15 Replies Latest reply on Dec 21, 2015 1:13 PM by dzhaos

    new cfid with every refresh

    dzhaos

      I updated a test server from ColdFusion 10 to ColdFusion 11 30-day Enterprise trial edition with update 7.

      However, every time I hit refresh in my browsers, I get a new cfid. As a result, a valid session is not found so the login page doesn't work.

      I checked the session in the ColdFusion admin page and my cookie in my browsers; they are both created correctly.

      This is what I have in my application.cfm

      <CFAPPLICATION NAME="TESTWEB"
        CLIENTMANAGEMENT="Yes"
        SETCLIENTCOOKIES="Yes"
        SESSIONMANAGEMENT="Yes"
        SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
        SETDOMAINCOOKIES = "No">

      However, when I open the page from the host computer, the cfid doesn't change every time I hit refresh, so everything works.

      During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed that code. The only other place would be in logout.

      I am not using jsessionids, only ColdFusion session id.

      Timeout for all session variables is 7 days.

      Any idea what can cause my problem?

        • 1. Re: new cfid with every refresh
          BKBK Adobe Community Professional & MVP

          dzhaos wrote:

           

          This is what I have in my application.cfm

          <CFAPPLICATION NAME="TESTWEB"
            CLIENTMANAGEMENT="Yes"
            SETCLIENTCOOKIES="Yes"
            SESSIONMANAGEMENT="Yes"
            SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
            SETDOMAINCOOKIES = "No">

          Timeout for all session variables is 7 days.

          It is unclear what the problem is. First you say sessions don't work, then you say they do.

           

          In any case, you should switch to Application.cfc, using a more realistic value of sessiontimeout.

           

          Application.cfc

           

          <cfcomponent>
              <cfscript>
                  this.name = "TESTWEB";
                  this.applicationTimeout = "#createTimespan(1,0,0,0)#";
                  this.clientManagement = "yes";
                  this.clientStorage = "cookie";
                  this.sessionManagement = "yes";
                  this.sessionTimeout = "#createTimeSpan(0,0,20,0)#";
                  this.setClientCookies = "yes";
                  this.setDomainCookies = "no";
              </cfscript>
          </cfcomponent>

          • 2. Re: new cfid with every refresh
            dzhaos Level 1

            The session actually works when I am on the computer that hosts the server and I use the browser there to connect to my website; then everything works.

            However, if I am on another computer and then go to my website, the session doesn't load. In both cases, I checked that my browser does contain the cfid cookie.

            Does this make sense?

             

            Thanks for taking your time to look at my problem.

            • 3. Re: new cfid with every refresh
              BKBK Adobe Community Professional & MVP

              Thanks for the explanation. It is surprising that ColdFusion only writes the cfid cookie. What if you add this to your application file:

               

              <cfif not structKeyExists(cookie,"cfid") or not structKeyExists(cookie,"cftoken")>
                  <cfcookie name="cfid" value="#session.cfid#">
                  <cfcookie name="cftoken" value="#session.cftoken#">
              </cfif>

              • 4. Re: new cfid with every refresh
                dzhaos Level 1

                Sorry, I was not clear in my explanation. What I meant before is that my browser at least contains the cfid cookie. It also contains cfid, cftoken, jsessionid, hide_inactive, hide_inactive_project, hide_unimportant, search_block_size for my ColdFusion site cookies.

                 

                I have changed application.cfm to application.cfc, but I still have the same problem.

                • 5. Re: new cfid with every refresh
                  BKBK Adobe Community Professional & MVP

                  Test with different browsers on the remote machine.

                  Delete the existing cookies and browser cache.

                  • 6. Re: new cfid with every refresh
                    dzhaos Level 1

                    Here is my test result:

                    Local machine:

                    chrome: cfid doesn't change with refresh - work

                    IE: cfid doesn't change with refresh - work

                     

                    Machine A (I have been testing on this machine, I cleaned the cache and cookie)

                    chrome: cfid change with refresh - doesn't work

                    firefox: cfid change with refresh - doesn't work

                    IE: cfid doesn't change with refresh - work


                    Machine B

                    chrome: cfid change with refresh - doesn't work

                    firefox: cfid doesn't change with refresh - work

                    IE: cfid doesn't change with refresh - work


                    Machine B

                    chrome: cfid doesn't change with refresh - work

                    firefox: cfid doesn't change with refresh - work

                    IE: cfid doesn't change with refresh - work


                    This is pretty weird. Have you seen this happen before? Any suggestion?
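A way to narrow down the symptom reported in this thread (a new cfid on every refresh from some browsers), as an added example that is not part of the original posts: it separates a browser that never sends the cookie back from a server that replaces an id it was sent. The function names, labels and captured headers below are constructed for illustration.

```python
from http.cookies import SimpleCookie

SESSION_NAMES = {"cfid", "cftoken", "jsessionid"}

def session_ids(headers):
    """Session identifiers found in a list of Cookie or Set-Cookie header values."""
    found = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.lower() in SESSION_NAMES:
                found[name.lower()] = morsel.value
    return found

def classify(exchanges):
    """Label each (Cookie header, [Set-Cookie headers]) pair, in request order."""
    labels, last_issued = [], {}
    for cookie_header, set_cookies in exchanges:
        sent = session_ids([cookie_header])
        issued = session_ids(set_cookies)
        replaced = {n for n, v in issued.items() if n in sent and sent[n] != v}
        unsent = {n for n in issued if n not in sent}
        if replaced:
            labels.append("server_reissued")  # id came back, server replaced it
        elif unsent and any(n in last_issued for n in unsent):
            labels.append("client_dropped")   # earlier id was never sent back
        elif unsent:
            labels.append("first_issue")      # normal first visit
        else:
            labels.append("stable")           # session id accepted as sent
        last_issued.update(issued)
    return labels

# Constructed captures (not taken from the thread), two refreshes each.
FIRST = ["CFID=1001; Path=/; HttpOnly", "CFTOKEN=aaa111; Path=/; HttpOnly"]
SECOND = ["CFID=1002; Path=/; HttpOnly", "CFTOKEN=bbb222; Path=/; HttpOnly"]
SAMPLE_DROPPED = [("", FIRST), ("", SECOND)]
SAMPLE_REISSUED = [("", FIRST), ("CFID=1001; CFTOKEN=aaa111", SECOND)]
SAMPLE_STABLE = [("", FIRST), ("CFID=1001; CFTOKEN=aaa111", [])]

if __name__ == "__main__":
    for sample in (SAMPLE_DROPPED, SAMPLE_REISSUED, SAMPLE_STABLE):
        print(classify(sample))
```

The header pairs can be copied from the browser's network tools on each machine: "client_dropped" points at the browser or the cookie attributes, "server_reissued" at the server-side session configuration.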

                    • 7. Re: new cfid with every refresh
                      BKBK Adobe Community Professional & MVP

                      I also find it weird. I have seen something similar before, but it occurred on the remote, as well as on the local, machine. I think it was caused by session fixation.

                       

                      Why do you have Machine B twice?

                      • 8. Re: new cfid with every refresh
                        dzhaos Level 1

                        My mistake, the last one is Machine C.

                        • 9. Re: new cfid with every refresh
                          BKBK Adobe Community Professional & MVP

                          OK.

                          You said:

                          I am not using jsessionids, only coldFusion session id.

                           

                          But later you added:

                          What I meant before is that my browser at least contains the cfid cookie. It also contains cfid, cftoken, jsessionid,

                          Did you disable JEE sessions in the administrator?

                          • 10. Re: new cfid with every refresh
                            dzhaos Level 1

                            In the ColdFusion Admin page, I go to Server Settings -> Memory Variables and I see Use J2EE session variables unchecked, and Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Session Variables in both Maximum and Default Timeout. In Session Cookie Settings, cookie timeout is 15768000 minutes and HTTPOnly is checked.

                            Do you think these settings are correct? This is where JEE session is set, right?

                            • 11. Re: new cfid with every refresh
                              dzhaos Level 1

                              Wow, after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved. Can you think of how J2EE session fixed my problem?

                              • 12. Re: new cfid with every refresh
                                BKBK Adobe Community Professional & MVP

                                dzhaos wrote:

                                 

                                In the ColdFusion Admin page, I go to Server Settings -> Memory Variables and I see Use J2EE session variables unchecked, and Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Session Variables in both Maximum and Default Timeout. In Session Cookie Settings, cookie timeout is 15768000 minutes and HTTPOnly is checked.

                                Do you think these settings are correct? This is where JEE session is set, right?

                                Application timeout of 7 days is all right.

                                I would set the sessiontimeout to 30 minutes.

                                Sessions could also be set in the XML configuration files. (I would advise anyone not to go there)

                                • 13. Re: new cfid with every refresh
                                  BKBK Adobe Community Professional & MVP

                                  dzhaos wrote:

                                   

                                  Wow, after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved. Can you think of how J2EE session fixed my problem?

                                  I really can't say, to be honest. I am glad to hear that you can now work with sessions. Quite handy.

                                   

                                  Using J2EE sessions is preferable to using CFID and CFToken. When you say your problem is solved, I hope you have been checking for a change in the jsessionid cookie. ColdFusion stops generating CFID and CFToken cookies when you enable J2EE sessions.

                                  • 14. Re: new cfid with every refresh
                                    Carl Von Stetten Adobe Community Professional & MVP

                                    As BKBK said, now that you are using J2EE session variables, the only cookie value that should be created is jsessionid.  It looks like ColdFusion will still create a SESSION.urltoken variable that includes CFID, CFTOKEN, and jsessionid as embedded parameters.  But I don't think the CFID or CFTOKEN are used anywhere else.  If you still see them within the COOKIE scope, flush your browser cache and delete the cookie(s) for your site.  On the next request, you should only see the jsessionid in COOKIE.

                                     

                                    -Carl V.

                                    • 15. Re: new cfid with every refresh
                                      dzhaos Level 1

                                      BKBK, thank you for all your help.

                                      Yes, CFID and CFToken cookies are no longer in my browser. I have also replaced code that checks for CFID in login and logout.