7 Replies Latest reply on Apr 23, 2014 12:20 AM by BKBK

    Problem with session and long domain name in Chrome


      Does someone know if there is a limitation in Chrome on creating session variables when the domain name is long?


      For example, I have a domain like this one




      I have my index page with the user login, and when I validate the account, if it is correct, I create the session variable and do a cflocation to the user home page.



      <CFSET SESSION.AuthCte = StructNew()>
      <CFSET SESSION.AuthCte.IsLoggedIn = "Yes">
      <cflocation url="userhome.cfm" addtoken="no">


      But the userhome.cfm detects that the SESSION.AuthCte.IsLoggedIn variable is not defined.


      If I use the IP instead of the domain name, it works.


      It works too if I put addtoken="yes".


      If I use the IE browser with the domain name it works.





        • 2. Re: Problem with session and long domain name in Chrome
          BKBK Adobe Community Professional & MVP

          I have a number of questions. What is your ColdFusion version? Do you use Application.cfm or Application.cfc? Could you show us the code that sets up the application, that is, the code for applicationtimeout, sessiontimeout, setClientCookies, etc.?  Do you set the session cookies manually, for example, using the cfcookie tag?

          • 3. Re: Problem with session and long domain name in Chrome
            zamvil Level 1

            Hi BKBK,


            I'm using CF10 and Application.cfc


            <!--- Define the application settings. --->

            <cfset THIS.name= "GuarderiasGMX2"/>

            <cfset THIS.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />

            <cfset THIS.sessionManagement = true />

            <cfset THIS.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />


            I don't use cookies to set the session. I only use cfcookie to kill the session in the Application.cfc when the user signs out.







            hint="I initialize the page request.">

            <!--- Define the local scope. --->
            <cfset var local = {} />

            <!--- --------------------------------------------- --->
            <!--- --------------------------------------------- --->

            <!---
            Check to see if we killed the session timeout in the
            pseudo constructor. If we did, we can / should now
            kill the cookies for the current session and then
            redirect such that the user can get their new session.
            --->
            <cfif structKeyExists( url, "killSession" )>

            <!---
            Clear all of the session cookies. This will
            expire them on the user's computer when the
            CFLocation executes.
            --->

            <!--- Expire this session cookie. --->

            <!---
            Redirect back to the primary page (so that we don't
            have the killSession URL parameter visible).
            --->


            • 4. Re: Problem with session and long domain name in Chrome
              BKBK Adobe Community Professional & MVP

              I cannot imagine that this is caused by the length of the domain name. What Tribule says is correct. It is a general rule that you should not write session variables followed by a cflocation on the same page.


              The expected behaviour of the cflocation tag is not only to redirect the browser to the new page, but also to instruct ColdFusion to stop executing the current page. So it can happen that the session setting fails to 'stick'.


              The error is a blessing in disguise. It tells you your current login framework needs to be improved. That is just my opinion, of course.


              To start with, you should never have to kill sessions to log a user out. There is a special tag for that, cflogout. To implement this, replace the code <cfif structKeyExists( url, "killSession" )> with <cfif structKeyExists( url, "logout" )>. Then create the page logout.cfm and put <cflogout> in it.  You may optionally add text like <h3>You have logged out.</h3> to it, and a link that points to the login page.


              If, after testing for login, the validation is successful, use <cflogin><cfloginuser name="xxx" password="yyy" roles="z"></cflogin> to log the user in. Once the user is logged in, the ColdFusion function getAuthUser() will contain the value of the name attribute of the cfloginuser tag, for example, xxx in this example.


              By default, getAuthUser() returns an empty string. You can therefore use it to test whether or not the user is logged in.


              You now have much neater login logic. If the current page is index.cfm and getAuthUser() is non-empty, for example, then ColdFusion does a cflocation to userhome.cfm. If getAuthUser() is an empty string, then ColdFusion includes index.cfm.


              I should add that the best place for this code is onRequestStart. Furthermore, you can store the login information in the session scope. To do so, set this.loginStorage="session" in Application.cfc. There then is the connection between session and login.


              Feel free to return here with any questions you may have. Happy coding!
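The login flow described in the reply above (cflogin, cfloginuser, getAuthUser(), cflogout, onRequestStart and loginStorage), put together as an added example; it is not code from any poster in this thread. The `checkCredentials` helper, the form field names `username` and `password`, the `user` role, the demo account and running `cflogout` directly in `onRequestStart` are assumptions made for illustration.

```cfml
<!--- Application.cfc: added example, not code from the thread --->
<cfcomponent output="false">
    <cfset this.name = "GuarderiasGMX2">
    <cfset this.applicationTimeout = createTimeSpan(0, 1, 0, 0)>
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 1, 0, 0)>
    <!--- Keep the login in the session scope, so it ends when the session does. --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset local.page = listLast(arguments.targetPage, "/")>

        <!--- Log out on ?logout instead of expiring the session cookies by hand. --->
        <cfif structKeyExists(url, "logout")>
            <cflogout>
            <cflocation url="index.cfm" addtoken="no">
        </cfif>

        <!--- The cflogin body runs only while no user is logged in. --->
        <cflogin>
            <cfif structKeyExists(form, "username") and structKeyExists(form, "password")
                  and checkCredentials(form.username, form.password)>
                <cfloginuser name="#form.username#" password="#form.password#" roles="user">
            </cfif>
        </cflogin>

        <!--- getAuthUser() is an empty string until cfloginuser has run. --->
        <cfif getAuthUser() eq "" and local.page neq "index.cfm">
            <cflocation url="index.cfm" addtoken="no">
        <cfelseif getAuthUser() neq "" and local.page eq "index.cfm">
            <cflocation url="userhome.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Hypothetical stand-in for the real account lookup, using a constructed
          demo account. It is not a password-storage scheme. --->
    <cffunction name="checkCredentials" access="private" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset local.salt = "constructed-salt">
        <cfset local.stored = hash(local.salt & "constructed-password", "SHA-256")>
        <cfreturn arguments.username eq "demo"
                  and hash(local.salt & arguments.password, "SHA-256") eq local.stored>
    </cffunction>
</cfcomponent>
```

With this arrangement every page except index.cfm is gated by the same getAuthUser() test, so no page needs its own check of a hand-written session flag.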

              • 5. Re: Problem with session and long domain name in Chrome
                DanWilson_ Level 1

                The session not setting correctly on a page with a cflocation has been fixed in CF7 and above, I believe.

                • 6. Re: Problem with session and long domain name in Chrome
                  zamvil Level 1

                  Thanks, I will improve my authentication like you said.



                  • 7. Re: Problem with session and long domain name in Chrome
                    BKBK Adobe Community Professional & MVP

                    @DanWilson, I would agree with you. (Though I cannot remember when the fix occurred). I expect the settings sessionManagement and sessionTimeout to be sufficient to maintain the session.


                    However, why do some developers continue to see such issues? Can you puzzle out why, in this case, sessions are maintained with IP address, but not with domain name? Why the application fails on Chrome, but works as expected on Internet Explorer?


                    While I do not believe there to be a bug, I do believe your code will be open to side-effects if you write session variables, then do a cflocation without token on the same page. By side-effect I mean any underlying requests, threads or processes that can end the current session or begin a new one. The cflocation opens Application.cfc, for sure, and, perhaps, a can of worms besides.