Missing session variables and multiple CFID/CFTOKEN

Forum|Forum|13 years ago
October 22, 2012
3 replies
1830 views

We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.

Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions. We have put troubleshooting measures in place that display values when this occurs.

We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next). These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers. In most instances, if the user switches browsers, the same application works fine for them.

In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”. If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.

When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag. ** We do not prefer to do this for security reasons.

Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?

This topic has been closed for replies.

BKBK

Community Expert

My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.

Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.

Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion to create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.

Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.

The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.

1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.

2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.

3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.

M

marchmatnessAuthor

Participant

Some additional information:

- If the user is in IE and selects "InPrivate Browsing", everything works fine.

- Deleting the user's profile and creating a new profile, everything works fine.

S

Steve Sommers

Legend

I've experienced similar behavior, always with IE and always when multipe browser tabs are open. Closing IE and restarting it works, provided my site is the first tab. I'm not certain if this is an IE bug or CF bug as it's been very difficult to debug and it's inconsistent -- sometimes it works fine with tabs open. If this is the same issue and someone knows of a solution, I would be very thankful.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded