Hi All,
I can't seem to figure this out, so any help would be appreciated. Might be a bug with CF2021.
I have 2 websites with cfapplication names AAA & BBB, both under the same domain, https, using www.
If I log in through one app using SAML (one per app), I lose the sessions in the other app (a new cftoken is generated). It doesn't happen every time, but it will happen after a few tests, or the first time after being idle for a few minutes.
.....mydomain.com/AAA/saml1/response.cfm
.....mydomain.com/BBB/saml2/response.cfm
Also, if I'm just playing around and setting a session variable in the same child folders as the SAML response, it won't lose the sessions of the other app. It seems the SAML round trip to Microsoft Azure causes the loss of sessions.
I tried with J2EE sessions on/off.
Any ideas how to remedy?
To start with, I would strongly advise you to switch from Application.cfm to Application.cfc.
Anyway, in which directories are the respective Application.cfm files?
Thanks for the reply, BKBK!
I just noticed that:
*** The session loss happens even with the same website when calling its own SAML login process *** if you give it a minute or two between SAML calls.
It's like leaving my domain causes a new cftoken to be created on arrival from the SAML cycle if you wait a minute between tests, and it is a bit random.
The Application files are both in the same directory as the CF SAML call & response:
.....mydomain.com/AAA/saml1/application.cfm
.....mydomain.com/BBB/saml2/application.cfm
First off, I would advise you to host just one application per domain, not two. Especially when you have to use SAML. When there is more than one application per domain, you have to manually construct the session for each application. That can involve a lot of coding.
Let's now move on to the issue. What you've described so far does not seem like a bug in ColdFusion or SAML. The issue is likely due to ColdFusion session cookie collisions between your two applications (AAA and BBB).
Cookies are domain-wide. That is, they are scoped to your mydomain.com. But since the two applications share the same domain, they potentially also share the same cookie name (CFID, CFTOKEN, and possibly JSESSIONID when you use J2EE sessions).
Therefore a possible solution is to set distinct session cookies manually for each individual application, instead of letting ColdFusion set the cookies automatically, which is its default behaviour. There are two separate scenarios, depending on whether you are using ColdFusion sessions or J2EE sessions.
Let's first try to solve the issue for ColdFusion sessions. If it succeeds, we will then look at J2EE sessions.
The key is to set setClientCookies="false" in each application file. It tells ColdFusion not to set CFID/CFTOKEN. You are going to do it manually yourself.
<!--- AAA/saml1/Application.cfm --->
<cfapplication
    name="AAA"
    sessionManagement="true"
    setClientCookies="false"
    applicationTimeout="#createTimeSpan(1,0,0,0)#"
    sessionTimeout="#createTimeSpan(0,0,20,0)#">

<!--- BBB/saml2/Application.cfm --->
<cfapplication
    name="BBB"
    sessionManagement="true"
    setClientCookies="false"
    applicationTimeout="#createTimeSpan(1,0,0,0)#"
    sessionTimeout="#createTimeSpan(0,0,20,0)#">
Then in your login logic, for example, directly after successful SAML login (or early in the request), explicitly set cookies with custom names:
// After successful SAML login in app AAA.
// cfcookie() is used instead of assigning cookie.X.expires: once
// cookie.AAA_CFID holds a string, it has no "expires" key to set, so
// "cookie.AAA_CFID.expires = 1" is not valid CFML. expires=1 keeps the
// optional 1-day lifetime; secure/httpOnly are set because the sites
// are served over https.
cfcookie(name="AAA_CFID", value=session.CFID, expires=1, secure=true, httpOnly=true);
cfcookie(name="AAA_CFTOKEN", value=session.CFTOKEN, expires=1, secure=true, httpOnly=true);

// After successful SAML login in app BBB: the same, with the BBB prefix.
cfcookie(name="BBB_CFID", value=session.CFID, expires=1, secure=true, httpOnly=true);
cfcookie(name="BBB_CFTOKEN", value=session.CFTOKEN, expires=1, secure=true, httpOnly=true);
Next, on every request, you have to manually restore the session scope before you can use a variable such as session.myVar. You do this by injecting CFID/CFTOKEN into the request scope to enable ColdFusion to find the correct session in memory. You can do so as follows:
/* Pseudo-code for AAA app (ensure that this occurs early in the request, for example, in Application.cfm or in onRequestStart of Application.cfc) */
if (structKeyExists(cookie, "AAA_CFID") and structKeyExists(cookie, "AAA_CFTOKEN")) {
    // Restore standard ColdFusion session keys
    url.CFID = cookie.AAA_CFID;
    url.CFTOKEN = cookie.AAA_CFTOKEN;
}

/* Pseudo-code for BBB app (ensure that this occurs early in the request, for example, in Application.cfm or in onRequestStart of Application.cfc) */
if (structKeyExists(cookie, "BBB_CFID") and structKeyExists(cookie, "BBB_CFTOKEN")) {
    // Restore standard ColdFusion session keys
    url.CFID = cookie.BBB_CFID;
    url.CFTOKEN = cookie.BBB_CFTOKEN;
}
Url.CFID and url.CFTOKEN override ColdFusion’s session resolver. Now ColdFusion thinks the incoming request uses those session values.
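To make the cookie-collision explanation above concrete, here is a small model of a browser cookie jar. It is an added illustration for this thread, not ColdFusion code and not from Adobe or either poster. It assumes RFC 6265 semantics, where a cookie's identity is the tuple (name, domain, path); the host name, request paths and CFID/CFTOKEN values are constructed sample data. It shows the default case (both apps write CFID/CFTOKEN with path "/", so the last writer wins), the prefixed-name approach suggested above, and, going one step beyond the post, a path-scoped variant that keeps the standard names.

```python
"""Cookie-jar model: why two ColdFusion apps on one host can overwrite each
other's CFID/CFTOKEN, and how distinct names or per-app paths avoid it.
Assumption: RFC 6265 rules. All hosts, paths and values are constructed."""
from dataclasses import dataclass, field

HOST = "www.mydomain.com"  # constructed host standing in for the poster's domain


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"


@dataclass
class CookieJar:
    """Minimal RFC 6265-style jar: a later Set-Cookie with the same
    (name, domain, path) replaces the earlier cookie."""
    store: dict = field(default_factory=dict)

    def set_cookie(self, cookie: Cookie) -> None:
        self.store[(cookie.name, cookie.domain, cookie.path)] = cookie

    @staticmethod
    def _path_matches(cookie_path: str, request_path: str) -> bool:
        # RFC 6265 section 5.1.4 path-match rules
        if request_path == cookie_path:
            return True
        if not request_path.startswith(cookie_path):
            return False
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

    def cookies_for(self, domain: str, request_path: str) -> dict:
        """Name -> value of the cookies a browser would attach to a
        request for https://domain/request_path."""
        return {
            name: c.value
            for (name, cdomain, cpath), c in self.store.items()
            if cdomain == domain and self._path_matches(cpath, request_path)
        }


AAA_PATH = "/AAA/saml1/response.cfm"
BBB_PATH = "/BBB/saml2/response.cfm"


def default_names_scenario() -> tuple:
    """Both apps let the server set CFID/CFTOKEN with the default path '/'.
    Whichever app wrote last wins, so app AAA now receives app BBB's pair."""
    jar = CookieJar()
    jar.set_cookie(Cookie("CFID", "1001", HOST))       # written while using AAA
    jar.set_cookie(Cookie("CFTOKEN", "tok-aaa", HOST))
    jar.set_cookie(Cookie("CFID", "2002", HOST))       # written while using BBB
    jar.set_cookie(Cookie("CFTOKEN", "tok-bbb", HOST))
    return jar.cookies_for(HOST, AAA_PATH), jar.cookies_for(HOST, BBB_PATH)


def prefixed_names_scenario() -> tuple:
    """The thread's suggestion: app-specific cookie names. Both pairs are
    sent to both apps, but each app reads only its own prefix."""
    jar = CookieJar()
    jar.set_cookie(Cookie("AAA_CFID", "1001", HOST))
    jar.set_cookie(Cookie("AAA_CFTOKEN", "tok-aaa", HOST))
    jar.set_cookie(Cookie("BBB_CFID", "2002", HOST))
    jar.set_cookie(Cookie("BBB_CFTOKEN", "tok-bbb", HOST))
    return jar.cookies_for(HOST, AAA_PATH), jar.cookies_for(HOST, BBB_PATH)


def path_scoped_scenario() -> tuple:
    """Alternative: keep the standard names but scope each cookie to its
    application's path, so the browser sends only the matching pair."""
    jar = CookieJar()
    jar.set_cookie(Cookie("CFID", "1001", HOST, "/AAA"))
    jar.set_cookie(Cookie("CFTOKEN", "tok-aaa", HOST, "/AAA"))
    jar.set_cookie(Cookie("CFID", "2002", HOST, "/BBB"))
    jar.set_cookie(Cookie("CFTOKEN", "tok-bbb", HOST, "/BBB"))
    return jar.cookies_for(HOST, AAA_PATH), jar.cookies_for(HOST, BBB_PATH)


if __name__ == "__main__":
    for label, fn in [("default names", default_names_scenario),
                      ("prefixed names", prefixed_names_scenario),
                      ("path scoped", path_scoped_scenario)]:
        aaa, bbb = fn()
        print(f"{label:15s} AAA gets {aaa}\n{'':15s} BBB gets {bbb}")
```

Neither prefixing nor path scoping is an isolation boundary: both applications are the same origin, so a cookie path only controls which cookies the browser attaches to a request, not who can read them. Whichever naming scheme is used, the session cookies should carry the Secure and HttpOnly flags, since the sites are served over https.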
Thanks BKBK for being helpful!
I understand the workaround.
Although the session loss happens when triggering the SAML login with the same website too, somewhat randomly. The 2-website scenario is not necessary to replicate the issue; I only realized it later.
Thanks BKBK for being helpful!
I understand the workaround.
By @gmelanson
No worries.
Although the session loss happens when triggering the SAML login with the same website too, somewhat randomly. The 2-website scenario is not necessary to replicate the issue; I only realized it later.
By @gmelanson
Do you mean that sessions are lost when you run just one of the websites? And apparently caused by SAML login?
To your question: yes, the sessions get lost and recreated when running one website if you wait a minute between manually calling SAML again and again. A bit random too.
It seems it's because SAML is leaving the domain and then coming back that the sessions get lost. It happens under different browsers.
Moving all websites to the same SAML login is not a great option for me. We have lots of old websites, each with its own login, etc.
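When a session loss looks random, the practical first step is to log the client's session identifiers on every request and see where they change. The following is an added diagnostic for this thread, not code from the thread, from Adobe, or from either poster. It assumes a per-request log line of the form "<ISO timestamp> client=... app=... path=... cfid=... cftoken=..." (for instance written with cflog() from onRequestStart); the log lines below are constructed sample data in which the identifiers change right after the SAML response page.

```python
"""Find requests where a client's ColdFusion session identifiers change.
Assumed (constructed) log format: "<timestamp> key=value ..." with keys
client, app, path, cfid, cftoken. The sample log is made up."""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log. One client uses app AAA and its CFID/CFTOKEN pair
# changes on the SAML response page; a second client on BBB is stable.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=203.0.113.5 app=AAA path=/AAA/index.cfm cfid=1001 cftoken=tok-a1
2024-05-01T10:00:02Z client=203.0.113.5 app=AAA path=/AAA/saml1/login.cfm cfid=1001 cftoken=tok-a1
2024-05-01T10:00:09Z client=203.0.113.5 app=AAA path=/AAA/saml1/response.cfm cfid=1002 cftoken=tok-a2
2024-05-01T10:00:10Z client=203.0.113.5 app=AAA path=/AAA/dashboard.cfm cfid=1002 cftoken=tok-a2
2024-05-01T10:01:00Z client=198.51.100.7 app=BBB path=/BBB/index.cfm cfid=3003 cftoken=tok-b1
2024-05-01T10:01:05Z client=198.51.100.7 app=BBB path=/BBB/page.cfm cfid=3003 cftoken=tok-b1
"""


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def find_session_resets(log_text: str) -> list:
    """One record per request where a client's (cfid, cftoken) pair for an
    app differs from that client's previous request to the same app."""
    last = {}      # (client, app) -> (cfid, cftoken) seen on the previous request
    resets = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["client"], rec["app"])
        ident = (rec["cfid"], rec["cftoken"])
        if key in last and last[key] != ident:
            resets.append({"ts": rec["ts"], "app": rec["app"], "path": rec["path"],
                           "before": last[key], "after": ident})
        last[key] = ident
    return resets


def paths_with_resets(log_text: str) -> dict:
    """Count resets per request path: if every reset lands on the same
    endpoint, the loss is not random but tied to that step."""
    counts = defaultdict(int)
    for r in find_session_resets(log_text):
        counts[r["path"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in find_session_resets(SAMPLE_LOG):
        print(f"{r['ts']} {r['app']} {r['path']}: {r['before']} -> {r['after']}")
    print(paths_with_resets(SAMPLE_LOG))
```

Run against a real log, the interesting output is the path column: a reset that always lands on the SAML response page points at the cookie not being sent back (or being replaced) on that request, which is then worth comparing against the Set-Cookie headers the browser receives on the redirect back from the identity provider.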
Thanks for clarifying. The sessions getting lost and being recreated when running one website suggests to me that the session is not being maintained between requests. One way to maintain sessions when running one website is to use setClientCookies="true".
That is, something like this:
<cfapplication
    name="AAA"
    sessionManagement="true"
    setClientCookies="true"
    applicationTimeout="#createTimeSpan(1,0,0,0)#"
    sessionTimeout="#createTimeSpan(0,0,20,0)#">
Suggested test for the one-website option:
1. switch on J2EE sessions in the Administrator;
2. restart ColdFusion.
Thanks for all the help, BKBK!
Although, setClientCookies is already set to true, and I've tried with J2EE sessions on & off.
Thanks again.
Sessions should have been maintained in the circumstances. That is, with setClientCookies="true". Let's take a step back and start from the beginning.
For simplicity, let's start with one website, AAA. The user logs in using SAML. Assumption: SAML has been properly configured, for example, in the ColdFusion Administrator.
Before we go any further, please convert AAA's Application.cfm to Application.cfc and share it with the forum. Before you do, replace any sensitive information with ***. If you need help with the conversion, then share the Application.cfm and you will get suggestions.