CF 10 Clean Install - Sessions Broken

Question

Hi all,My firm recently upgraded to all new CF 10 servers (clean install no upgrade), and we are going through testing before we launch them in production.I have come across an issue where the sessions are not being maintained across requests.The application login functionality no longer works at all... testing the same code on CF9 yields expected and desired results.----------------------------------To test, I created a folder with an Application.cfc and an index.cfm.I placed a copy of the folder on the root of both the CF9 and CF10 servers.Loaded the index.cfm page on each and then just hit the refresh button on the browser.All the index.cfm page does is dump the session & cookie scopes.RESULTSCF9:- SESSIONID stays the same upon each requestion- CFID stays the same- CFTOKEN stays the same...as expected resultsInitial Page Load:structsessionid8430fefbf6988bab4bbc3724627d6a323351urltokenCFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351usernameBillstructCFID64848CFTOKEN25813868JSESSIONID8430fefbf6988bab4bbc3724627d6a323351Refresh 2:structsessionid8430fefbf6988bab4bbc3724627d6a323351urltokenCFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351usernameBillstructCFID64848CFTOKEN25813868JSESSIONID8430fefbf6988bab4bbc3724627d6a323351Refresh 3:structsessionid8430fefbf6988bab4bbc3724627d6a323351urltokenCFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351usernameBillstructCFID64848CFTOKEN25813868JSESSIONID8430fefbf6988bab4bbc3724627d6a323351CF10:- SESSIONID changes on everye SECOND request- CFID changes every request- CFTOKEN changes every request...not as expected whatsoeverInitial Page Load:structsessionidBBEB2834CFE5CABC214714BC9984C35B.cfusionurltokenCFID=2199631&CFTOKEN=87302470&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusionstructCFID2199631CFTOKEN87302470JSESSIONIDA8374BAF078DCD9216870113F0A7E32B.cfusionRefresh 1:structsessionidBBEB2834CFE5CABC214714BC9984C35B.cfusionurltokenCFID=2199791&CFTOKEN=22231763&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusionstructCFID2199791CFTOKEN22231763JSESSIONIDBBEB2834CFE5CABC214714BC9984C35B.cfusionRefresh 2: structsessionid1C3645A75E85F7AEDAEBA9F90474DF83.cfusionurltokenCFID=2199867&CFTOKEN=96194295&jsessionid=1C3645A75E85F7AEDAEBA9F90474DF83.cfusionstructCFID2199867CFTOKEN96194295JSESSIONIDBBEB2834CFE5CABC214714BC9984C35B.cfusionWTH???Here is a copy of my Application.cfc:/**          @7548420 "Application.cfc reference in CFScript for Coldfusion 9"    @description "This component includes all Application.cfc methods and variables, set to their default values (if applicable). Please note that default values are not always desirable, and some methods or variables should be modified or removed depending on the situation."          @7111211 "Russ Spivey (http://cfruss.blogspot.com)"    @dateCreated "November 29, 2009"    @7402935 "This work is licensed under the Creative Commons Attribution 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA."          @17146373 "You implement methods in Application.cfc to handle ColdFusion application events and set variables in the CFC to configure application characteristics."*/component output="false" {          /* **************************** APPLICATION VARIABLES **************************** */          // The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context.          THIS.name = "Test";          // Life span, as a real number of days, of the application, including all Application scope variables.          THIS.applicationTimeout = createTimeSpan(0, 1, 0, 0);          // Whether the application supports Client scope variables.          THIS.clientManagement = false;          // Where Client variables are stored; can be cookie, registry, or the name of a data source.          //THIS.clientStorage = "registry"; //cookie||registry||datasource          // Contains ColdFusion custom tag paths.           THIS.customTagPaths = "";          // The Google Maps API key required to embed Google Maps in your web pages.          THIS.googleMapKey = "";    // Name of the data source from which the query retrieves data.     THIS.datasource = "";          // Whether to store login information in the Cookie scope or the Session scope.          THIS.loginStorage = "cookie"; //cookie||session          // A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value.           THIS.mappings = {};    // Whether to enable validation on cfform fields when the form is submitted.    THIS.serverSideFormValidation = true;          // Whether the application supports Session scope variables.          THIS.sessionManagement = true;          // Life span, as a real number of days, of the user session, including all Session variables.          THIS.sessionTimeout = createTimeSpan(0, 0, 20, 0);          // Whether to send CFID and CFTOKEN cookies to the client browser.          THIS.setClientCookies = true;          // Whether to set CFID and CFTOKEN cookies for a domain (not just a host).          THIS.setDomainCookies = false;          // Whether to protect variables from cross-site scripting attacks.          THIS.scriptProtect = false;          // A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.           THIS.secureJSON = false;          // The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.           THIS.secureJSONPrefix = "";          // A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found.          THIS.welcomeFileList = "";          // A struct that contains the following values: server, username, and password.If no value is specified, takes the value in the administrator.          THIS.smtpServersettings = {};    // Request timeout. Overrides the default administrator settings.    THIS.timeout = 30; // seconds    // A list of ip addresses that need debugging.    THIS.debugipaddress = "";    // Overrides the default administrator settings. It does not report compile-time exceptions.    THIS.enablerobustexception = false;    /* ORM variables */    // Specifies whether ORM should be used for the ColdFusion application.Set the value to true to use ORM. The default is false.    THIS.ormenabled = false;    // The struct that defines all the ORM settings. Documentation: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSED380324-6CBE-47cb-9E5E-26B66ACA9E81.html    THIS.ormsettings = {};    // note: THIS.datasource applies to cfquery as well as ORM. It is defined on line 31.          /* **************************** APPLICATION METHODS **************************** */    /**        @17146373 "Runs when an application times out or the server is shutting down."        @ApplicationScope "The application scope."    */          public void function onApplicationEnd(struct ApplicationScope=structNew()) {                    return;          }    /**              @17146373 "Runs when ColdFusion receives the first request for a page in the application."    */          public boolean function onApplicationStart() {                    return true;          }    /**        @17146373 "Intercepts any HTTP or AMF calls to an application based on CFC request."        @cfcname "Fully qualified dotted path to the CFC."        @3289847 "The name of the method invoked."        @11716706 "The arguments (struct) with which the method is invoked."    */    public void function onCFCRequest(required string cfcname, required string method, required string args) {                    return;          }     /**        @17146373 "Runs when an uncaught exception occurs in the application."        @17458588 "The ColdFusion Exception object. For information on the structure of this object, see the description of the cfcatch variable in the cfcatch description."        @EventName "The name of the event handler that generated the exception. If the error occurs during request processing and you do not implement an onRequest method, EventName is the empty string."        note: This method is commented out because it should only be used in special cases    */     /*          public void function onError(required any Exception, required string EventName) {        return;          }    */    /**        @17146373 "Runs when a request specifies a non-existent CFML page."        @TargetPage "The path from the web root to the requested CFML page."        note: This method is commented out because it should only be used in special cases    */     /*          public boolean function onMissingTemplate(required string TargetPage) {                    return true;          }    */    /**        @17146373 "Runs when a request starts, after the onRequestStart event handler. If you implement this method, it must explicitly call the requested page to process it."        @TargetPage "Path from the web root to the requested page."        note: This method is commented out because it should only be used in special cases    */           /*           public void function onRequest(required string TargetPage) {                     return;          }          */    /**        @17146373 "Runs at the end of a request, after all other CFML code."    */           public void function onRequestEnd() {                    return;          }    /**        @17146373 "Runs when a request starts."        @TargetPage "Path from the web root to the requested page."    */           public boolean function onRequestStart(required string TargetPage) {                    return true;          }    /**        @17146373 "Runs when a session ends."        @SessionScope "The Session scope"        @ApplicationScope "The Application scope"    */           public void function onSessionEnd(required struct SessionScope, struct ApplicationScope=structNew()) {                    return;          }    /**        @17146373 "Runs when a session starts."    */           public void function onSessionStart() {                    return;          }}So did Adobe really ship a broken product??Here are a list of other people with the same issues:http://forums.adobe.com/message/5692829http://forums.adobe.com/thread/1017340http://forums.adobe.com/thread/1022637http://forums.adobe.com/thread/1272465http://forums.adobe.com/message/5696193https://bugbase.adobe.com/index.cfm?event=bug&id=3572565http://www.petefreitag.com/item/817.cfmhttp://forums.adobe.com/thread/1199835I have spent several days at this... if I missed some obvious conifiguration I would be upset with myself, but releived it was fixable. As of right now, I can't move my code to this new production environment as logging into the application is not even possible.Thanks

BKBK · Accepted Answer

John.Elkins wrote:We are not using cflogin... However, some other login process is apparently involved in the page request. That can start up a new session, if not coded properly. In fact my guess is that that is what is happening. In any case, this is about whether or not session is maintained. To test this cleanly, you have to exclude all code involved with the login process.

John_Elkins · Answer

The only difference between the two applications are the following:

- Sessions working application: website loads on normal "http" page and then login is done through "https" & not using a framework

- Sessions not working application: IIS redirect to "https" login occurs while already on "https" & using MG 3

The original test was done by dropping a directory in root called "test"... removing the original application code and replacing the root directory with just the test Application.cfc and index.cfm, and refreshing, produces expected behavior.

Q1: Shouldn't the Application.cfc in the "test" subdirectory override anything in the parent directory?

Q2: Does MG have any known incompatibilities with CF10... a cursory search seems to indicate it doesn't.

Thanks again for the help!

struct
sessionid	8430fefbf6988bab4bbc3724627d6a323351
urltoken	CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
username	Bill

struct
CFID	64848
CFTOKEN	25813868
JSESSIONID	8430fefbf6988bab4bbc3724627d6a323351

struct
sessionid	BBEB2834CFE5CABC214714BC9984C35B.cfusion
urltoken	CFID=2199631&CFTOKEN=87302470&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion

struct
CFID	2199631
CFTOKEN	87302470
JSESSIONID	A8374BAF078DCD9216870113F0A7E32B.cfusion

struct
CFID	2199791
CFTOKEN	22231763
JSESSIONID	BBEB2834CFE5CABC214714BC9984C35B.cfusion

struct
sessionid	1C3645A75E85F7AEDAEBA9F90474DF83.cfusion
urltoken	CFID=2199867&CFTOKEN=96194295&jsessionid=1C3645A75E85F7AEDAEBA9F90474DF83.cfusion

struct
CFID	2199867
CFTOKEN	96194295
JSESSIONID	BBEB2834CFE5CABC214714BC9984C35B.cfusion

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded