Hi all,
My firm recently upgraded to all new CF 10 servers (clean install no upgrade), and we are going through testing before we launch them in production.
I have come across an issue where the sessions are not being maintained across requests.
The application login functionality no longer works at all... testing the same code on CF9 yields expected and desired results.
----------------------------------
To test, I created a folder with an Application.cfc and an index.cfm.
I placed a copy of the folder on the root of both the CF9 and CF10 servers.
Loaded the index.cfm page on each and then just hit the refresh button on the browser.
All the index.cfm page does is dump the session & cookie scopes.
RESULTS
CF9:
- SESSIONID stays the same upon each request
- CFID stays the same
- CFTOKEN stays the same
...as expected results
Initial Page Load:

| Session scope (struct) | |
|---|---|
| sessionid | 8430fefbf6988bab4bbc3724627d6a323351 |
| urltoken | CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351 |
| username | Bill |

| Cookie scope (struct) | |
|---|---|
| CFID | 64848 |
| CFTOKEN | 25813868 |
| JSESSIONID | 8430fefbf6988bab4bbc3724627d6a323351 |

Refresh 2:

| Session scope (struct) | |
|---|---|
| sessionid | 8430fefbf6988bab4bbc3724627d6a323351 |
| urltoken | CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351 |
| username | Bill |

| Cookie scope (struct) | |
|---|---|
| CFID | 64848 |
| CFTOKEN | 25813868 |
| JSESSIONID | 8430fefbf6988bab4bbc3724627d6a323351 |

Refresh 3:

| Session scope (struct) | |
|---|---|
| sessionid | 8430fefbf6988bab4bbc3724627d6a323351 |
| urltoken | CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351 |
| username | Bill |

| Cookie scope (struct) | |
|---|---|
| CFID | 64848 |
| CFTOKEN | 25813868 |
| JSESSIONID | 8430fefbf6988bab4bbc3724627d6a323351 |
CF10:
- SESSIONID changes on every SECOND request
- CFID changes every request
- CFTOKEN changes every request
...not as expected whatsoever
Initial Page Load:

| Session scope (struct) | |
|---|---|
| sessionid | BBEB2834CFE5CABC214714BC9984C35B.cfusion |
| urltoken | CFID=2199631&CFTOKEN=87302470&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion |

| Cookie scope (struct) | |
|---|---|
| CFID | 2199631 |
| CFTOKEN | 87302470 |
| JSESSIONID | A8374BAF078DCD9216870113F0A7E32B.cfusion |

Refresh 1:

| Session scope (struct) | |
|---|---|
| sessionid | BBEB2834CFE5CABC214714BC9984C35B.cfusion |
| urltoken | CFID=2199791&CFTOKEN=22231763&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion |

| Cookie scope (struct) | |
|---|---|
| CFID | 2199791 |
| CFTOKEN | 22231763 |
| JSESSIONID | BBEB2834CFE5CABC214714BC9984C35B.cfusion |

Refresh 2:

| Session scope (struct) | |
|---|---|
| sessionid | 1C3645A75E85F7AEDAEBA9F90474DF83.cfusion |
| urltoken | CFID=2199867&CFTOKEN=96194295&jsessionid=1C3645A75E85F7AEDAEBA9F90474DF83.cfusion |

| Cookie scope (struct) | |
|---|---|
| CFID | 2199867 |
| CFTOKEN | 96194295 |
| JSESSIONID | BBEB2834CFE5CABC214714BC9984C35B.cfusion |
WTH???
Here is a copy of my Application.cfc:
```cfml
/**
@Title "Application.cfc reference in CFScript for Coldfusion 9"
@description "This component includes all Application.cfc methods and variables, set to their default values (if applicable). Please note that default values are not always desirable, and some methods or variables should be modified or removed depending on the situation."
@author "Russ Spivey (http://cfruss.blogspot.com)"
@dateCreated "November 29, 2009"
@licence "This work is licensed under the Creative Commons Attribution 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA."
@Hint "You implement methods in Application.cfc to handle ColdFusion application events and set variables in the CFC to configure application characteristics."
*/
component output="false" {

    /* **************************** APPLICATION VARIABLES **************************** */

    // The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context.
    THIS.name = "Test";
    // Life span, as a real number of days, of the application, including all Application scope variables.
    THIS.applicationTimeout = createTimeSpan(0, 1, 0, 0);
    // Whether the application supports Client scope variables.
    THIS.clientManagement = false;
    // Where Client variables are stored; can be cookie, registry, or the name of a data source.
    //THIS.clientStorage = "registry"; //cookie||registry||datasource
    // Contains ColdFusion custom tag paths.
    THIS.customTagPaths = "";
    // The Google Maps API key required to embed Google Maps in your web pages.
    THIS.googleMapKey = "";
    // Name of the data source from which the query retrieves data.
    THIS.datasource = "";
    // Whether to store login information in the Cookie scope or the Session scope.
    THIS.loginStorage = "cookie"; //cookie||session
    // A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value.
    THIS.mappings = {};
    // Whether to enable validation on cfform fields when the form is submitted.
    THIS.serverSideFormValidation = true;
    // Whether the application supports Session scope variables.
    THIS.sessionManagement = true;
    // Life span, as a real number of days, of the user session, including all Session variables.
    THIS.sessionTimeout = createTimeSpan(0, 0, 20, 0);
    // Whether to send CFID and CFTOKEN cookies to the client browser.
    THIS.setClientCookies = true;
    // Whether to set CFID and CFTOKEN cookies for a domain (not just a host).
    THIS.setDomainCookies = false;
    // Whether to protect variables from cross-site scripting attacks.
    THIS.scriptProtect = false;
    // A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.
    THIS.secureJSON = false;
    // The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.
    THIS.secureJSONPrefix = "";
    // A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found.
    THIS.welcomeFileList = "";
    // A struct that contains the following values: server, username, and password. If no value is specified, takes the value in the administrator.
    THIS.smtpServersettings = {};
    // Request timeout. Overrides the default administrator settings.
    THIS.timeout = 30; // seconds
    // A list of ip addresses that need debugging.
    THIS.debugipaddress = "";
    // Overrides the default administrator settings. It does not report compile-time exceptions.
    THIS.enablerobustexception = false;

    /* ORM variables */

    // Specifies whether ORM should be used for the ColdFusion application. Set the value to true to use ORM. The default is false.
    THIS.ormenabled = false;
    // The struct that defines all the ORM settings. Documentation: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSED380324-6CBE-47cb-9E5E-26B66ACA9E81.html
    THIS.ormsettings = {};
    // note: THIS.datasource applies to cfquery as well as ORM. It is defined on line 31.

    /* **************************** APPLICATION METHODS **************************** */

    /**
    @Hint "Runs when an application times out or the server is shutting down."
    @ApplicationScope "The application scope."
    */
    public void function onApplicationEnd(struct ApplicationScope=structNew()) {
        return;
    }

    /**
    @Hint "Runs when ColdFusion receives the first request for a page in the application."
    */
    public boolean function onApplicationStart() {
        return true;
    }

    /**
    @Hint "Intercepts any HTTP or AMF calls to an application based on CFC request."
    @cfcname "Fully qualified dotted path to the CFC."
    @METHOD "The name of the method invoked."
    @args "The arguments (struct) with which the method is invoked."
    */
    // args is declared as struct (it was typed string above, which fails type validation when ColdFusion passes the argument struct)
    public void function onCFCRequest(required string cfcname, required string method, required struct args) {
        return;
    }

    /**
    @Hint "Runs when an uncaught exception occurs in the application."
    @Exception "The ColdFusion Exception object. For information on the structure of this object, see the description of the cfcatch variable in the cfcatch description."
    @EventName "The name of the event handler that generated the exception. If the error occurs during request processing and you do not implement an onRequest method, EventName is the empty string."
    note: This method is commented out because it should only be used in special cases
    */
    /*
    public void function onError(required any Exception, required string EventName) {
        return;
    }
    */

    /**
    @Hint "Runs when a request specifies a non-existent CFML page."
    @TargetPage "The path from the web root to the requested CFML page."
    note: This method is commented out because it should only be used in special cases
    */
    /*
    public boolean function onMissingTemplate(required string TargetPage) {
        return true;
    }
    */

    /**
    @Hint "Runs when a request starts, after the onRequestStart event handler. If you implement this method, it must explicitly call the requested page to process it."
    @TargetPage "Path from the web root to the requested page."
    note: This method is commented out because it should only be used in special cases
    */
    /*
    public void function onRequest(required string TargetPage) {
        return;
    }
    */

    /**
    @Hint "Runs at the end of a request, after all other CFML code."
    */
    public void function onRequestEnd() {
        return;
    }

    /**
    @Hint "Runs when a request starts."
    @TargetPage "Path from the web root to the requested page."
    */
    public boolean function onRequestStart(required string TargetPage) {
        return true;
    }

    /**
    @Hint "Runs when a session ends."
    @SessionScope "The Session scope"
    @ApplicationScope "The Application scope"
    */
    public void function onSessionEnd(required struct SessionScope, struct ApplicationScope=structNew()) {
        return;
    }

    /**
    @Hint "Runs when a session starts."
    */
    public void function onSessionStart() {
        return;
    }
}
```
So did Adobe really ship a broken product??
Here are a list of other people with the same issues:
http://forums.adobe.com/message/5692829
http://forums.adobe.com/thread/1017340
http://forums.adobe.com/thread/1022637
http://forums.adobe.com/thread/1272465
http://forums.adobe.com/message/5696193
https://bugbase.adobe.com/index.cfm?event=bug&id=3572565
http://www.petefreitag.com/item/817.cfm
http://forums.adobe.com/thread/1199835
I have spent several days at this... if I missed some obvious configuration I would be upset with myself, but relieved it was fixable. As of right now, I can't move my code to this new production environment as logging into the application is not even possible.
Thanks
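The refresh test described in this post, turned into a script. This is an added example, not code from the thread: it reuses one cookie jar (one "browser") across refreshes and counts how often CFID, CFTOKEN and JSESSIONID change, which is exactly the comparison done by hand above. The sample snapshots are constructed from the cookie-scope values in the two dumps; `probe()` is a helper for running it against a real test page.

```python
from http.cookiejar import CookieJar
from typing import Dict, List
from urllib.request import HTTPCookieProcessor, build_opener

# Identifiers the thread compares across refreshes (the cookie scope dumped by index.cfm).
IDENTIFIERS = ("CFID", "CFTOKEN", "JSESSIONID")
Snapshot = Dict[str, str]  # identifier name -> value the client holds after a request


def churn_report(snapshots: List[Snapshot]) -> Dict[str, int]:
    """Per identifier, count the refreshes on which the client's value differed from
    the previous request. An identifier the client no longer holds counts as a change."""
    report = {name: 0 for name in IDENTIFIERS}
    for prev, cur in zip(snapshots, snapshots[1:]):
        for name in IDENTIFIERS:
            if cur.get(name) != prev.get(name):
                report[name] += 1
    return report


def session_is_stable(snapshots: List[Snapshot]) -> bool:
    """True only if every identifier was held after every request and never changed,
    which is what the CF9 run shows and what a login that survives requests needs."""
    if not snapshots or any(n not in s for s in snapshots for n in IDENTIFIERS):
        return False
    return not any(churn_report(snapshots).values())


def probe(url: str, refreshes: int = 3) -> List[Snapshot]:
    """Load url once, then refresh it, reusing one cookie jar; record the identifiers the
    jar holds after each response. Network helper for a real test page; the offline
    sample below does not call it."""
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))
    snapshots: List[Snapshot] = []
    for _ in range(refreshes + 1):
        opener.open(url).read()
        snapshots.append({c.name.upper(): c.value for c in jar if c.name.upper() in IDENTIFIERS})
    return snapshots


# Constructed sample snapshots, modelled on the cookie-scope dumps posted in the thread.
CF9_SAMPLE = [{"CFID": "64848", "CFTOKEN": "25813868",
               "JSESSIONID": "8430fefbf6988bab4bbc3724627d6a323351"}] * 3
CF10_SAMPLE = [
    {"CFID": "2199631", "CFTOKEN": "87302470", "JSESSIONID": "A8374BAF078DCD9216870113F0A7E32B.cfusion"},
    {"CFID": "2199791", "CFTOKEN": "22231763", "JSESSIONID": "BBEB2834CFE5CABC214714BC9984C35B.cfusion"},
    {"CFID": "2199867", "CFTOKEN": "96194295", "JSESSIONID": "BBEB2834CFE5CABC214714BC9984C35B.cfusion"},
]

if __name__ == "__main__":
    for label, sample in (("CF9", CF9_SAMPLE), ("CF10", CF10_SAMPLE)):
        verdict = "stable" if session_is_stable(sample) else "NOT stable"
        print(label, churn_report(sample), verdict)
```

Run against the CF10 sample it reports CFID and CFTOKEN changing on both refreshes and JSESSIONID once, matching the "every request" and "every second request" pattern in the post.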
Hi John, Although you listed my blog entry as someone who is having this problem, the problems I have seen were resolvable using one of the suggestions in my blog entry. One thing I did notice is that you have THIS.setClientCookies = true; in your Application.cfc but you do not need CF to set the client cookies (CFID and CFTOKEN) since you are using J2EE sessions and are not using client variables. So try setting that to false and clear your browser cookies. Does that make any difference? I've taken your Application.cfc and created an index.cfm with dumping session and cookie scopes and I am not seeing the same results as you. The session stays. Do you experience the problem on all browsers or just one? If just one, does the problem go away after clearing cookies or not? Can you list the steps you have taken to install and configure CF?
Thanks for replying, Peter.
I will re-read the link I included from your site.
As I was researching the issue, I made a collection of links and may have incorrectly included yours.
I am now seeing that a separate application on the same server is apparently holding on to the session as expected.
Another developer and I have tested this scenario on 3 separate physical servers that were set up at the same time.
The servers are Windows 2008 R2 boxes running CF10 with separate websites & dedicated IPs set up in IIS.
So, as a separate route to investigate, could there be an IIS mis-config that may cause this issue? (I know, I am grasping at straws here.)
EDIT: I made the change as you suggested and am still experiencing the same behavior.
* moved other edits to their own thread
Test this, it's working
Application.cfc

```cfml
<cfcomponent>
    <cfset this.name = "SessionApp" />
    <cfset this.sessionmanagement = "true" />
    <cfset this.sessiontimeout = createTimeSpan(0,5,0,0) />
</cfcomponent>
```

index.cfm

```cfml
<cfset Session.svar="Adobe">
<cfdump var="#Session#" />
<cfscript>
    hostaddress = createObject("java", "java.net.InetAddress").localhost.getHostAddress();
    instancename = createobject("component","CFIDE.adminapi.runtime").getinstancename();
</cfscript>
IP Address: <cfdump var="#hostaddress#"><br />
Instance Name : <cfdump var="#instancename#">
```
Hi vishu,
When you saw it's working, do you mean that it is working as expected or exhibiting the same behavior that I am experiencing?
It's working as expected. Session ID, CFID, CFTOKEN remain the same every time you refresh the web page.
Thanks for clarifying, vishu.
I could not reproduce the behaviour you observe. I copied your code for Application.cfc, word for word. I then created the following file in the same directory:
index.cfm

```cfml
<cfdump var="#session#">
<cfdump var="#cookie#">
```
I ran the page, and refreshed it several times. The values of the session and cookie variables stayed the same each time, as expected.
The following likely reasons may explain why you are having the problem and I am not:
1. You are running the original version of ColdFusion 10, whereas my version of ColdFusion 10 has all the updates and hot fixes.
2. You have used cflogin - implied by the existence of a username - whereas I have not. If you use cflogin in the pre-ColdFusion-10 way, you might encounter problems with maintaining sessions. That is because Adobe's ColdFusion Team has changed the behaviour of cflogin in ColdFusion 10.
Hi BKBK,
Thank you for replying.
We are not using cflogin, but I will read the article you linked to see if there is anything that pops out at me.
John.Elkins wrote:
We are not using cflogin...
However, some other login process is apparently involved in the page request. That can start up a new session, if not coded properly.
In fact my guess is that that is what is happening. In any case, this is about whether or not session is maintained. To test this cleanly, you have to exclude all code involved with the login process.
ISSUE RESOLVED:
BKBK,
You were correct...
I failed to mention that the application that is dropping the session is also using the Portcullis XSS/SQL Injection prevention script from RIAForge.
It is not listed as being compatible with CF10... removing it has resolved my issue entirely and the sessions are now being maintained.
Thank you all for your responses.
Regards,
John
BKBK wrote:
John.Elkins wrote:
We are not using cflogin...However, some other login process is apparently involved in the page request. That can start up a new session, if not coded properly.
In fact my guess is that that is what is happening. In any case, this is about whether or not session is maintained. To test this cleanly, you have to exclude all code involved with the login process.
John.Elkins wrote:
ISSUE RESOLVED:
It's nice to hear! Please kindly mark it as the correct answer. It is bound to help someone else in future.
The only difference between the two applications are the following:
- Sessions working application: website loads on normal "http" page and then login is done through "https" & not using a framework
- Sessions not working application: IIS redirect to "https" login occurs while already on "https" & using MG 3
The original test was done by dropping a directory in root called "test"... removing the original application code and replacing the root directory with just the test Application.cfc and index.cfm, and refreshing, produces expected behavior.
Q1: Shouldn't the Application.cfc in the "test" subdirectory override anything in the parent directory?
Q2: Does MG have any known incompatibilities with CF10... a cursory search seems to indicate it doesn't.
Thanks again for the help!
Model Glue has no issues with CF10.
I believe some developers (beyond Model Glue users) report issues with
sessions and CF10. Turning on J2EE sessions seems to fix the issue.
DW