9 Replies Latest reply on Mar 26, 2014 6:13 AM by BKBK

    has anyone had an issue were ColdFusion session variables never timeout on a server?

    tmike12345

      I am having an issue on one of our production ColdFusion 9 servers where the session variables are never timing out.

       

      I set up a very simple page to make sure I'm not missing something.

       

      Application.CFC page (I tried Application.cfm as well)

      <cfcomponent>

      <cfset This.name = "TestApplication">
      <cfset This.Sessionmanagement=true>
      <cfset This.Sessiontimeout="#createtimespan(0,0,1,0)#">
      <cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

      <cffunction name="OnApplicationStart">
      <cfsetting showdebugoutput="yes" enablecfoutputonly="No">
      </cffunction>
      <cffunction name="OnRequestStart">
      <cfdump var="#this#">
      </cffunction>
      </cfcomponent>

       

      Index.cfm page

       

      <cfif isDefined("Session.TimeStamp")>
      <cfdump var="#Session#">
      <cfdump var="#Application#">

      <cfoutput>#Session.TimeStamp#</cfoutput>
      <cfelse>
      <cfset Session.TimeStamp=Now()>

      </cfif>

       

      The TimeStamp session variable never times out and once it is set the first time. I can leave the page up for days and it still won't time-out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

       

      Has anyone seen this type of issue before?

        • 1. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
          BKBK Adobe Community Professional & MVP

          tmike12345 wrote:

           

          The TimeStamp session variable never times out and once it is set the first time. I can leave the page up for days and it still won't time-out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

          You should not expect a custom session variable to timeout. That wont happen because it is contrary to the design of sessions.

           

          What times out is the session itself, rather than a variable in it. However, the setting This.Sessionmanagement=true implies that ColdFusion will always provide a session whenever a user opens a page. So, session 1 may time out, but new session 2 may start. It, too, may later time out if left idle for a while, giving way to new session 3. Whereas, the variable session.timestamp may continue to be defined in session 3, as it once was in session 1 and in session 2.

           

          The most obvious way to verify whether a session has timed out is to check for a change in the system variables session.CFID and session.CFToken. Such a change means the beginning of a new session. That is, of course, one consequence of the end of a session.

           

          You will be glad to know that Application.cfc itself automatically knows when a session has ended. Its onSessionEnd event will fire when a session ends. I have included it in the following suggestions:

           

          <cfcomponent>

          <cfset This.name = "TestApplication">
          <cfset This.Sessionmanagement=true>

          <!--- Session timeout usually set at 20 to 30 minutes (comes from studies on users on the web) --->
          <cfset This.Sessiontimeout="#createtimespan(0,0,20,0)#">
          <cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

          <cffunction name="OnApplicationStart">
          <!--- A page setting: does not belong here--->

          <!---<cfsetting showdebugoutput="yes" enablecfoutputonly="No">--->
          </cffunction>
          <cffunction name="OnRequestStart">

          <!--- Generally bad practice to display anything in the Application file--->
          <!--- <cfdump var="#this#">--->
          </cffunction>

           

          <cffunction name="onSessionStart">

          <cfset session.timestamp = now()>

          </cffunction>

           

          <cffunction name="onSessionEnd">

          <cfargument name = "sessionscope" required="yes">

          <cfargument name = "appscope" required="yes">

           

          <cflog file="#this.name#" type="information" text="The session #arguments.sessionscope.sessionid# started at #arguments.sessionscope.timestamp# and ended at #now()#">

          </cffunction>

          </cfcomponent>

           

          Index.cfm page

           

          <!--- The setting This.Sessionmanagement=true means the session will always be defined. There is therefore no need to test for its existence--->

          <cfdump var="#Session#">
          <cfdump var="#Application#">

          • 2. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
            tmike12345 Level 1

            Thanks for the quick response. I'm not sure what you mean though. I know that the session cookies themselves won't time out unless I force it to. But why wouldn't a regular session variable for a particular user not time out?

             

            Another words, I open up IE on that page and I expect the session on the page to time out after 1 minute, including timing out the TimeStamp session variable that I created. On all the other servers I tried that, it times out properly. On this one particular server it does not.

             

            Thanks

            • 3. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
              BKBK Adobe Community Professional & MVP

              tmike12345 wrote:

               

              Thanks for the quick response. I'm not sure what you mean though. I know that the session cookies themselves won't time out unless I force it to.

              They in fact would! I didn't say otherwise. The key point is that ColdFusion deletes the session cookies from memory when the session times out.

               

              If the user - typically, a browser - fails to interact with the ColdFusion server for the duration of the session timeout, ColdFusion will time the session out. One consequence is that ColdFusion will clear the last values of session-CFID and session.CFToken from memory, and create new values of those variables for the user. That is, ColdFusion will end, and delete, the timed-out session, and start a new session for the user.

               

              But why wouldn't a regular session variable for a particular user not time out?

              Because the variable session.customUserVar is defined for the current session, and so never times out.

               

              Another words, I open up IE on that page and I expect the session on the page to time out after 1 minute, including timing out the TimeStamp session variable that I created. On all the other servers I tried that, it times out properly. On this one particular server it does not.

              As I have explained, what times out is the session, not the variable session.timestamp. After all, when we say your session has timed out, what we mean is that ColdFusion has expired the identifiers session.CFID, session.CFToken and session.sessionID that distinguished your session, and has deleted them from memory.

               

              When you return and open index.cfm, ColdFusion creates a new session for you, with new CFID, CFToken and sessionID values. ColdFusion then writes the variable session.timestamp anew, within the context of the new session.

              • 4. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                tmike12345 Level 1

                Thanks for the response again.

                 

                To make sure I understand you correctly, because as I mentioned this only happens on one server, not any other ones that we have.

                 

                The TimeStamp variable in the statement here should be reset to a new value every time the session times out. In the server where we are having the issue, the timestamp variable is never changing. As you mention, any session variables that exist for a particular browser should timeout after the timeout period.

                 

                As you can see in the image below, the TimeStamp variable still shows yesterday's date, which means the session never timed out, even though the session timeout setting is 60 seconds.

                 

                • 5. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                  Steve Sommers Level 4

                  I don't know if this is a contributing factor or not but there is a "Use J2EE session variables" in the CF admin options. While I definately prefer using this option, I have experienced some similar strange behaviour and I "think" CF might be allowing java to control the session scope and I'm not sure this.sessiontimeout applies to java sessions. But I could be simply making all this up to match some of the behaviour I have seen.

                  • 6. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                    tmike12345 Level 1

                    Thanks Steve - I don't have those enabled on the server, but I was thinking about enabling them to see if the issue would go away.

                    • 7. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                      vishu#13 Level 3

                      "Use J2EE session variables" should be unechecked

                      <cfset This.Sessionmanagement=true>  this (true) should be in quotes <cfset This.Sessionmanagement="true">

                      Application.cfm

                       

                      <cfcomponent>

                      <cfset this.name = "myApplication">

                      <cfset this.Sessionmanagement = "TRUE">

                      <cfset this.sessiontimeout = CreateTimeSpan(0,0,0,10) />

                       

                      </cfcomponent>

                       

                      sessiontest.cfm

                       

                      <cfif IsDefined("SESSION.MyCount")>

                        <cfset SESSION.MyCount = #SESSION.MyCount# + 1>

                        Current Count is: <cfoutput>#SESSION.MyCount#</cfoutput><BR>

                        The current time is <cfoutput>#Now()#

                        <br />

                        Server: #CGI.SERVER_NAME#

                        </cfoutput>

                        <BR>

                      <cfelse>

                        <cfset SESSION.MyCount = 1>

                        <cfoutput>Count: #SESSION.MyCount#

                        <br />

                        Server: #CGI.SERVER_NAME#

                        </cfoutput>

                      </cfif>

                      <A HREF="sessiontest.cfm">Test Session</A>

                       

                      When you run the above in browser then hit session test after 10/11 seconds and you will be redirected to the same page.

                       

                      Capture.JPG

                       

                      As you mentioned that this is happening in one of your servers then I would suggest you to check the settings of this particular sever as comapred to other servers.

                      HTH

                       

                      Thanks

                      VJ

                      • 8. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                        BKBK Adobe Community Professional & MVP

                        tmike12345 wrote:

                         

                        Thanks for the response again.

                         

                        To make sure I understand you correctly, because as I mentioned this only happens on one server, not any other ones that we have.

                         

                        The TimeStamp variable in the statement here should be reset to a new value every time the session times out.

                        No, not necessarily. The current session may time out, whereas session.timestamp may still exist! The variable is reset to a new value only after ColdFusion creates a new session. This occurs when you revisit index.cfm. 

                         

                        As you can see in the image below, the TimeStamp variable still shows yesterday's date, which means the session never timed out, even though the session timeout setting is 60 seconds.

                        There might indeed be something wrong with the server. However, the relevant test to do is to verify whether or not the values of session.CFID and session.CFToken change when you open the index.cfm page after a period of inactivity longer than the timeout. If these system identifiers change, but session.timestamp remains the same, then your server probably has a bug.

                        • 9. Re: has anyone had an issue were ColdFusion session variables never timeout on a server?
                          BKBK Adobe Community Professional & MVP

                          tmike12345 wrote:

                           

                          As you can see in the image below, the TimeStamp variable still shows yesterday's date, ...

                          Just had another idea. Whatever the reason, it just might be that what you were seeing was a cached page.

                           

                          To verify, perform the popular trick for forcing a browser to give you an uncached page: request index.cfm?xyz=3 in place of index.cfm.