Hi, I recently installed ColdFusion 10. When I log in from the first browser it logs me in, and when I try to log in from another browser it throws me out, saying that there is an active session, which doesn't happen in CF9. I noticed that CFTOKEN is not generating a new token when I try to log in from the second browser. Any help would be appreciated.
Let me clarify,
In CF9, when I use two IE browsers on the same machine without deleting cookies, just taking a new session, it allows me to log in to two browsers (not only two, it allows more than 2 browsers also) and didn't give any problem. I have been working this way for the past 2 years.
In CF10, when I use two IE browsers on the same machine without deleting cookies, just taking a new session, it doesn't allow me to log in in the second browser.
Sorry, but that doesn't clarify.
Jason
OK,
In CF10, with two IE browsers on the same machine, I am able to log in in the first browser; the second browser says there is an existing session. Is it possible to have multiple sessions (same IE browsers, not different) in CF10 on the same machine?
Regards,
Raja
Can anyone help me on this issue?
In CF10, with two IE browsers on the same machine, I am able to log in in the first browser; the second browser says there is an existing session. Is it possible to have multiple sessions (same IE browsers, not different) in CF10 on the same machine?
Mucharla Raja wrote:
Two IE browsers on same machine
12Robots has raised this issue with you quite a number of times. You still haven't said anything more about it, besides just repeating it.
Two Internet Explorer browsers on the same machine? What kind of an installation configuration is that? Why would anyone want to install 2 Internet Explorer instances on the same machine?
I didn't install 2 Internet Explorer instances.
I am using IE 9 only.
I opened the IE browser two times by taking a new session (Alt + F).
More info,
For CF9, please check this video.
For CF10, please check this video.
I hope this will give you a clear idea of my problem......
Mucharla Raja wrote:
More Info...
I hope this will give you a clear idea of my problem......
Clear enough. I think we answered this before.
What you encounter is probably the result of the new session handling in ColdFusion 10 to counteract the so-called session-fixation attacks. This session behaviour differs from that of ColdFusion 9. That is why someone reported it as the following bug:
https://bugbase.adobe.com/index.cfm?event=bug&id=3339008
It is known that the JVM flag -Dcoldfusion.session.protectfixation=false reverts the behaviour from ColdFusion 10 to ColdFusion 9. However, you said you applied this and it didn't work. Well, it should. Hence my advice that you go to that bug report, and leave a note about your findings.
There is a new function in ColdFusion 10 that you might want to try. On the page, run <cfset sessionRotate()>.
Hi,
Dcoldfusion.session.protectfixation=false didn't work.
sessionRotate() will override the existing one, which means the first browser session is invalid.
I am using Windows 7, a 64-bit operating system.
I am using ColdFusion 10 Developer Edition.
I can understand. I have been able to reproduce the issue you face. I, too, am on 64 bit Win 7 and CF10. I used IE9 and Firefox 16 to test.
Assume the Java flag is in operation. The idea was that there could be a way to use a variable, session.isSessionRotated, say, to maintain the same session after 2 separate, but identical, logins. For example, Session.isSessionRotated is made false by default in onSessionStart. It then becomes true when sessionRotate() is processed on the page. Another important precondition is the setting loginStorage = "session".
However, I have had to give up after hours of trying. When I logged in in Firefox, the session I had created in IE using the same credentials was terminated. I went back to IE and logged in, again using the same credentials. That terminated the session in Firefox. This happened with or without the Java flag. Restarting the server didn't help.
I have just added a note to the bug report.
Mucharla Raja wrote:
I didn't install 2 Internet Explorer instances.
I am using IE 9 only.
I opened the IE browser two times by taking a new session (Alt + F).
You are therefore using just one IE browser, not two as you kept saying.