Participant
July 18, 2011
Question

Session is invalid errors

  • July 18, 2011
  • 8 replies
  • 6863 views

Ever since we applied the June 14 2011 ColdFusion hotfix (hf901-00001), we've been seeing intermittent errors in the production environment saying: "Session is invalid." We are hosting multiple CF applications within our domain, and I can reproduce the error in our test environment by setting low session timeout values (e.g. 1 minute and 2 minutes) and requesting a page after the minute has gone by.

We're running ColdFusion 9 in a Red Hat/Apache environment.

Has anyone else noticed different behavior after applying this update?

    This topic has been closed for replies.

    8 replies

    September 25, 2011

    Glad that it solves the problem for you.

    September 23, 2011

    We have released the official fix for the issue. Please see http://blogs.adobe.com/coldfusion/2011/09/16/updated-bug-83514-session-is-invalid-issue/ for more information.

    Thanks,

    Shilpi Khariwal

    Coldfusion Server Team

    BKBK
    Community Expert
    September 25, 2011

    Hemant and Shilpi,

    Yours is the kind of response that fosters dedication to ColdFusion. Great.

    Participating Frequently
    July 26, 2011

    We are currently investigating this issue. Feel free to add your comments via votes to the bug.

    Hemant

    CF Team

    twitter - khandelwalh

    agebhardAuthor
    Participant
    July 26, 2011

    Where is the bug documented? I don't see it listed in the CF bug tracker.

    Participating Frequently
    July 26, 2011
    BKBK
    Community Expert
    July 23, 2011

    This latest hot fix (updated as recently as July 20, 2011) might help: http://kb2.adobe.com/cps/907/cpsid_90784.html

    BKBK
    Community Expert
    July 23, 2011

    It could be that the application times out before the session. What is the value of applicationTimeout?

    agebhardAuthor
    Participant
    July 25, 2011

    It shouldn't have anything to do with application timeouts in our scenario. In both our test and our production environments, the application timeout value has always been equal or greater than the session timeout value.

    Participant
    July 20, 2011

    We're seeing the same error on Linux/CF 9.0.1 with June 14 2011 hotfix hf901-00002 (not 00001 - that was Feb 8 2011), but it looks like it's being triggered only when a user requests a template that has been 'recently' updated (we push source updates quite frequently). Seems like the recompilation is interfering with the J2EE sessions.

    We don't have any solution to this, other than to catch the exception and blow away the client's cookies to give them a new session.

    Participant
    July 22, 2011

    We had experienced the same problem since applying the June security hotfix on CF 9.0.1/Linux/J2EE Sessions.

    A possible workaround might be found here: http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=83514

    (even though this is a CF on Windows bug)

    Comment By Mike Collins on Fri May 27 2011:

    You might try adding the following to the jrun.xml. This might let jrun continue on and rebuild a new session. name="reuseInvalidatedIds">true will tell jrun to reuse the invalidated session. However still need to fix this bug, since workaround opens up some doors for session suggestability.

    XML code is available at http://www.elliottsprehn.com/cfbugs/bugs/83514#comments

    (BTW: is there a way to post XML code in this forum?)

    Altering jrun.xml made the Session is Invalid errors go away on our servers. I am not 100% sure if this is a security issue though. David Stockton's comment under "Votes" is also interesting:

    David Stockton from FusionReactor / CFConsultant.com here. We have diagnosed and resolved this issue and can provide support under our paid consulting services to resolve this on your systems. However, it would be great for the community if Adobe can release a patch to fix this directly.

    CF Team, please fix...
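Added example, not from the thread and not Adobe or JRun code: a toy Python model of the three behaviours discussed here (the post-hotfix error, the `reuseInvalidatedIds` workaround, and issuing a fresh id as the cookie-expiring workaround does by hand), showing why the quoted comment warns that the workaround "opens up some doors". The class, the policy names and the user are hypothetical, and the model assumes that `reuseInvalidatedIds` makes the container accept whatever id the browser presents.

```python
import secrets

class SessionInvalid(Exception):
    """Stands in for java.lang.IllegalStateException: Session is invalid."""

class ToyContainer:
    """Simplified session table; an assumption-based model, not JRun code."""

    def __init__(self, policy):
        self.policy = policy      # "strict", "reuse_ids" or "reissue" (hypothetical names)
        self.sessions = {}        # session id -> session data

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def expire(self, sid):
        self.sessions.pop(sid, None)

    def handle(self, cookie_sid):
        """Return the session id the response carries for this request."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if self.policy == "strict":
            raise SessionInvalid("Session is invalid")
        if self.policy == "reuse_ids":
            # The value the browser sent becomes a live session id again.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # "reissue": drop the stale cookie value and mint a fresh random id.
        return self.new_session()

def outcome(policy):
    """Return (request_succeeded, pre_login_id_is_authenticated)."""
    c = ToyContainer(policy)
    stale = c.new_session()
    c.expire(stale)               # timed out server-side, cookie still in the browser
    try:
        sid = c.handle(stale)
    except SessionInvalid:
        return (False, False)
    c.sessions[sid]["user"] = "alice"   # constructed user logs in on the id in use
    exposed = c.sessions.get(stale, {}).get("user") is not None
    return (True, exposed)

if __name__ == "__main__":
    for p in ("strict", "reuse_ids", "reissue"):
        print(p, outcome(p))
```

Only the "reissue" policy both serves the request and leaves the id that existed before login unauthenticated.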

    agebhardAuthor
    Participant
    July 19, 2011

    Thanks for the response. It sounds like we're looking at the same error, alright.

    I had seen those two articles you mentioned, but the thing that I found curious was that our problems started after we applied the patch that came out in June and not the one that others were talking about from February (which we applied several months ago).

    Our particular issue seems not to be relieved by manipulating the J2EE session timeout. We've experimented quite a bit with changing timeout settings in our test environment. I was able to reliably reproduce the error by reducing the session timeout values to numbers way lower than our J2EE timeout of 37 minutes. For example, I reduced the timeout of one of our applications to 2 minutes and then set the timeout of another to 1 minute. After waiting over a minute, I get the "session is invalid" error in the application with a timeout of two minutes. The issue remains until I quit the browser. This experiment would seem to rule out the solution that others have suggested of raising the J2EE timeout value higher than that of the CF application.

    Participant
    July 19, 2011

    We experienced the same thing with our CF 8.0.1 standard servers; the only solution we've found so far is forcibly expiring the jsessionid cookie from an affected user's browser, either using cfcookie in the exception handlers or manually intervening at their browser. I hate to call that a solution really; it's more a workaround. It's certainly not giving a good user experience. It's definitely not affecting all of our users, and it's more prevalent in those CF applications with a longer than average session timeout.

    My working hypothesis is that since the latest security update was applied, JRun's sessions are now being cleaned up more thoroughly when they time out, but CF doesn't always issue a new, clean, J2EE session when a browser attempts to resume an expired session.

    Some people have reported benefits from setting JRun's session-timeout to be greater than ColdFusion's session timeout (JRun's default was 30 minutes for our ColdFusion servers), but that didn't work for us.

    There are quite a lot of references to this particular issue on the internet: http://forums.adobe.com/message/1002510#1002510 http://shilpikm.blogspot.com/2011/03/update-on-security-hot-fix-feb-2011.html

    To make sure we're talking about a similar thing, the stack traces of our exceptions all look like this:

    java.lang.IllegalStateException: Session is invalid
            at jrun.servlet.session.JRunSession.checkSessionValidity(JRunSession.java:394)
            at jrun.servlet.session.JRunSession.getMaxInactiveInterval(JRunSession.java:111)
            at coldfusion.runtime.J2eeSessionScope.SetMaxInactiveInterval(J2eeSessionScope.java:99)
            at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:738)
            at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:793)
            at coldfusion.tagext.lang.ApplicationTag.doStartTag(ApplicationTag.java:279)
            at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
            at cfApplication2ecfm496389954.runPage(/path/to/our/Application.cfm:6) <- the line with the <cfapplication> tag or equivalent in Application.cfc