java.lang.IllegalStateException: Cannot create a session after the response has been committed
Yesterday a new CF11 server that we are prepping for production started spitting out these exceptions while performing a site security scan:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
In googling I found some references to some Tomcat issues but nothing regarding ColdFusion. I know CF11 uses Tomcat but I have no idea what the error is or how to fix it. Anyone have any experience with this error and if so, details please...
Stack trace is as follows, if it helps:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2925)
    at org.apache.catalina.connector.Request.getSession(Request.java:2301)
    at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216)
    at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229)
    at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:989)
    at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:1082)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:397)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:42)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:141)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151)
    at coldfusion.CfmServlet.service(CfmServlet.java:219)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at sun.reflect.GeneratedMethodAccessor88.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at sun.reflect.GeneratedMethodAccessor855.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:97)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doNext(FusionReactorRequestHandler.java:472)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doHttpServletRequest(FusionReactorRequestHandler.java:312)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doFusionRequest(FusionReactorRequestHandler.java:192)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.handle(FusionReactorRequestHandler.java:507)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:36)
    at sun.reflect.GeneratedMethodAccessor854.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:79)
    at sun.reflect.GeneratedMethodAccessor853.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.intergral.fusionreactor.agent.filter.FusionReactorStaticFilter.doFilter(FusionReactorStaticFilter.java:53)
    at com.intergral.fusionreactor.agent.pointcuts.NewFilterChainPointCut$1.invoke(NewFilterChainPointCut.java:41)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:422)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:198)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Thanks.
Hi Steve, are you using a Linux box? Could you please share your environment details?
Sorry, forgot to mention that:
- Windows Server 2012 R2 Datacenter
- 12 GB RAM
- IIS 8.5
- CF 11 Enterprise
What tool are you using to scan? Can you give us a little more detail on that?
This was caused by an external scanning vendor: Trustwave. I don't know what tools they use. They may be proprietary. From the alerts I received, I'm not seeing anything out of the ordinary as far as scans go, the tool is just crawling the site. Our sites are scanned regularly multiple times a month. This is our first production CF11 server and the first time we have seen this error. Most of our servers are CF9.
Hi,
I have had the same error message. Ours is the CF11 standard, IIS 8.5, Windows 2012 on an Amazon server, and Trustwave also scans our server for PCI compliance. There's a good summary of this issue with Tomcat here: http://stackoverflow.com/questions/8072311/adding-hform-causes-java-lang-illegalstateexception-canno...
This error message first started appearing after upgrading from CF10 to 11 and simultaneously moving from a solid-state server managed by a local service to an Amazon cloud server.
I was getting the same error. We are also on CF11 standard, IIS, Windows 2012 on Amazon EC2 servers. Unchecking the option to "Use J2EE session variables" made the error go away.
Hope that helps someone...
Did Adobe ever address this issue?
We just upgraded from CF9 to CF2016 on Linux and ran into this issue tonight.
A template that serves up a large sitemap with a lot of output created the error when Bing bot hit it tonight. Note that this template does NOTHING with sessions. It queries a datasource and spits out some XML. That's it.
"Error","ajp-nio-8016-exec-1","07/20/17","19:16:17","THECFAPP","Cannot create a session after the response has been committed null
The error occurred on line -1. : The specific sequence of files included or processed is: /sitemaps/sitemap.cfm
Frustrating bug because it doesn't appear to have any solution. It does appear to be a Tomcat related issue.
Apart from the suggestion above to turn J2EE session variables off (which I'd rather not resort to), does anyone know of a way to fix this?
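An added triage example, not written by anyone in this thread: it tallies this error by template and by hour from a ColdFusion log, so the occurrences can be lined up with scanner or crawler windows. It assumes the six-field quoted layout of the entry quoted above (severity, thread, date, time, application, message) with the template path inside the message; the sample lines are constructed from that entry and `summarize` is a hypothetical helper name.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

MARKER = "Cannot create a session after the response has been committed"
# Template path as it appears in the message text of the quoted entry.
TEMPLATE_RE = re.compile(r"files included or processed is:\s*(\S+)")

# Constructed sample, modelled on the single log entry quoted in the post above.
SAMPLE_LOG = '''"Severity","ThreadID","Date","Time","Application","Message"
"Error","ajp-nio-8016-exec-1","07/20/17","19:16:17","THECFAPP","Cannot create a session after the response has been committed null The error occurred on line -1. : The specific sequence of files included or processed is: /sitemaps/sitemap.cfm"
"Error","ajp-nio-8016-exec-4","07/20/17","19:16:41","THECFAPP","Cannot create a session after the response has been committed null The error occurred on line -1. : The specific sequence of files included or processed is: /sitemaps/sitemap.cfm"
"Information","ajp-nio-8016-exec-2","07/20/17","19:17:02","THECFAPP","Constructed unrelated entry"
"Error","ajp-nio-8016-exec-3","07/21/17","02:05:10","THECFAPP","Cannot create a session after the response has been committed null The error occurred on line -1. : The specific sequence of files included or processed is: /search/results.cfm"
'''


def summarize(log_text):
    """Return (count per template, count per hour) for the session error."""
    by_template = Counter()
    by_hour = Counter()
    # csv.reader copes with quoted fields, including commas inside the message.
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6 or MARKER not in row[5]:
            continue  # header row, short row, or a different message
        match = TEMPLATE_RE.search(row[5])
        template = match.group(1).rstrip("'\"") if match else "(unknown)"
        try:
            when = datetime.strptime(f"{row[2]} {row[3]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        by_template[template] += 1
        by_hour[when.strftime("%Y-%m-%d %H:00")] += 1
    return by_template, by_hour


if __name__ == "__main__":
    templates, hours = summarize(SAMPLE_LOG)
    for name, count in templates.most_common():
        print(f"{count:4d}  {name}")
    for hour, count in sorted(hours.items()):
        print(f"{count:4d}  {hour}")
```
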
Steve,
I'm new to the forums, but not ColdFusion. We experienced a similar problem and discovered that we needed to call cfabort immediately after we forwarded to another page, e.g. getPageContext().forward(). It isn't needed when doing a cflocation as that redirects to another page. I knew what was happening as I saw the same problem developing Java servlet apps. Hope this helps.
Sean
Thanks. I don't think we are using getPageContext().forward() or similar calls but I'll definitely have the developers check. When I was the developer of the site in question I know I didn't make direct java calls when CF had tags to do the same thing, but the site in question has been out of my control for years -- who knows what dangers lurk...

