Participant
March 24, 2014
Question

Has anyone had an issue where ColdFusion session variables never time out on a server?


I am having an issue on one of our production ColdFusion 9 servers where the session variables are never timing out.

I set up a very simple page to make sure I'm not missing something.

Application.CFC page (I tried Application.cfm as well)

<cfcomponent>

<cfset This.name = "TestApplication">
<cfset This.Sessionmanagement=true>
<cfset This.Sessiontimeout="#createtimespan(0,0,1,0)#">
<cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

<cffunction name="OnApplicationStart">
<cfsetting showdebugoutput="yes" enablecfoutputonly="No">
</cffunction>
<cffunction name="OnRequestStart">
<cfdump var="#this#">
</cffunction>
</cfcomponent>

Index.cfm page

<cfif isDefined("Session.TimeStamp")>
<cfdump var="#Session#">
<cfdump var="#Application#">

<cfoutput>#Session.TimeStamp#</cfoutput>
<cfelse>
<cfset Session.TimeStamp=Now()>

</cfif>

The TimeStamp session variable never times out once it is set the first time. I can leave the page up for days and it still won't time out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

Has anyone seen this type of issue before?


    BKBK
    Community Expert
    March 24, 2014

    tmike12345 wrote:

    The TimeStamp session variable never times out once it is set the first time. I can leave the page up for days and it still won't time out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

    You should not expect a custom session variable to time out. That won't happen because it is contrary to the design of sessions.

    What times out is the session itself, rather than a variable in it. However, the setting This.Sessionmanagement=true implies that ColdFusion will always provide a session whenever a user opens a page. So, session 1 may time out, but new session 2 may start. It, too, may later time out if left idle for a while, giving way to new session 3. Whereas, the variable session.timestamp may continue to be defined in session 3, as it once was in session 1 and in session 2.

    The most obvious way to verify whether a session has timed out is to check for a change in the system variables session.CFID and session.CFToken. Such a change means the beginning of a new session. That is, of course, one consequence of the end of a session.

    You will be glad to know that Application.cfc itself automatically knows when a session has ended. Its onSessionEnd event will fire when a session ends. I have included it in the following suggestions:

    <cfcomponent>

    <cfset This.name = "TestApplication">
    <cfset This.Sessionmanagement=true>

    <!--- Session timeout usually set at 20 to 30 minutes (comes from studies on users on the web) --->
    <cfset This.Sessiontimeout="#createtimespan(0,0,20,0)#">
    <cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

    <cffunction name="OnApplicationStart">
    <!--- A page setting: does not belong here--->

    <!---<cfsetting showdebugoutput="yes" enablecfoutputonly="No">--->
    </cffunction>
    <cffunction name="OnRequestStart">

    <!--- Generally bad practice to display anything in the Application file--->
    <!--- <cfdump var="#this#">--->
    </cffunction>

    <cffunction name="onSessionStart">

    <cfset session.timestamp = now()>

    </cffunction>

    <cffunction name="onSessionEnd">

    <cfargument name = "sessionscope" required="yes">

    <cfargument name = "appscope" required="yes">

    <cflog file="#this.name#" type="information" text="The session #arguments.sessionscope.sessionid# started at #arguments.sessionscope.timestamp# and ended at #now()#">

    </cffunction>

    </cfcomponent>

    Index.cfm page

    <!--- The setting This.Sessionmanagement=true means the session will always be defined. There is therefore no need to test for its existence--->

    <cfdump var="#Session#">
    <cfdump var="#Application#">

    Participant
    March 24, 2014

    Thanks for the quick response. I'm not sure what you mean though. I know that the session cookies themselves won't time out unless I force it to. But why wouldn't a regular session variable for a particular user not time out?

    In other words, I open up IE on that page and I expect the session on the page to time out after 1 minute, including timing out the TimeStamp session variable that I created. On all the other servers I tried that, it times out properly. On this one particular server it does not.

    Thanks

    BKBK
    Community Expert
    March 24, 2014

    tmike12345 wrote:

    Thanks for the quick response. I'm not sure what you mean though. I know that the session cookies themselves won't time out unless I force it to.

    They in fact would! I didn't say otherwise. The key point is that ColdFusion deletes the session cookies from memory when the session times out.

    If the user - typically, a browser - fails to interact with the ColdFusion server for the duration of the session timeout, ColdFusion will time the session out. One consequence is that ColdFusion will clear the last values of session.CFID and session.CFToken from memory, and create new values of those variables for the user. That is, ColdFusion will end, and delete, the timed-out session, and start a new session for the user.

    But why wouldn't a regular session variable for a particular user not time out?

    Because the variable session.customUserVar is defined for the current session, and so never times out.

    In other words, I open up IE on that page and I expect the session on the page to time out after 1 minute, including timing out the TimeStamp session variable that I created. On all the other servers I tried that, it times out properly. On this one particular server it does not.

    As I have explained, what times out is the session, not the variable session.timestamp. After all, when we say your session has timed out, what we mean is that ColdFusion has expired the identifiers session.CFID, session.CFToken and session.sessionID that distinguished your session, and has deleted them from memory.

    When you return and open index.cfm, ColdFusion creates a new session for you, with new CFID, CFToken and sessionID values. ColdFusion then writes the variable session.timestamp anew, within the context of the new session.
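
An added diagnostic page, not part of either post, for checking whether the server really ends idle sessions. It assumes the Application.cfc from the first reply, where onSessionStart sets session.timestamp; the file name sessioncheck.cfm and the cookie name lastSessionStart are made up for this example.

```cfml
<!--- sessioncheck.cfm (hypothetical name): added example, not code from the thread.
      Assumes onSessionStart in Application.cfc sets session.timestamp. --->

<!--- Render the start time of the session serving this request as a plain string. --->
<cfset startedAt = dateFormat(session.timestamp, "yyyy-mm-dd") & " "
                 & timeFormat(session.timestamp, "HH:mm:ss")>

<!--- The browser keeps its cookies when the server-side session expires, so a
      cookie can remember which session start time the previous request saw. --->
<cfif structKeyExists(cookie, "lastSessionStart")>
    <cfset previousStart = cookie.lastSessionStart>
<cfelse>
    <cfset previousStart = "">
</cfif>

<!--- compare() forces a string comparison; EQ could coerce both sides to dates. --->
<cfif len(previousStart) EQ 0>
    <cfset verdict = "First request from this browser; nothing to compare yet.">
<cfelseif compare(previousStart, startedAt) EQ 0>
    <cfset verdict = "Same session as the previous request.">
<cfelse>
    <cfset verdict = "New session. The previous one started at #previousStart# and has ended.">
</cfif>

<!--- Remember the current start time for the next request (browser-session cookie). --->
<cfcookie name="lastSessionStart" value="#startedAt#">

<cfoutput>
    Session started: #startedAt#<br>
    Session age: #dateDiff("s", session.timestamp, now())# seconds<br>
    <!--- verdict can contain the cookie value, which the client controls, so escape it. --->
    Result: #htmlEditFormat(verdict)#
</cfoutput>
```

Every request under the same application name, including a reload of this page or any background polling from the browser, resets the idle timer, so leave the browser untouched for longer than This.Sessiontimeout before requesting the page again.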