6 Replies Latest reply on Oct 19, 2007 3:19 AM by Grizzly9279

    Mysterious Cookie / Session Problem

      I'm totally stumped!

      Some users are having a problem with our site because CF can't seem to maintain the session. The users keep saying
      their browsers are set to accept cookies but CF, for some reason, can't read them. I am having a hard time diagnosing
      the problem because I can't recreate it. The website is accessed from two domains and the problem is only encountered
      when someone tries to place something in the shopping cart.

      The domains are:

      One user was kind enough to spend some of his time helping me. Here's what we have so far...

      This particular user has Safari on a Mac (we've also received complaints from users with IE 6)
      He verified his browser is set to accept cookies and even sent me a screenshot...
      Screenshot 1 - Cookies in the Safari Browser

      I had the user browse to a test page that just dumps out the cookie structure using the cfdump tag.
      The request sent to the webserver included the proper cookies.
      Here is part of the IIS log file:

      Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X;+en)+AppleWebKit/522.11.1+(KHTML,+like+Gecko)+Version/3.0.3+Safari/522.12.1

      cs(Cookie): TESTCOOKIE=Accepts%20cookies;+CFID=8270508;+CFTOKEN=17158764;+__utma=63962928.252568895.1191608199.1191608199.1191608199.1;+__utmc=63962928;+__utmz=63962928.1191608199.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);+SHOPPINGCARTID=DD899Y743NM;+__utmb=63962928

      You can see that IIS received the proper cookie information. However, a screenshot of the page reveals that ColdFusion
      doesn't see the cookies...
      Screenshot 2 - Dump of Cookie Structure in Safari

      I accessed the page from Firefox on a Windows box and everything worked just fine...
      Here's part of the IIS log from my request...

      Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 7

      cs(Cookie): __utmz=63962928.1191608834.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);+__utmb=63962928;+__utma=63962928.231190015.1191608834.1191608834.1191610125.2;+CFID=8271468;+CFTOKEN=89846209;+TESTCOOKIE=Accepts%20cookies;+__utmc=63962928;+SHOPPINGCARTID=GV872Z524NM

      Here's my screenshot:
      Screenshot 3 - Dump of Cookie Structure in Firefox

      I did notice that the cookie strings in the IIS log files were in a different order. I don't know if that might have something to
      do with it.

      So anyone have some insight or suggestions?

      I've got a couple of test pages if anyone wants to give it a try. I'm hoping a couple of you have Safari on a Mac and can give
      me some feedback.

      If you visit the homepage first you'll get a couple of other cookies (TESTCOOKIE, SHOPPINGCARTID).
      Here's a link to the cookie test page (courtesy Ben Nadel, Thanks Ben!)
      Cookie Test Page

      And here's a link to the page that dumps the cookie structure...
      Dump of Cookie Structure

      Thanks in advance for any help with this!!!

      Edit: By the way, I had the Safari user delete the cookies in his browser a number of times. Each time he returned to the
      site, the cookies were written properly to the browser. I also had him try both the .com address and the .co.uk address.
      You can see both sets of cookies in the first screenshot above.

        • 1. Re: Mysterious Cookie / Session Problem
          Level 7
          You have done some good analysis and testing there so hopefully you can
          get an answer. I think you may have already covered and ruled out some
          of these potential problems, but I will list them so you can be sure.

          As well as the browser itself, some anti-spam/advertising add-on
          software will block/scrub/eliminate cookies.

          Additionally, firewalls and proxy servers can affect this issue.

          Your multiple domains may be a factor in this, in that one of these agents
          is disregarding the cookie because it considers it to be from a
          different source.

          • 2. Re: Mysterious Cookie / Session Problem
            Grizzly9279 Level 1
            A few questions here:

            1) How is your <cfapplication> tag set up? Can you provide a code snippet?
            2) Are you using client vars? If so, where are you storing them (registry, db, etc.)?
            3) Are you using the <cfcookie> tag anywhere? Or are you letting the <cfapplication> tag take care of everything?

            One side-note: does your site use pop-up windows at all? I've seen pop-up blocker software (such as Yahoo) actually destroy/lose in-memory cookie data when opening a pop-up window that it actually intended to block. I was only able to reproduce this a year or two ago with very specific versions of Yahoo pop-up blocker (later versions appeared to fix the bug)
            • 3. Re: Mysterious Cookie / Session Problem
              sws Level 1
              My firm inherited this app. Initially there was no Application.cfm file. A "ShoppingCartID" cookie was set that corresponds
              to records in a database table. I added an Application.cfm file with the following...
              <cfapplication name="NottingHill" sessionmanagement="YES">

              I've since changed it to...
              <cfapplication name="NottingHill" sessionmanagement="YES" setclientcookies="NO">
              and I set the CFID/CFTOKEN cookies manually so they are written to browsers as "session cookies" so they expire when
              the browser closes.

              I don't think the problem lies with ColdFusion's session management. Keep in mind... THE APPLICATION WORKS.
              (Except, of course, for the times when it doesn't.)

              Every time someone tries to add an item to the shopping cart, I check for a cookie that was set on a page prior. (Every item
              needs to be customized before adding it to the shopping cart so that's when I create my test cookie.) If the test cookie
              doesn't exist when they add the item to the cart, they are redirected to the homepage where they are alerted that cookies
              are required to use the site.

              Here's the thing... Everyone that has called to complain says they have cookies enabled. In the IIS logs, I can confirm that,
              sure enough, every time my cookie error has been thrown, the HTTP request has included the proper cookies. That is,
              YES, the cookies were set on the client's browser and YES the cookies were included in the request because they exist in
              the webserver's log. (That is, they weren't scrubbed by a proxy server or software on the client; they actually made it to
              the webserver.)

              I believe that, for whatever reason, IIS is not passing the cookies to ColdFusion OR ColdFusion cannot properly parse the
              cookies that the webserver is handing off to it. I don't know exactly how it works behind the scenes but I do believe the
              problem lies between ColdFusion and the webserver.

              In the last week the error has been thrown for 9 unique IP addresses.
              2 Mac Safari
              1 IE 7 Vista
              2 IE 7 XP
              4 IE 6 XP

              I've added some more changes to the site today. Now, if my cookie is not detected, I redirect to some diagnostic code
              (based on Ben Nadel's code again). The diagnostic code redirects to itself a few times and checks to see if the CFID /
              CFTOKEN values have changed. The result and other CGI variables are written to a database log and emailed to me then
              the script redirects back to the home page and alerts the user that cookies couldn't be detected.

              I'll let you guys know what I find. In the meantime, someone give me a reality check. Is my logic sound as far as what I
              think is wrong? (i.e. the problem lies between CF and IIS and not between the browser and IIS)
              • 4. Re: Mysterious Cookie / Session Problem
                Grizzly9279 Level 1
                It's a shot in the dark, but I'd seriously recommend setting "setclientcookies" to "YES". All sites that I've worked on have done this, and it is still very possible to set "in-memory" cookies (such that they expire immediately when the browser is closed)
                • 5. Re: Mysterious Cookie / Session Problem
                  sws Level 1

                  Originally posted by: Grizzly9279
                  It's a shot in the dark, but I'd seriously recommend setting "setclientcookies" to "YES". All sites that I've worked on have done this, and it is still very possible to set "in-memory" cookies (such that they expire immediately when the browser is closed)

                  Thanks Grizz,
                  I'm pretty sure if you don't specify setClientCookies, it defaults to Yes regardless. I just ran a test to verify this; the cookies are written.

                  At any rate, for my problem, there hasn't been a single instance that I could verify where the cookies weren't written to the
                  client. If I set my browser to block cookies altogether I can recreate what happens to the users that have complained.
                  However, when I look at the IIS webserver logs, there is no http cookie string included from my request (which is
                  expected). This is not what happens in the other instances. In the users' instances, the http cookie string exists and
                  contains the correct cookie variables. ColdFusion doesn't recognize any cookie in this http request. I'm wondering if one
                  of the Google Analytics cookies (prefaced by __utm...) is somehow malformed. Wonder if this would cause ColdFusion
                  to just ignore the entire cookie string.

                  • 6. Re: Mysterious Cookie / Session Problem
                    Grizzly9279 Level 1
                    Well, for now, I'd leave "setClientCookies" on and see if your problem mysteriously disappears (e.g., users stop calling in complaining)

                    I highly doubt Google Analytics (Urchin) cookies would have anything to do with it; it's a fairly ubiquitous tracking platform. You never know though....

                    One other thing comes to mind: have you been able to get a sense of exactly how long these users are on the site before this happens? What do your session timeout settings look like?

                    You can control the ColdFusion session timeout settings via the CFADMIN, or from within the <cfapplication> tag itself. One thing to be cautious of however; JRun also has its OWN timeout setting that you could be battling with.

                    The /WEB-INF/web.xml file allows you to configure timeout settings, and you can read more on that here:

                    But what I'm getting at is, if the ColdFusion timeout settings are set to a higher value than the JRun session timeout settings, then you can end up with some rather strange lost session behavior. If not specified, the JRun session timeout should default to 30 minutes. I can't recall what the ColdFusion session timeout is set to by default.

                    In any event, I've run into a situation before where we had set our ColdFusion timeouts to 45 minutes, and the JRun timeouts were left at the default 30 minutes. If a user waited ~31+ minutes between clicks, we'd see some rather nasty error messages in the JRun logs, and I believe the user got dumped and assigned a new session.

                    Also, do you know if you're using J2EE session vars? Is your site hosted in a ColdFusion cluster? If so, we should review your cluster settings. If "sticky sessions" are not enabled, you could find users getting flip-flopped between cluster nodes, and session-replication could be failing (just one possibility).

                    Lots of stuff to think about...there's never one easy answer is there? :)
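
Added example (not code from any poster in this thread): a small Python diagnostic that parses the two `cs(Cookie)` fields quoted in the first post and compares them, to test the "different order" and "malformed cookie" questions raised above against what IIS actually logged. The function names are illustrative, and the check against the RFC 2109 token grammar is one chosen test of "malformed", not a statement of how ColdFusion parses the header.

```python
# Sample fields: the two cs(Cookie) values from the first post, with the
# spaces introduced by page line-wrapping removed.
SAFARI = ("TESTCOOKIE=Accepts%20cookies;+CFID=8270508;+CFTOKEN=17158764;"
          "+__utma=63962928.252568895.1191608199.1191608199.1191608199.1;"
          "+__utmc=63962928;+__utmz=63962928.1191608199.1.1.utmccn=(direct)"
          "|utmcsr=(direct)|utmcmd=(none);+SHOPPINGCARTID=DD899Y743NM;"
          "+__utmb=63962928")
FIREFOX = ("__utmz=63962928.1191608834.1.1.utmccn=(direct)|utmcsr=(direct)"
           "|utmcmd=(none);+__utmb=63962928;+__utma=63962928.231190015."
           "1191608834.1191608834.1191610125.2;+CFID=8271468;"
           "+CFTOKEN=89846209;+TESTCOOKIE=Accepts%20cookies;"
           "+__utmc=63962928;+SHOPPINGCARTID=GV872Z524NM")

# Characters RFC 2109 does not allow in an unquoted cookie value (a "token").
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def parse_cs_cookie(field):
    """Split an IIS W3C cs(Cookie) field into ordered (name, value) pairs.
    IIS logs a space as '+', so a literal '+' in a value is ambiguous."""
    pairs = []
    for part in field.replace("+", " ").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def non_token_cookies(pairs):
    """Map cookie name -> characters in its value that are not token characters."""
    return {n: sorted(set(v) & SEPARATORS)
            for n, v in pairs if set(v) & SEPARATORS}

def compare(failing, working):
    """Compare a failing request's cookies with a working request's cookies."""
    f, w = parse_cs_cookie(failing), parse_cs_cookie(working)
    return {
        "same_names": {n for n, _ in f} == {n for n, _ in w},
        "failing_order": [n for n, _ in f],
        "working_order": [n for n, _ in w],
        "non_token_failing": non_token_cookies(f),
        "non_token_working": non_token_cookies(w),
    }

if __name__ == "__main__":
    for key, val in compare(SAFARI, FIREFOX).items():
        print(f"{key}: {val}")
```

On these two log entries the cookie names are identical, only the order differs, and `__utmz` carries the same non-token characters (`(`, `)`, `=`) in both the failing and the working request.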