Skip to main content
T
tmike12345
New Participant
March 24, 2014
Question

has anyone had an issue were ColdFusion session variables never timeout on a server?

  • March 24, 2014
  • 1 reply
  • 1577 views

I am having an issue on one of our production ColdFusion 9 servers where the session variables are never timing out.

I set up a very simple page to make sure I'm not missing something.

Application.CFC page (I tried Application.cfm as well)

<cfcomponent>

<cfset This.name = "TestApplication">
<cfset This.Sessionmanagement=true>
<cfset This.Sessiontimeout="#createtimespan(0,0,1,0)#">
<cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

<cffunction name="OnApplicationStart">
<cfsetting showdebugoutput="yes" enablecfoutputonly="No">
</cffunction>
<cffunction name="OnRequestStart">
<cfdump var="#this#">
</cffunction>
</cfcomponent>

Index.cfm page

<cfif isDefined("Session.TimeStamp")>
<cfdump var="#Session#">
<cfdump var="#Application#">

<cfoutput>#Session.TimeStamp#</cfoutput>
<cfelse>
<cfset Session.TimeStamp=Now()>

</cfif>

The TimeStamp session variable never times out and once it is set the first time. I can leave the page up for days and it still won't time-out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

Has anyone seen this type of issue before?

    This topic has been closed for replies.

    1 reply

    BKBK
    Community Expert
    BKBKCommunity Expert
    Community Expert
    March 24, 2014

    tmike12345 wrote:

    The TimeStamp session variable never times out and once it is set the first time. I can leave the page up for days and it still won't time-out. My maximum session timeout on the server is set to 2 days. The only way to get rid of the session variables is to clear the cookies on the browser.

    You should not expect a custom session variable to timeout. That wont happen because it is contrary to the design of sessions.

    What times out is the session itself, rather than a variable in it. However, the setting This.Sessionmanagement=true implies that ColdFusion will always provide a session whenever a user opens a page. So, session 1 may time out, but new session 2 may start. It, too, may later time out if left idle for a while, giving way to new session 3. Whereas, the variable session.timestamp may continue to be defined in session 3, as it once was in session 1 and in session 2.

    The most obvious way to verify whether a session has timed out is to check for a change in the system variables session.CFID and session.CFToken. Such a change means the beginning of a new session. That is, of course, one consequence of the end of a session.

    You will be glad to know that Application.cfc itself automatically knows when a session has ended. Its onSessionEnd event will fire when a session ends. I have included it in the following suggestions:

    <cfcomponent>

    <cfset This.name = "TestApplication">
    <cfset This.Sessionmanagement=true>

    <!--- Session timeout usually set at 20 to 30 minutes (comes from studies on users on the web) --->
    <cfset This.Sessiontimeout="#createtimespan(0,0,20,0)#">
    <cfset This.applicationtimeout="#createtimespan(5,0,0,0)#">

    <cffunction name="OnApplicationStart">
    <!--- A page setting: does not belong here--->

    <!---<cfsetting showdebugoutput="yes" enablecfoutputonly="No">--->
    </cffunction>
    <cffunction name="OnRequestStart">

    <!--- Generally bad practice to display anything in the Application file--->
    <!--- <cfdump var="#this#">--->
    </cffunction>

    <cffunction name="onSessionStart">

    <cfset session.timestamp = now()>

    </cffunction>

    <cffunction name="onSessionEnd">

    <cfargument name = "sessionscope" required="yes">

    <cfargument name = "appscope" required="yes">

    <cflog file="#this.name#" type="information" text="The session #arguments.sessionscope.sessionid# started at #arguments.sessionscope.timestamp# and ended at #now()#">

    </cffunction>

    </cfcomponent>

    Index.cfm page

    <!--- The setting This.Sessionmanagement=true means the session will always be defined. There is therefore no need to test for its existence--->

    <cfdump var="#Session#">
    <cfdump var="#Application#">

    T
    tmike12345Author
    New Participant
    March 24, 2014

    Thanks for the quick response. I'm not sure what you mean though. I know that the session cookies themselves won't time out unless I force it to. But why wouldn't a regular session variable for a particular user not time out?

    Another words, I open up IE on that page and I expect the session on the page to time out after 1 minute, including timing out the TimeStamp session variable that I created. On all the other servers I tried that, it times out properly. On this one particular server it does not.

    Thanks

    S
    Steve Sommers
    Legend
    March 24, 2014

    Thanks for the response again.

    To make sure I understand you correctly, because as I mentioned this only happens on one server, not any other ones that we have.

    The TimeStamp variable in the statement here should be reset to a new value every time the session times out. In the server where we are having the issue, the timestamp variable is never changing. As you mention, any session variables that exist for a particular browser should timeout after the timeout period.

    As you can see in the image below, the TimeStamp variable still shows yesterday's date, which means the session never timed out, even though the session timeout setting is 60 seconds.


    I don't know if this is a contributing factor or not but there is a "Use J2EE session variables" in the CF admin options. While I definately prefer using this option, I have experienced some similar strange behaviour and I "think" CF might be allowing java to control the session scope and I'm not sure this.sessiontimeout applies to java sessions. But I could be simply making all this up to match some of the behaviour I have seen.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices