
ColdFusion 8 Enterprise "Session is invalid"

Guest
Jan 23, 2008
We are suddenly beginning to see a lot of "session is invalid" messages that show the <cfapplication> tag as the source of the errors. As far as I can tell, nothing has changed. I didn't make any changes to CFAdmin, nor to the application.cfm file containing the <cfapplication> tag on all the sites seeing the error.

Is this similar to the old CF MX6 problem J2EE (which I never had)?

I am running multiple instances using CF 8 Enterprise and we are using J2EE session variables.

What is causing this problem and how do I fix it?

Please!

Guest
Jan 28, 2008
Has anyone seen the J2EE "session is invalid" message associated with the <cfapplication> tag?

Does anyone know how to fix it? If it is caused by CF sessions lasting longer than J2EE sessions, how does one change the J2EE session length?

New Here ,
Dec 12, 2008
Hi Al,

We just recently started having the session is invalid error. Any chance that you found a solution to this?

Guest
Dec 12, 2008
No, sorry. I think I ended up doing enough Googling until I got an answer. Anyone else have anything on this?

Community Expert ,
Dec 12, 2008
Al and Tim, while truly understanding the problem may take some effort, have you tried the workaround of doing a try/catch on the CFAPPLICATION tag, as listed in the comment in this blog entry:

http://www.pjk.us/paul/index.cfm?mode=entry&entry=9603C7B2-3048-28E9-DAD333835BEAFD8A#c9D057530-3048...

It may at least let you avoid the error while you work to better understand it.

/Charlie (troubleshooter, carehart. org)

New Here ,
Dec 12, 2008
Yeah, I've got something like that working as a stopgap, but I'd really like to see the error go away. My next step is to mess around with the web.xml file again and to maybe look into setting the session expire manually by doing a setMaxInactiveInterval(). Maybe setting the session timeout directly at the Java layer will keep it from going away before CF thinks it should? My biggest problem right now is that I can't consistently reproduce the error. My site-wide error handler is emailing me when it happens, but I can't get it to happen myself. It makes testing very hard. I make 1 change a day and see if the error goes away...

Community Expert ,
Dec 13, 2008
Al Baker,

I think it's relevant for us to know your ColdFusion version and the content of the cfapplication tag.

New Here ,
Dec 13, 2008
I'm using CF Enterprise 8.0.1 (8,0,1,195765). It's running on Red Hat. I have two physical machines each running two instances for a total of a 4-instance cluster. I'm using application.cfc and the relevant portion looks like this:

<cfcomponent output="false">

<cfset this.name = "xxxxx" />
<cfset this.applicationTimeout = createTimeSpan(5,0,0,0) />
<cfset this.clientManagement = false />
<cfset this.setClientCookies = false />
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan(0,2,0,0) />

Community Expert ,
Dec 13, 2008
It should be Application.cfc with capital A. Also, you should set this.setClientCookies to true. If you don't, then you will have to manually set CFID and CFTOKEN on the URL of every page. Otherwise your application won't be able to maintain a session from one page request to the next.

Guest
Dec 15, 2008
I have a couple of thoughts.

Do you have another java based web system that everyone uses? Like, say, Peoplesoft? We had to use a rewrite rule to keep an eye out for offending session IDs from Peoplesoft to stop something similar.

Secondly, verify you have this setting

..jrun4\servers\<servername>\cfusion-ear\cfusion-war\web-inf\j2ee-web.xml

<session-config>
<session-timeout>90</session-timeout>
</session-config>

Make sure this matches or slightly exceeds your ColdFusion session timeout.

This keeps the java side in sync with the CF side. In the early days this value wouldn't get set or get set incorrectly.
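
Added example (not from any poster in this thread): a Python check of the rule in the post above, that the J2EE `<session-timeout>` should match or slightly exceed the ColdFusion session timeout. The sample files are constructed from values quoted in the thread; the function names and the 15-minute `slack` used for "slightly" are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: 90 is the web.xml value shown above, and
# createTimeSpan(0,2,0,0) is the Application.cfc value posted earlier.
WEB_XML = """<web-app>
  <session-config>
    <session-timeout>90</session-timeout>
  </session-config>
</web-app>"""

APPLICATION_CFC = """<cfcomponent output="false">
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan(0,2,0,0) />
</cfcomponent>"""

TIMESPAN = re.compile(
    r"this\.sessionTimeout\s*=\s*createTimeSpan\(\s*"
    r"(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)


def j2ee_timeout_minutes(web_xml):
    """Return <session-timeout> (minutes) or None if the element is absent."""
    for el in ET.fromstring(web_xml).iter():
        # Compare the local name so a namespaced web.xml also matches.
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int(el.text.strip())
    return None


def cf_timeout_minutes(cfc_source):
    """Return this.sessionTimeout in minutes from createTimeSpan(d, h, m, s)."""
    match = TIMESPAN.search(cfc_source)
    if match is None:
        return None
    days, hours, minutes, seconds = map(int, match.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def compare(web_xml, cfc_source, slack=15):
    """Classify the pair; `slack` (minutes) is an assumed reading of 'slightly'."""
    j2ee, cf = j2ee_timeout_minutes(web_xml), cf_timeout_minutes(cfc_source)
    if j2ee is None or cf is None:
        return "unknown"
    if j2ee <= 0:
        return "j2ee-never-expires"   # servlet spec: 0 or less disables timeout
    if j2ee < cf:
        return "j2ee-expires-first"   # the ordering the thread ties to the error
    if j2ee > cf + slack:
        return "j2ee-much-longer"
    return "in-sync"


if __name__ == "__main__":
    print(compare(WEB_XML, APPLICATION_CFC))
```
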
New Here ,
Dec 15, 2008
@ke4pym

We don't have any other java application that we are hosting on these servers. But that's an interesting insight; I'll have to remember that one.

As for your other suggestion, I have the session-timeout set to 180 (I'm giving it plenty of extra time for now). Although I have it set in a "web.xml" file, not a j2ee-web.xml file. The only place on my file system that I see a "j2ee-web.xml" file is under the default "cfusion" instance that we don't use.

Guest
Dec 15, 2008
Tim,

The other java application doesn't have to exactly be on your CF servers. The other offending java app could be on any server inside your domain.

Too much time can be just as bad as not enough. Just make sure it matches your ColdFusion setting.

web.xml should do. Though I'm curious to know why you don't have a j2ee-web.xml file. It should be in the same folder as your web.xml file.

Community Expert ,
Dec 15, 2008
Again, <cfset this.setClientCookies = false /> might break sessions, unless you have some other way to maintain sessions from page to page.


New Here ,
Dec 16, 2008
We use j2ee session management here (needed for cf clustering and sticky sessions) and no client variables. So my understanding is that there is no need to have setClientCookies = true. Doing that will create the cfid and cftoken cookies, but we don't need them, we only need the jsessionid to identify the session. In any case, session management in general works.

The exciting news from late yesterday is that I now may have found the cause of this problem. I need a day to test, but I'm expecting to post successful results tomorrow morning.

Thanks all for the help with this. Fingers crossed....

Community Expert ,
Dec 16, 2008
"We use j2ee session management here (needed for cf clustering and sticky sessions) and no client variables."

Ah. There is apparently a known issue with J2EE sessions in MX6.1. This link contains the workaround, which involves modifying the file \WEB-INF\web.xml.

P.S.: This is the fix that ke4pym mentioned! Did you try it?


New Here ,
Dec 17, 2008
So after a day of testing, I can report success. My “Session Is Invalid” errors are gone. Before I get to the answer, let’s talk about some things I learned.

With regards to session timeouts, when using J2EE sessions there seem to be two things involved. It seems both CF and the underlying J2EE layer maintain a session timeout “timer”. The “Session Is Invalid” error occurs whenever the J2EE session times out before the CF session times out. Basically, you ask CF for some session variable, session.foo, and CF says, “Sure I know about that session, let me go grab the value from the J2EE layer that is actually storing the value.” But the J2EE layer has already timed out that session and so it says back to CF, “Sorry dude, I can’t help you…. That ‘session is invalid’”.

It seems back in the CF 6 and 7 days, this situation could happen easily if you set your CF session timeout greater than 30 minutes. That’s because the J2EE session timeout had a hard coded maximum of 30 minutes. So say your CF session timeout was 40 minutes, and a user hits your site at 10:00 AM and then again at 10:33 AM. You would see the error because CF thinks the session still exists, but J2EE timed out the session at 10:30. So the solution back then was to edit an XML file to increase the hard coded J2EE session timeout. That’s documented in the technote that BKBK referenced. For what it’s worth, I could never reproduce the error in CF 8 by simply messing around with that xml file. At one point I hard coded the J2EE session-timeout to 1 minute, but never got the error. So my guess is that this particular bug has been fixed in CF 8. So how was I able to produce the error?

It turns out that a few months back, I started putting together some usage reporting tools for our site. Among other things, this tool would find all the current sessions on the server and print to the screen current information about those sessions (customer name, email address, total hits, etc). To get the list of sessions, I used the undocumented coldfusion.runtime.SessionTracker class. I could loop over this collection of sessions and get data from each session (i.e. thisSession.emailAddress). As it turned out, simply touching each session like this incremented CF’s session timeout timer, but not that session’s J2EE timer. So let’s say the original timeout is 2 hours and a customer first hits the site at 10 AM. I then use my “fancy” session tracking tool at 10:30. At this point our customer sessions are out of sync. J2EE will still timeout the session at 12 PM, 2 hours after the customer last hit our site. But CF will not timeout the session until 12:30 PM, two hours after my session tracking tool referenced that session. So to stop this error from happening, I simply had to stop using my session tracking tool.

The joke of it all is that I was using this tool with increased frequency in trying to troubleshoot this error. So the harder I worked to find this error, the more often the error occurred.

Again, thanks everyone for your suggestions. Let’s hope that my pain here might help someone else avoid some pain in the future.
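
Added example (not part of the original post): a small Python model of the two timers as the post above describes them, where a real request resets both and a server-side read of the session object resets only ColdFusion's. It models the described behaviour and is not ColdFusion or JRun code; the event names and functions are assumptions, and the date in the timeline is constructed.

```python
from datetime import datetime, timedelta

REQUEST = "request"        # real client hit: resets both timers
INTROSPECT = "introspect"  # server-side read of the session: resets CF's only


def expiries(events, timeout):
    """Replay (when, kind) events for one session.

    Returns (j2ee_expiry, cf_expiry), or (None, None) if no request was seen.
    """
    j2ee = cf = None
    for when, kind in sorted(events):
        if cf is not None and when >= cf:
            break                      # CF has already dropped the session
        if kind == REQUEST:
            if j2ee is not None and when >= j2ee:
                break                  # this hit would raise the error
            j2ee = cf = when + timeout
        elif kind == INTROSPECT and cf is not None:
            cf = when + timeout        # J2EE timer is left untouched
    return j2ee, cf


def outcome(events, timeout, hit):
    """What a client request at `hit` sees, given the earlier events."""
    j2ee, cf = expiries([e for e in events if e[0] < hit], timeout)
    if cf is None or hit >= cf:
        return "new session"           # both layers agree the session is gone
    if hit >= j2ee:
        return "session is invalid"    # CF still tracks it, J2EE expired it
    return "ok"


# Constructed timeline using the times in the post (the date is arbitrary).
DAY = datetime(2008, 12, 17)
TIMEOUT = timedelta(hours=2)
CUSTOMER_ONLY = [(DAY.replace(hour=10), REQUEST)]
WITH_TOOL = CUSTOMER_ONLY + [(DAY.replace(hour=10, minute=30), INTROSPECT)]

if __name__ == "__main__":
    for label, events in (("no tool", CUSTOMER_ONLY), ("tool at 10:30", WITH_TOOL)):
        for hh, mm in ((11, 59), (12, 15), (12, 45)):
            hit = DAY.replace(hour=hh, minute=mm)
            print(label, hit.strftime("%H:%M"), outcome(events, TIMEOUT, hit))
```
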
New Here ,
Feb 20, 2011

Hi All,

We are facing the same session invalid issues. I can see more than 5000 times this error popped up in application log.

We are using a multi-server configuration in production; kindly find our environment details below.

Coldfusion version:8,0,1,195765
Maximum timeout of session variable:59 minutes
Timeout in web.xml:65

I understand that "Session is invalid" exception is happening when CF is trying to access the expired J2EE session. In other words, the J2EE session expires whereas the CF session is still alive.

But as per the above settings that can happen only if the CF session is being extended and the J2EE session is not.

Please let me know if you have any ideas.

Thanks in advance

Thanks,
Prasanna Venkatesan.S
Email:prasi.be@gmail.com

Community Expert ,
Feb 21, 2011

Prasanna, have you seen the issue that Tim mentions in his message here (http://forums.adobe.com/message/1002510#1002510), where he determined that his problem was being caused (despite all settings being "right") by his use of a tool that used the undocumented sessiontracker java object? He was saying that using that was in effect confusing the timeouts.

/charlie


/Charlie (troubleshooter, carehart. org)

New Here ,
Feb 21, 2011

Hi Charlie,

I have confirmed that we are not using any such classes in our product.

The only recent issue I can think about is that our Exchange integration functionality (designed using the cfexchange tag) started failing after renewal of the SSL certificate of our OWA. Adding the new certificate to the JVM certificate store using keytool.exe solved this issue.

A couple of days after this we got a bunch of "session invalid" exceptions. I am not sure whether it is related to this.

By switching on the CF monitoring tool we noticed that there were more than 2000 active sessions which were not ended.

After restarting the JRUN those sessions were dropped out.

Also we were not able to reproduce this in our dev or preprod or internal environment. In production also we were not able to reproduce this consistently.

This issue is affecting the considerable amount of production of our clients.

Please let us know if you have any clues. Thank you so much for your reply.

Thanks,

Prasanna Venkatesan.S

Community Expert ,
Feb 21, 2011

Hi Prasanna, I really would not see CFEXCHANGE or certs having any impact on sessions.

It's good to see that you've used the Server Monitor to confirm the number of sessions that you have. Seeing that they have thousands of sessions can indeed be a surprise for many. Did that seem normal? As for a restart clearing them, that does make sense (since CF sessions are stored in memory for the CF process, which is wiped on a restart).

Finally, you say "This issue is affecting the considerable amount of production of our clients." The original poster in this thread was only observing them in his logs, and found them curious. I don't think it was hurting him. When you say it's hurting your users, in what way? Is it that their sessions timeout earlier than they should? And if so, are you POSITIVE that you're getting "session is invalid"? Because there can be other explanations, such as (simply) CF restarting, because again that causes loss of sessions.

Then, too, if you have implemented the new CF Security hotfix, that can be another cause for users losing sessions in certain circumstances (but I don't think it would result in the "session is invalid" message). Have you (or someone else there) applied that (http://www.adobe.com/support/security/bulletins/apsb11-04.html)? For more on the problem some are having, see the comment in Ray's blog entry about the hotfix:

http://www.coldfusionjedi.com/index.cfm/2011/2/8/Security-Bulletin-for-ColdFusion#c7E731FE4-9508-88B0-AE72320DC225F405

And for a solution to that problem, see this blog entry from an Adobe CF engineer:

http://shilpikm.blogspot.com/2011/02/security-hot-fix-update-for-coldfusion.html

But again, this may not be your problem at all, Prasanna. If it's not, and in that this is affecting your production users, I will note that I am available to help on an on-demand consulting basis, where I can join you in a remote desktop sharing session (using Adobe Connect, over the web, so no firewall holes need be opened nor userid's granted). If you may be interested, see the link in my URL. There may be things I'd see in working with you that you're not thinking to mention here. Totally your call. I'm obviously willing also to answer questions here in the forums.

/charlie arehart

charlie@carehart.org

Providing on-demand troubleshooting services for CF and CFBuilder

at http://www.carehart.org/consulting


/Charlie (troubleshooter, carehart. org)

New Here ,
Feb 21, 2011

Great thanks Charlie. I will forward this to my manager and will let you know the updates.

Thanks,

Prasanna venkatesan.s
