Windows 2016 Server
MSSQL Web Edition 2017
ColdFusion 2016 - 2016.0.05.303689, Tomcat - 8.5.11.0
IIS 10.0.14393.0
I randomly get an error emailed to me from multiple sites (see below). How can I resolve this? No other information is provided to solve the problem. We did check "Use J2EE session variables" because we need them for a project, and then this started to happen. A Google search reveals that this could be the issue. Anyone have a solution on how to keep this setting and not get this error?
Cannot create a session after the response has been committed
Type:java.lang.IllegalStateException
StackTrace:
java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:2955) at org.apache.catalina.connector.Request.getSession(Request.java:2368) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:1042) at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:1141) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:415) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151) at coldfusion.CfmServlet.service(CfmServlet.java:219) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at sun.reflect.GeneratedMethodAccessor61.invoke(Unknown Source) at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:224) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at com.seefusion.Filter.doFilter(Filter.java:92) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at 
java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:474) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at com.seefusion.SeeFusionValve.invoke(SeeFusionValve.java:52) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:363) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)
We've been occasionally seeing a flood of these (everything is fine for weeks, then one day we'll get a flood of them for the whole day, then it goes back to normal for a few weeks). We have not been able to track down the cause. I hope someone has some insight into this and can share it here.
V/r,
^ _ ^
An idea. Might this be the result of a request coming in without a session ID? We could test the idea by putting the following condition in onRequestStart, just before the return-statement:
<cfif not structKeyExists(session, "sessionID")>
<cflog file="#this.name#" type="Warning" text="Request came in without session ID at #now()#">
<!--- ColdFusion does not process the request --->
<cfreturn false>
</cfif>
Hi, BKBK,
I just tried this on my application, and I'm still getting the error message "Cannot create session after the response has been committed".
Matter of fact, the weird thing is that everything was smooth, yesterday, in our DEV environment; but this morning, every time I submit a form, I get this message. Nothing changed between last night and this morning, so I'm really confuzzed by it.
Any thoughts?
V/r,
^ _ ^
Adding a CFDUMP from the error page. Apparently, something is triggering an error, but the error template is never displayed, even though the email is sent. ???
EXCEPTION - struct | ||
Message | Cannot create a session after the response has been committed | |
StackTrace | java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:3044) at org.apache.catalina.connector.Request.getSession(Request.java:2416) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:897) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229) at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:976) at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:1069) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:361) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:112) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155) at coldfusion.xml.rpc.CFCServlet.doPost(CFCServlet.java:331) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at 
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:450) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:197) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:722) | |
Suppressed |
| |
TagContext |
| |
Type | java.lang.IllegalStateException |
SESSION - struct | |
ERROREMAIL | [redacted] |
MSGTMPLT | false |
CGI - struct | |
AUTH_PASSWORD | [empty string] |
AUTH_TYPE | [empty string] |
AUTH_USER | [empty string] |
CERT_COOKIE | [empty string] |
CERT_FLAGS | [empty string] |
CERT_ISSUER | [empty string] |
CERT_KEYSIZE | [empty string] |
CERT_SECRETKEYSIZE | [empty string] |
CERT_SERIALNUMBER | [empty string] |
CERT_SERVER_ISSUER | [empty string] |
CERT_SERVER_SUBJECT | [empty string] |
CERT_SUBJECT | [empty string] |
CF_TEMPLATE_PATH | [redacted]\components\ERC.cfc |
CONTENT_LENGTH | 3581 |
CONTENT_TYPE | application/x-www-form-urlencoded; charset=UTF-8 |
CONTEXT_PATH | [empty string] |
GATEWAY_INTERFACE | [empty string] |
HTTPS | off |
HTTPS_KEYSIZE | [empty string] |
HTTPS_SECRETKEYSIZE | [empty string] |
HTTPS_SERVER_ISSUER | [empty string] |
HTTPS_SERVER_SUBJECT | [empty string] |
HTTP_ACCEPT | */* |
HTTP_ACCEPT_ENCODING | gzip, deflate |
HTTP_ACCEPT_LANGUAGE | en-US,en;q=0.5 |
HTTP_CONNECTION | keep-alive |
HTTP_COOKIE | CFGLOBALS=urltoken%3DCFID%23%3D83547%26CFTOKEN%23%3D274d333caa66e363%2D6F736CE5%2DD431%2DE4E1%2DF52E8925EFF37246%26jsessionid%23%3DC5072E611469A9C02D101B4BDB8F7151%2Ecfusion%23lastvisit%3D%7Bts%20%272017%2D12%2D28%2011%3A13%3A26%27%7D%23timecreated%3D%7Bts%20%272017%2D06%2D08%2009%3A47%3A50%27%7D%23hitcount%3D3559%23cftoken%3Dd7f223c9ef76c2e7%2D2A7AA293%2D093B%2D9F4A%2D027D67AA8F07B549%23cfid%3D18881%23; CFID=Z3s74zilmdrhg6d0o8ssfrtrhsplrrfhk7wkt92pyp1639kitea-83547; CFTOKEN=Z3s74zilmdrhg6d0o8ssfrtrhsplrrfhk7wkt92pyp1639kitea-274d333caa66e363-6F736CE5-D431-E4E1-F52E8925EFF37246; CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fsecurity%2Fcfrdspassword%2Ecfm; JSESSIONID=C5072E611469A9C02D101B4BDB8F7151%2Ecfusion |
HTTP_HOST | [redacted].mil |
HTTP_REFERER | |
HTTP_URL | [empty string] |
HTTP_USER_AGENT | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0 |
LOCAL_ADDR | [redacted].mil |
PATH_INFO | [empty string] |
PATH_TRANSLATED | [redacted]\components\ERC.cfc |
QUERY_STRING | method=[redacted] |
REMOTE_ADDR | [redacted].203 |
REMOTE_HOST | [redacted].203 |
REMOTE_USER | [empty string] |
REQUEST_METHOD | POST |
SCRIPT_NAME | [redacted]/components/ERC.cfc |
SERVER_NAME | [redacted].mil |
SERVER_PORT | 80 |
SERVER_PORT_SECURE | 0 |
SERVER_PROTOCOL | HTTP/1.1 |
SERVER_SOFTWARE | [redacted] |
WEB_SERVER_API | [empty string] |
Hi WolfShade
Curious. What was the result of logging the absence of a session ID, as I suggested earlier?
Here's another weird thing: the form has the ability to dynamically add form elements by clicking an "ADD ITEM [+]" button; it adds fields for shipping items. If I submit with one or two individual items, no problem. As soon as I add a third, I get the session error message.
???
V/r,
^ _ ^
CORRECTION: It gives me a page cannot be displayed error, not the session error. SMH.
WolfShade wrote
Here's another weird thing: the form has the ability to dynamically add form elements by clicking an "ADD ITEM [+]" button; it adds fields for shipping items. If I submit with one or two individual items, no problem. As soon as I add a third, I get the session error message.
Thanks for the PM.
It appears that, during the dynamic events at the client, ColdFusion inadvertently receives a request, processes it and sends back a response header. That is, it commits a response while still composing the output for the request. Hence the IllegalStateException.
If so, then you can try the following desperate workaround. Put at the beginning:
<cfflush interval=5000>
It tells ColdFusion to flush the output after a relatively large number of bytes is available.
Caveat: There are a number of warnings you should be aware of when using cfflush. Check out the cfflush documentation.
You should report what you observe as a ColdFusion/Tomcat bug.
Never mind. I finally figured out what is going wrong. I'll PM you the details.
V/r,
^ _ ^
We changed vulnerability scanning providers and this error popped up.
Took a while to get this far, but it looks like if I post some invalid data as a POST using Fiddler to our CF app, it throws that error (curl was able to reproduce the problem too).
--------- post from fiddler using 'raw' and don't forget the two carriage returns and last period (.)--------------------
POST https://[yoursite.com]/ HTTP/1.1
Connection: keep-alive
Content-Length: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.6 Safari/534.57.2
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://www.qualys.com/was/
.
-------------------------- / end --------------------------------------
If you change that last period to something more like a form submission, like:
name=foo
...then it seems to work fine. If you're having trouble getting the data that's being posted, try dumping GetHttpRequestData()*
* If you dump that GetHttpRequestData() and look at GetHttpRequestData().content you might see just a string, BUT there might be a null (or other control characters) in there, which I think is what's causing our problem. To find the null I needed to do something like:
<cffile action="write" file="#thisFile#.log" output="#GetHttpRequestData().content#-#toBase64(GetHttpRequestData().content)#">
I could then see the string that was posted and the base64-encoded version of the string, which would help find any odd characters that could be getting dropped because of character sets, trimming, etc. In Notepad++ I was able to see the null value, but decoding the base64 string also showed an extra character in the post.
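
The decoding step described in the post above, as an added example that is not part of the original thread: it takes one entry in the `<content>-<base64>` shape that the cffile line writes, decodes the Base64 half, and reports the offset of every byte outside printable ASCII. The function names and the sample entries are constructed for illustration.

```python
import base64


def split_log_entry(entry: str):
    """Split one '<content>-<base64>' entry into (visible text, decoded bytes).

    Standard Base64 never contains '-', so the last '-' in the entry is the
    separator even when the posted content itself contains dashes.
    """
    visible, sep, b64 = entry.rstrip("\r\n").rpartition("-")
    if not sep:
        raise ValueError("entry is not in '<content>-<base64>' form")
    return visible, base64.b64decode(b64, validate=True)


def odd_bytes(body: bytes):
    """Return (offset, hex value) for each byte outside printable ASCII.

    A well-formed application/x-www-form-urlencoded body is printable ASCII,
    so NULs, other control characters and raw high bytes all stand out.
    """
    return [(i, f"0x{b:02x}") for i, b in enumerate(body) if b < 0x20 or b > 0x7E]


def inspect_entry(entry: str):
    """Compare the text half of an entry with what the Base64 half decodes to."""
    visible, body = split_log_entry(entry)
    return {
        "visible": visible,
        "decoded_length": len(body),
        # Positive when the text view lost bytes (editor, charset, trimming).
        "bytes_missing_from_text": len(body) - len(visible.encode("utf-8")),
        "odd_bytes": odd_bytes(body),
    }


# Constructed sample: the text half shows "name=foo", but the posted body
# actually ended in a NUL byte that the text view dropped.
SAMPLE_WITH_NUL = "name=foo-" + base64.b64encode(b"name=foo\x00").decode("ascii")

# Constructed sample: a clean form submission for comparison.
SAMPLE_CLEAN = "name=foo-" + base64.b64encode(b"name=foo").decode("ascii")


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_NUL, SAMPLE_CLEAN):
        print(inspect_entry(sample))
```

A log written this way holds raw request bodies, which can include credentials or session tokens, so it is best kept only for the duration of the diagnosis.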