ColdFusion 8 Enterprise "Session is invalid"

Community Expert

We use j2ee session management here (needed for cf clustering and sticky sessions) and no client variables.

Ah. There is apparently a known issue with J2EE sessions in MX6.1. This link contains the workaround, which involves modifying the file \WEB-INF\web.xml.

P.S.: This is the fix that ke4pym mentioned! Did you try it?

Participating Frequently

So after a day of testing, I can report success. My “Session Is Invalid” errors are gone. Before I get to the answer, lets talk about some things I learned.

With regards to session timeouts, when using J2EE sessions there seem to be two things involved. It seems both CF and the underlying J2EE layer maintain a session timeout “timer”. The “Session Is Invalid” error occurs whenever the J2EE session times out before the CF session times out. Basically, you ask CF for some session variable, session.foo, and CF says, “Sure I know about that session, let me go grab the value from the J2EE layer that is actually storing the value.” But the J2EE layer has already timed out that session and so it says back to CF, “Sorry dude, I can’t help you…. That ‘session is invalid’”.

It seems back in the CF 6 and 7 days, this situation could happen easily if you set your CF session timeout greater than 30 minutes. That’s because the J2EE session timeout had a hard coded maximum of 30 minutes. So say your CF session timeout was 40 minutes, and a user hits your site at 10:00 AM and then again at 10:33 AM. You would see the error because CF thinks the session still exists, but J2EE timed out the session at 10:30. So the solution back then was to edit an XML file to increase the hard coded J2EE session timeout. That’s documented in the technote that BKBK referenced. For what its worth, I could never reproduce the error in CF 8 by simply messing around with that xml file. At one point I hard coded the J2EE session-timeout to 1 minute, but never got the error. So my guess is that this particular bug has been fixed in CF 8. So how was I able to produce the error?

It turns out that a few months back, I started putting together some usage reporting tools for our site. Among other things, this tool would find all the current sessions on the server and print to the screen current information about those sessions (customer name, email address, total hits, etc). To get the list of sessions, I used the undocumented coldfusion.runtime.SessionTracker class. I could loop over this collection of sessions and get data from each session (ie thisSession.emailAddress). As it turned out, simply touching each session like this incremented CF’s session timeout timer, but not that sessions J2EE timer. So lets say the original timeout is 2 hours and a customer first hits the site at 10 AM. I then use my “fancy” session tracking tool at 10:30. At this point our customer sessions are out of sync. J2EE will still timeout the session at 12 PM, 2 hours after the customer last hit our site. But CF will not timeout the session until 12:30 PM, two hours after my session tracking tool referenced that session. So to stop this error from happening, I simply had to stop using my session tracking tool

The joke of it all is that I was using this tool with increased frequency in trying to troubleshoot this error. So the harder I worked to find this error, the more often the error occurred.

Again, thanks everyone for your suggestions. Lets hope that my pain here might help someone else avoid some pain in the future.

Community Expert

Again, <cfset this.setClientCookies = false /> might break sessions, unless you have some other way to maintain sessions from page to page.

Participating Frequently

We use j2ee session management here (needed for cf clustering and sticky sessions) and no client variables. So my understanding is that there is no need to have setClientCookies = true. Doing that will create the cfid and cftoken cookies, but we don't need them, we only need the jsessionid to identify the session. In any case, session management in general works.

The exciting news from late yesterday is that I now may have found the cause of this problem. I need a day to test, but I'm expecting to post successful results tomorrow morning.

Thanks all for the help with this. Fingers crossed....

A

Anonymous

Tim,

The other java application doesn't have to exactly be on your CF servers. The other offending java app could be on any server inside your domain.

Too much time can be just as bad as not enough. Just make sure it matches your ColdFusion setting.

web.xml should do. Though I'm curious to know why you don't have a j2ee-web.xml file. It should be in the same folder as your web.xml file.

A

Anonymous

I have a couple of thoughts.

Do you have another java based web system that everyone uses? Like, say, Peoplesoft? We had to use a rewrite rule to keep an eye out for offending session IDs from Peoplesoft to stop something similar.

Secondly, verify you have this setting

..jrun4\servers\<servername>\cfusion-ear\cfusion-war\web-inf\j2ee-web.xml

<session-config>
<session-timeout>90</session-timeout>
</session-config>

Make sure this matches or slightly exceeds your ColdFusion session time out.

This keeps the java side in sync with the CF side. In the early days this value wouldn't get set or get set incorrectly.

Participating Frequently

@ke4pym

We don't have any other java application that we are hosting on these servers. But that's an interesting insight I'll have to remember that one.

As for your other suggestion, I have the session-timeout set to 180 (I'm giving it plenty of extra time for now). Although I have it set in a "web.xml" file not a j2ee-web.xml file. The only place on my file system that I see a "j2ee-web.xml" file is under the default "cfusion" instance that we done use.

Community Expert

It should be Application.cfc with capital A. Also, you should set this.setClientCookies to true. If you don't, then you will have to manually set CFID and CFTOKEN on the URL of every page. Otherwise your application wont be able to maintain a session from one page request to the next.

Community Expert

Al Baker,

I think it's relevant for us to know your Coldfusion version and the content of the cfapplication tag.

Participating Frequently

I'm using cf enterprise 8.0.1(8,0,1,195765). Its running on redhat. I have two physical machines each running two instances for a total of a 4 instance cluster. I'm using application.cfc and the relevant portion looks like this :

<cfcomponent output="false">

<cfset this.name = "xxxxx" />
<cfset this.applicationTimeout = createTimeSpan(5,0,0,0) />
<cfset this.clientManagement = false />
<cfset this.setClientCookies = false />
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan(0,2,0,0) />

Charlie Arehart

Community Expert

Al and Tim, while truly understanding the problem may take some effort, have you tried the work around of doing a try/catch on the CFAPPLICATION tag, as listed in the comment in this blog entry:

http://www.pjk.us/paul/index.cfm?mode=entry&entry=9603C7B2-3048-28E9-DAD333835BEAFD8A#c9D057530-3048-28E9-DAA2112B8C50D861

It may at least let you avoid the error while you work to better understand it.

/Charlie (troubleshooter, carehart. org)

Participating Frequently

Yeah I've got something like that working as a stop gap, but i'd really like to see the error go away. My next step is to mess around with the web.xml file again and to maybe look into setting the session expire manually by doing a setMaxInactiveInterval(). Maybe setting session timeout directly in at the java layer will keep it from going away before cf thinks it should? My biggest problem right now is that I can't consistently reproduce the error. My site wide error handler is emailing me when it happens, but I cant get it to happen myself. It makes testing very hard. I make 1 change a day and see if the error goes away.......

A

Anonymous

Has anyone seen the J2EE "session is invalid" message associated with the <cfapplication> tag?

Does anyone know how to fix it? If it is caused by CF sessions lasting longer than J2EE sessions, how does one change the J2EE session length?