July 24, 2025
Question

ColdFusion 2021 session lost in 1st app after SAML authentication in 2nd app (not every time)


Hi All,

I can't seem to figure this out, so any help would be appreciated.  Might be a bug with CF2021.

 

I've got 2 websites with cfapplication names AAA & BBB, both under the same domain, HTTPS, using www.

 

If I log in through one app using SAML (one per app), I lose the session in the other app (new cftoken generated). It doesn't happen every time, but it will happen after a few tests, or the 1st time after being idle for a few minutes.

.....mydomain.com/AAA/saml1/response.cfm

.....mydomain.com/BBB/saml2/response.cfm

 

Also, if I'm just playing around and setting a session variable in the same child folders as the SAML response, it won't lose the sessions of the other app. It seems the SAML round trip to Microsoft Azure causes the loss of sessions.

 

I tried with J2EE sessions on/off.

 

Any ideas how to remedy?  


    1 reply

    BKBK
    Community Expert
    July 24, 2025

    To start with, I would strongly advise you to switch from Application.cfm to Application.cfc.

    Anyway, in which directories are the respective Application.cfm files? 

    gmelanson (Author)
    Participating Frequently
    July 24, 2025

    Thanks for the reply, BKBK!

     

    I just noticed that:

    *** The session loss happens even with the same website when calling its own SAML login process. *** It happens if you give it a minute or two in between SAML calls.

     

    It's like leaving my domain causes a new cftoken to be created on arrival from the SAML cycle if you wait a minute between tests, and it is a bit random.

     

    The Application files are both in the same directory as the CF SAML call & response:

    .....mydomain.com/AAA/saml1/application.cfm

    .....mydomain.com/BBB/saml2/application.cfm


    BKBK
    Community Expert
    July 25, 2025

    First off, I would advise you to host just one application per domain, not two, especially when you have to use SAML. When there is more than one application per domain, you have to manually construct the session for each application. That can involve a lot of coding.

     

    Let's now move on to the issue. What you've described so far does not seem like a bug in ColdFusion or SAML. The issue is likely due to ColdFusion session cookie collisions between your two applications (AAA and BBB).

     

    Cookies are domain-wide. That is, they are scoped to your mydomain.com. Since the two applications share the same domain, they potentially also share the same cookie names (CFID, CFTOKEN, and possibly JSESSIONID when you use J2EE sessions).

     

    Therefore a possible solution is to set distinct session cookies manually for each individual application, instead of letting ColdFusion set the cookies automatically, which is its default behaviour. There are two separate scenarios, depending on whether you are using ColdFusion sessions or J2EE sessions.

     

    Let's first try to solve the issue for ColdFusion sessions. If it succeeds, we will then look at J2EE sessions.

    The key is to set setClientCookies="false" in each application file. It tells ColdFusion not to set CFID/CFTOKEN. You are going to do that manually yourself.

    <!--- Application.cfm of the AAA site --->
    <cfapplication
        name="AAA"
        sessionManagement="true"
        setClientCookies="false"
        applicationTimeout="#createTimeSpan(1,0,0,0)#"
        sessionTimeout="#createTimeSpan(0,0,20,0)#">

    <!--- Application.cfm of the BBB site --->
    <cfapplication
        name="BBB"
        sessionManagement="true"
        setClientCookies="false"
        applicationTimeout="#createTimeSpan(1,0,0,0)#"
        sessionTimeout="#createTimeSpan(0,0,20,0)#">

    Then in your login logic, for example, directly after successful SAML login (or early in the request), explicitly set cookies with custom names:

    // AAA site: after successful SAML login, write the session identifiers under
    // app-specific cookie names. A cookie attribute cannot be set on the value
    // afterwards (cookie.X.expires = 1 does nothing useful); pass a struct of
    // attributes instead. expires=1 means one day. The sites run over HTTPS, so
    // the cookies are marked secure and httpOnly like ColdFusion's own CFID/CFTOKEN.
    cookie.AAA_CFID    = { value = session.CFID,    expires = 1, secure = true, httpOnly = true };
    cookie.AAA_CFTOKEN = { value = session.CFTOKEN, expires = 1, secure = true, httpOnly = true };

    // BBB site: same thing with the BBB prefix
    cookie.BBB_CFID    = { value = session.CFID,    expires = 1, secure = true, httpOnly = true };
    cookie.BBB_CFTOKEN = { value = session.CFTOKEN, expires = 1, secure = true, httpOnly = true };


    Next, on every request, you have to manually restore the session scope before you can use a variable such as session.myVar. You do this by injecting CFID/CFTOKEN into the request scope to enable ColdFusion to find the correct session in memory. You can do so as follows:

    /* AAA site. This must run before ColdFusion binds the session: in
       Application.cfm, place it above the <cfapplication> tag; in
       Application.cfc, place it in the pseudo-constructor (the code outside
       the methods), which runs before the session scope is resolved. */
    if (structKeyExists(cookie, "AAA_CFID") && structKeyExists(cookie, "AAA_CFTOKEN")) {
        // Restore the standard ColdFusion session keys from the app-specific cookies
        url.CFID    = cookie.AAA_CFID;
        url.CFTOKEN = cookie.AAA_CFTOKEN;
    }

    /* BBB site, same placement rules */
    if (structKeyExists(cookie, "BBB_CFID") && structKeyExists(cookie, "BBB_CFTOKEN")) {
        // Restore the standard ColdFusion session keys from the app-specific cookies
        url.CFID    = cookie.BBB_CFID;
        url.CFTOKEN = cookie.BBB_CFTOKEN;
    }

    Url.CFID and url.CFTOKEN override ColdFusion’s session resolver. Now ColdFusion thinks the incoming request uses those session values.
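The pieces above can be put together in one Application.cfc per site. The following is an added example by the editor, not BKBK's code or anything from the thread. It assumes the /AAA and /BBB directory layout from the question, that the url.CFID/CFTOKEN override takes effect when applied in the pseudo-constructor of Application.cfc (before ColdFusion binds the session scope), and it goes one step beyond the reply by giving each cookie a Path attribute (/AAA or /BBB) so the browser only sends it to its own application, which is the direct counter to the domain-wide cookie overlap described above. Only the prefix and the path change between the two sites.

```cfml
// Application.cfc for the AAA site (editor's example; change "AAA" to "BBB" for the other site).
component {

    this.name               = "AAA";
    this.sessionManagement  = true;
    this.setClientCookies   = false;                    // we write CFID/CFTOKEN ourselves
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);
    this.sessionTimeout     = createTimeSpan(0, 0, 20, 0);

    // Per-application cookie prefix and the URL path this app lives under.
    // Assumption: the app is served from https://www.mydomain.com/AAA/... as in the question.
    variables.cookiePrefix = "AAA";
    variables.cookiePath   = "/AAA";

    // Pseudo-constructor: runs on every request before the session is resolved.
    // Copy the app-specific cookies into the url scope so ColdFusion binds the
    // request to the existing session instead of creating a new one.
    if (structKeyExists(cookie, variables.cookiePrefix & "_CFID")
        && structKeyExists(cookie, variables.cookiePrefix & "_CFTOKEN")) {
        url.CFID    = cookie[variables.cookiePrefix & "_CFID"];
        url.CFTOKEN = cookie[variables.cookiePrefix & "_CFTOKEN"];
    }

    public boolean function onRequestStart(required string targetPage) {
        // Issue (or refresh) the cookies for whatever session was just bound.
        // This also covers the first request after the SAML response lands,
        // so no separate cookie-writing code is needed in response.cfm.
        writeSessionCookies();
        return true;
    }

    private void function writeSessionCookies() {
        // Attributes shared by both cookies:
        //  - expires=1: one day, matching the reply above
        //  - path: only sent to this application's URLs, so AAA and BBB cannot collide
        //  - secure/httpOnly: HTTPS-only and invisible to page scripts
        var attrs = { expires = 1, path = variables.cookiePath, secure = true, httpOnly = true };

        var idCookie    = duplicate(attrs);
        idCookie.value  = session.CFID;
        cookie[variables.cookiePrefix & "_CFID"] = idCookie;

        var tokenCookie = duplicate(attrs);
        tokenCookie.value = session.CFTOKEN;
        cookie[variables.cookiePrefix & "_CFTOKEN"] = tokenCookie;
    }
}
```

With this in place, a request to /AAA/... carries only AAA_CFID/AAA_CFTOKEN and a request to /BBB/... only the BBB pair, and each Application.cfc restores its own session from its own cookies; ColdFusion's default CFID/CFTOKEN cookies are never written, so there is nothing for the two sites to overwrite in each other.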