We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions. We have put troubleshooting measures in place that display values when this occurs.
We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next). These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers. In most instances, if the user switches browsers, the same application works fine for them.
In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”. If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag. We would prefer not to do this for security reasons.
Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?
I've experienced similar behavior, always with IE and always when multiple browser tabs are open. Closing IE and restarting it works, provided my site is the first tab. I'm not certain if this is an IE bug or a CF bug, as it's been very difficult to debug and it's inconsistent -- sometimes it works fine with tabs open. If this is the same issue and someone knows of a solution, I would be very thankful.
Some additional information:
- If the user is in IE and selects "InPrivate Browsing", everything works fine.
- After deleting the user's profile and creating a new profile, everything works fine.
My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.
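The following Application.cfc is an added example (not code posted by anyone in this thread) that puts the three suggestions above together: a 20-minute sessionTimeout, cflogin/cfloginuser with loginStorage="session", getAuthUser() as the authentication test, and the onSessionStart/onSessionEnd hooks used to log every new session so the session-X-to-session-Y churn described above shows up in the logs with the CFID the browser actually sent. The application name, the login.cfm path, the j_username/j_password form fields, the validateCredentials helper and its constructed "alice" user record are all assumptions.

```cfml
<!--- Application.cfc (added example; not code from the thread) --->
<cfcomponent output="false">

    <cfset this.name = "sessionDemo">                          <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>  <!--- 20 minutes, per suggestion 1 --->
    <cfset this.loginStorage = "session">                      <!--- per suggestion 2 --->
    <cfset this.setClientCookies = true>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- constructed user record for the example; a real app would query its user store
              and use a salted, slow password hash rather than a bare SHA-256 --->
        <cfset application.users = structNew()>
        <cfset application.users["alice"] = { passwordHash = hash("correct horse", "SHA-256"), roles = "user" }>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- A new session means any session.user_id set earlier is gone. Logging here makes
              the "session X replaced by session Y" cycle visible. A non-empty cookieCfid that
              differs from session.cfid means the browser sent a CFID that no longer mapped to
              a live session (timed out, or a stray cookie for another path/domain). --->
        <cfset var cookieId = "">
        <cfif structKeyExists(cookie, "CFID")>
            <cfset cookieId = cookie.cfid>
        </cfif>
        <cflog file="sessiontrace" type="information"
               text="session started id=#session.sessionid# cfid=#session.cfid# cookieCfid=#cookieId# ua=#cgi.http_user_agent#">
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="true">
        <cflog file="sessiontrace" type="information"
               text="session ended id=#arguments.sessionScope.sessionid#">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var roles = "">

        <!--- The cflogin body runs only when no user is logged in for this session. The
              cflogin struct is filled from form fields named j_username and j_password
              (assumed names on the login form). --->
        <cflogin>
            <cfif isDefined("cflogin") and len(cflogin.name)>
                <cfset roles = validateCredentials(cflogin.name, cflogin.password)>
                <cfif len(roles)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
                </cfif>
            </cfif>
        </cflogin>

        <!--- getAuthUser() is "" until cfloginuser has run in this session; serve the login
              form in the same request instead of redirecting, so no cflocation (and no
              addtoken) is needed --->
        <cfif not len(getAuthUser()) and not findNoCase("login.cfm", arguments.targetPage)>
            <cfinclude template="login.cfm">                   <!--- assumed login form page --->
            <cfreturn false>                                   <!--- do not run the requested page --->
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Hypothetical helper: returns the user's roles on success, "" on failure --->
    <cffunction name="validateCredentials" access="private" returntype="string" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfif structKeyExists(application.users, arguments.username)
              and compare(hash(arguments.password, "SHA-256"),
                          application.users[arguments.username].passwordHash) eq 0>
            <cfreturn application.users[arguments.username].roles>
        </cfif>
        <cfreturn "">
    </cffunction>

</cfcomponent>
```

Two points about the design: the login form is included rather than cflocated to, so the credentials are posted back to the page the user originally asked for and no redirect (hence no addtoken) is involved; and the sessiontrace log lets you correlate a user's complaint with a "session started" line whose cookieCfid does not match the new session's cfid, which is the signature to look for before changing any application code.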