeout, but premature logout, I think what he said will hit the problem on the head.  Hope to hear that's true, but if not, keep firing out questions.

Community Expert, Jan 17, 2014

partTimeCrazy wrote:

... Also the cookie timeout is set to 20 minutes, could that be part of the issue

Perhaps. I would set it to 1440 minutes (1 day), to be on the safe side.

... 'Disable updating ColdFusion internal cookies using ColdFusion tags/functions' but I'm not sure what that means.

Checking that option is a security measure. If you do, the server will disallow any attempt to update cookies by means of functions or tags like cfcookie and cfheader.
