Does someone know if there is a limitation with Chrome on creating session variables when the domain name is long?
For example I have domain like this one
http://www.abcdefghijklmnopqrstuxyz12345678.com.mx/
I have my index page with the user login, and when I validate the account, if it is correct I create the session variable and do a cflocation to the user home page.
<CFSET SESSION.AuthCte = StructNew()>
<CFSET SESSION.AuthCte.IsLoggedIn = "Yes">
<cflocation url="userhome.cfm" addtoken="no">
But the userhome.cfm detects that the SESSION.AuthCte.IsLoggedIn variable is not defined.
If I use the IP instead of the domain name it works.
It works too if I put addtoken="yes".
If I use the IE browser with the domain name it works.
Regards!
Old article, but worth a read: http://helpx.adobe.com/coldfusion/kb/missing-session-variables-using-cflocation.html
I have a number of questions. What is your ColdFusion version? Do you use Application.cfm or Application.cfc? Could you show us the code that sets up the application, that is, the code for applicationtimeout, sessiontimeout, setClientCookies, etc.? Do you set the session cookies manually, for example, using the cfcookie tag?
Hi BKBK,
I'm using CF10 and Application.cfc
<!--- Define the application settings. --->
<cfset THIS.name= "GuarderiasGMX2"/>
<cfset THIS.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />
<cfset THIS.sessionManagement = true />
<cfset THIS.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />
I don't use cookies to set the session. I only use cfcookie to kill the session in Application.cfc when the user signs out.
<cffunction
    name="onRequestStart"
    access="public"
    returntype="boolean"
    output="false"
    hint="I initialize the page request.">
    <!--- Define the local scope. --->
    <cfset var local = {} />
    <!--- --------------------------------------------- --->
    <!--- --------------------------------------------- --->
    <!---
        Check to see if we killed the session timeout in the
        pseudo constructor. If we did, we can / should now
        kill the cookies for the current session and then
        redirect such that the user can get their new session.
    --->
    <cfif structKeyExists( url, "killSession" )>
        <!---
            Clear all of the session cookies. This will
            expire them on the user's computer when the
            CFLocation executes.
        --->
        <cfloop
            index="local.cookieName"
            list="cfid,cftoken,cfmagic">
            <!--- Expire this session cookie. --->
            <cfcookie
                name="#local.cookieName#"
                value=""
                expires="now"
                />
        </cfloop>
        <!---
            Redirect back to the primary page (so that we don't
            have the killSession URL parameter visible).
        --->
        <cflocation
            url="index.cfm"
            addtoken="false"
            />
    </cfif>
    <!--- Return true so that the requested page is processed. --->
    <cfreturn true />
</cffunction>
Regards
I cannot imagine that this is caused by the length of the domain name. What Tribule says is correct. It is a general rule that you should not write session variables followed by a cflocation on the same page.
The expected behaviour of the cflocation tag is not only to redirect the browser to the new page, but also to instruct ColdFusion to stop executing the current page. So it can happen that the session setting fails to 'stick'.
The error is a blessing in disguise. It tells you your current login framework needs to be improved. That is just my opinion, of course.
To start with, you should never have to kill sessions to log a user out. There is a special tag for that, cflogout. To implement this, replace the code <cfif structKeyExists( url, "killSession" )> with <cfif structKeyExists( url, "logout" )>. Then create the page logout.cfm and put <cflogout> in it. You may optionally add text like <h3>You have logged out.</h3> to it, and a link that points to the login page.
If, after testing for login, the validation is successful, use <cflogin><cfloginuser name="xxx" password="yyy" roles="z"></cflogin> to log the user in. Once the user is logged in, the ColdFusion function getAuthUser() will contain the value of the name attribute of the cfloginuser tag, for example, xxx in this example.
By default, getAuthUser() returns an empty string. You can therefore use it to test whether or not the user is logged in.
You now have much neater login logic. If the current page is index.cfm and getAuthUser() is non-empty, for example, then ColdFusion does a cflocation to userhome.cfm. If getAuthUser() is an empty string, then ColdFusion includes index.cfm.
I should add that the best place for this code is onRequestStart. Furthermore, you can store the login information in the session scope. To do so, set this.loginStorage="session" in Application.cfc. There then is the connection between session and login.
Feel free to return here with any questions you may have. Happy coding!
The session not setting correctly on a page with a cflocation has been
fixed in CF7 and above, I believe.
@DanWilson, I would agree with you. (Though I cannot remember when the fix occurred). I expect the settings sessionManagement and sessionTimeout to be sufficient to maintain the session.
However, why do some developers continue to see such issues? Can you puzzle out why, in this case, sessions are maintained with IP address, but not with domain name? Why the application fails on Chrome, but works as expected on Internet Explorer?
While I do not believe there to be a bug, I do believe your code will be open to side-effects if you write session variables, then do a cflocation without token on the same page. By side-effect I mean any underlying requests, threads or processes that can end the current session or begin a new one. The cflocation opens Application.cfc, for sure, and, perhaps, a can of worms besides.
Thanks, I will improve my authentication like you said.
Regards.