Mysterious Cookie / Session Problem

Explorer, Oct 18, 2007

I'm totally stumped!

Some users are having a problem with our site because CF can't seem to maintain the session. The users keep saying
their browsers are set to accept cookies but CF, for some reason, can't read them. I am having a hard time diagnosing
the problem because I can't recreate it. The website is accessed from two domains and the problem is only encountered
when someone tries to place something in the shopping cart.


The domains are:
nottinghillnotes.com
nottinghillnotes.co.uk

One user was kind enough to spend some of his time helping me. Here's what we have so far...

This particular user has Safari on a Mac (we've also received complaints from users with IE 6)
He verified his browser is set to accept cookies and even sent me a screenshot...
Screenshot 1 - Cookies in the Safari Browser


I had the user browse to a test page that just dumps out the cookie structure using the cfdump tag.
The request sent to the webserver included the proper cookies.
Here is part of the IIS log file:

cs(User-Agent):
Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X;+en)+AppleWebKit/522.11.1+(KHTML,+like+Gecko)+Version/3.0.3+Safari/522.12.1

cs(Cookie): TESTCOOKIE=Accepts%20cookies;+CFID=8270508;+CFTOKEN=17158764;+__utma=63962928.252568895.1191608199.1191608199.1191608199.1;+__utmc=63962928;+__utmz=63962928.1191608199.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);+SHOPPINGCARTID=DD899Y743NM;+__utmb=63962928

You can see that IIS received the proper cookie information. However, a screenshot of the page reveals that ColdFusion
doesn't see the cookies...
Screenshot 2 - Dump of Cookie Structure in Safari

I accessed the page from Firefox on a Windows box and everything worked just fine...
Here's part of the IIS log from my request...

cs(User-Agent):
Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.7)+Gecko/20070914+Firefox/2.0.0.7

cs(Cookie): __utmz=63962928.1191608834.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);+__utmb=63962928;+__utma=63962928.231190015.1191608834.1191608834.1191610125.2;+CFID=8271468;+CFTOKEN=89846209;+TESTCOOKIE=Accepts%20cookies;+__utmc=63962928;+SHOPPINGCARTID=GV872Z524NM

Here's my screenshot:
Screenshot 3 - Dump of Cookie Structure in Firefox

I did notice that the cookie strings in the IIS log files were in a different order. I don't know if that might have something to
do with it.

So anyone have some insight or suggestions?

FYI...
I've got a couple of test pages if anyone wants to give it a try. I'm hoping a couple of you have Safari on a Mac and can give
me some feedback.

If you visit the homepage first you'll get a couple of other cookies (TESTCOOKIE, SHOPPINGCARTID).
Here's a link to the cookie test page (courtesy Ben Nadel, Thanks Ben!)
Cookie Test Page

And here's a link to the page that dumps the cookie structure...
Dump of Cookie Structure

Thanks in advance for any help with this!!!

Edit: By the way, I had the Safari user delete the cookies in his browser a number of times. Each time he returned to the
site, the cookies were written properly to the browser. I also had him try both the .com address and the .co.uk address.
You can see both sets of cookies in the first screenshot above.



TOPICS
Advanced techniques

Views

1.8K
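
The two cs(Cookie) fields quoted in the post above can be compared mechanically. The following Python sketch is an added example, not code from the thread: it splits each logged field, checks that both requests carry the same cookie names, and tests every name and value against the RFC 6265 grammar. The function names, the list of required cookies and the choice of RFC 6265 as the yardstick are assumptions; the thread does not say what ColdFusion's parser accepts.

```python
import re

# Constructed from the two cs(Cookie) values quoted in the post above.
SAFARI = (
    "TESTCOOKIE=Accepts%20cookies;+CFID=8270508;+CFTOKEN=17158764;"
    "+__utma=63962928.252568895.1191608199.1191608199.1191608199.1;"
    "+__utmc=63962928;+__utmz=63962928.1191608199.1.1."
    "utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);"
    "+SHOPPINGCARTID=DD899Y743NM;+__utmb=63962928")
FIREFOX = (
    "__utmz=63962928.1191608834.1.1.utmccn=(direct)|utmcsr=(direct)"
    "|utmcmd=(none);+__utmb=63962928;"
    "+__utma=63962928.231190015.1191608834.1191608834.1191610125.2;"
    "+CFID=8271468;+CFTOKEN=89846209;+TESTCOOKIE=Accepts%20cookies;"
    "+__utmc=63962928;+SHOPPINGCARTID=GV872Z524NM")

# Cookies the site relies on according to the thread (assumed list).
REQUIRED = ("CFID", "CFTOKEN", "TESTCOOKIE", "SHOPPINGCARTID")
# RFC 6265 grammar: "token" for names, "cookie-octet" for values.
NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VALUE_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

def parse_logged_cookies(field):
    """Split an IIS cs(Cookie) field into ordered (name, value) pairs."""
    pairs = []
    for part in field.split(";"):
        part = part.lstrip("+")  # IIS logs the space after ';' as '+'
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs

def audit(field, required=REQUIRED):
    """Report what a parser could trip over in one logged Cookie header."""
    pairs = parse_logged_cookies(field)
    names = [n for n, _ in pairs]
    return {
        "names": names,
        "missing": [n for n in required if n not in names],
        "duplicates": sorted({n for n in names if names.count(n) > 1}),
        "bad_names": [n for n in names if not NAME_RE.match(n)],
        # A '+' in a logged value may have been a space on the wire.
        "suspect_values": [n for n, v in pairs
                           if "+" in v or not VALUE_RE.match(v)],
    }

def same_names_different_order(a, b):
    """True when two headers carry the same cookie names, reordered."""
    na, nb = audit(a)["names"], audit(b)["names"]
    return sorted(na) == sorted(nb) and na != nb
```

On the two logged fields this reports no missing, duplicated or out-of-grammar cookies; only the order of the names differs.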

LEGEND, Oct 18, 2007

You have done some good analysis and testing there so hopefully you can
get an answer. I think you may have already covered and ruled out some
of these potential problems, but I will list them so you can be sure.

As well as the browser itself, some anti-spam/advertising add on
software will block/scrub/eliminate cookies.

Additionally firewalls and proxy servers can affect this issue.

Your multiple domains may be a factor in this. That one of these agents
is disregarding the cookie because it considers it to be from a
different source.

HTH
Ian

Engaged, Oct 18, 2007

A few questions here:

1) How is your <cfapplication> tag set up? Can you provide a code snippet?
2) Are you using client vars? If so, where are you storing them (registry, db, etc.)?
3) Are you using the <cfcookie> tag anywhere? Or are you letting the <cfapplication> tag take care of everything?

One side-note: does your site use pop-up windows at all? I've seen pop-up blocker software (such as Yahoo) actually destroy/lose in-memory cookie data when opening a pop-up window that it actually intended to block. I was only able to reproduce this a year or two ago with very specific versions of Yahoo pop-up blocker (later versions appeared to fix the bug)

Explorer, Oct 18, 2007

My firm inherited this app. Initially there was no Application.cfm file. A "ShoppingCartID" cookie was set that corresponds
to records in a database table. I added an Application.cfm file with the following...
<cfapplication name="NottingHill" sessionmanagement="YES">

I've since changed it to...
<cfapplication name="NottingHill" sessionmanagement="YES" setclientcookies="NO">
and I set the CFID/CFTOKEN cookies manually so they are written to browsers as "session cookies" so they expire when
the browser closes.

I don't think the problem lies with ColdFusion's session management. Keep in mind... THE APPLICATION WORKS.
(Except, of course, for the times when it doesn't)

Every time someone tries to add an item to the shopping cart, I check for a cookie that was set on a page prior. (Every item
needs to be customized before adding it to the shopping cart so that's when I create my test cookie.) If the test cookie
doesn't exist when they add the item to the cart, they are redirected to the homepage where they are alerted that cookies
are required to use the site.

Here's the thing... Everyone that has called to complain says they have cookies enabled. In the IIS logs, I can confirm that,
sure enough, every time my cookie error has been thrown, the HTTP request has included the proper cookies. That is,
YES, the cookies were set on the client's browser and YES the cookies were included in the request because they exist in
the webserver's log. (That is, they weren't scrubbed by a proxy server or software on the client; they actually made it to
the webserver.)

I believe that, for whatever reason, IIS is not passing the cookies to ColdFusion OR ColdFusion cannot properly parse the
cookies that the webserver is handing off to it. I don't know exactly how it works behind the scenes but I do believe the
problem lies between ColdFusion and the webserver.

In the last week the error has been thrown for 9 unique IP addresses.
2 Mac Safari
1 IE 7 Vista
2 IE 7 XP
4 IE 6 XP

I've added some more changes to the site today. Now, if my cookie is not detected, I redirect to some diagnostic code
(based on Ben Nadel's code again). The diagnostic code redirects to itself a few times and checks to see if the CFID /
CFTOKEN values have changed. The result and other CGI variables are written to a database log and emailed to me then
the script redirects back to the home page and alerts the user that cookies couldn't be detected.

I'll let you guys know what I find. In the meantime, someone give me a reality check. Is my logic sound as far as what I
think is wrong? (i.e. the problem lies between CF and IIS and not between the browser and IIS)

Engaged, Oct 18, 2007

It's a shot in the dark, but I'd seriously recommend setting "setclientcookies" to "YES". All sites that I've worked on have done this, and it is still very possible to set "in-memory" cookies (such that they expire immediately when the browser is closed)

Explorer, Oct 18, 2007

quote:

Originally posted by: Grizzly9279
It's a shot in the dark, but I'd seriously recommend setting "setclientcookies" to "YES". All sites that I've worked on have done this, and it is still very possible to set "in-memory" cookies (such that they expire immediately when the browser is closed)



Thanks Grizz,
I'm pretty sure if you don't specify setClientCookies, it defaults to Yes regardless. I just ran a test to verify this; the cookies are written.

At any rate, for my problem, there hasn't been a single instance that I could verify where the cookies weren't written to the
client. If I set my browser to block cookies altogether I can recreate what happens to the users that have complained.
However, when I look at the IIS webserver logs, there is no http cookie string included from my request (which is
expected). This is not what happens in the other instances. In the users' instances, the http cookie string exists and
contains the correct cookie variables. ColdFusion doesn't recognize any cookie in this http request. I'm wondering if one
of the Google Analytics cookies (prefaced by ___utm...) is somehow malformed. Wonder if this would cause ColdFusion
to just ignore the entire cookie string.

Engaged, Oct 19, 2007

Well, for now, I'd leave "setClientCookies" on and see if your problem mysteriously disappears (e.g., users stop calling in complaining).

I highly doubt Google Analytics (Urchin) cookies would have anything to do with it; it's a fairly ubiquitous tracking platform. You never know though....

One other thing comes to mind: have you been able to get a sense of exactly how long these users are on the site before this happens? What do your session timeout settings look like?

You can control the ColdFusion session timeout settings via the CFADMIN, or from within the <cfapplication> tag itself. One thing to be cautious of however; JRun also has its OWN timeout setting that you could be battling with.

The /WEB-INF/web.xml file allows you to configure timeout settings, and you can read more on that here:
http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm

But what I'm getting at is, if the ColdFusion timeout settings are set to a higher value than the JRun session timeout settings, then you can end up with some rather strange lost session behavior. If not specified, the JRun session timeout should default to 30 minutes. I can't recall what the ColdFusion session timeout is set to by default.

In any event, I've run into a situation before where we had set our ColdFusion timeouts to 45 minutes, and the JRun timeouts were left at the default 30 minutes. If a user waited ~31+ minutes between clicks, we'd see some rather nasty error messages in the JRun logs, and I believe the user got dumped and assigned a new session.

Also, do you know if you're using J2EE session vars? Is your site hosted in a ColdFusion cluster? If so, we should review your cluster settings. If "sticky sessions" are not enabled, you could find users getting flip-flopped between cluster nodes, and session-replication could be failing (just one possibility).

Lots of stuff to think about...there's never one easy answer is there? :)

Community Beginner, Jun 15, 2022

Did you ever find a resolution for this problem? I am having the exact same problem...

Community Expert, Jun 15, 2022

Steve, how "exact"? You're also dumping the cookie scope and see no cfid or cftoken? Or do you just mean "people don't stay logged in" or something?

These kinds of problems often have many different possible causes, so diagnostics are vital to know what is or is not happening.

And had I seen this thread when it was started 15 years ago, I'd have proposed that the folks involved should have dumped the cgi.http_cookie var rather than the cookie scope. The former is what reflects what cf GOT from the client, while the latter can reflect what cf SET on the server.

Further, I'd have challenged them to do that in a page in its own folder with a blank application.cfm or .cfc, to avoid some impact from any other in a folder/s above it.

You also are not likely using the browsers referred to then, but please confirm both what ones you are seeing the problem with and also, when the problem happens for someone using one browser, does it happen also for that user in another, different browser?

And are these http or https requests? Are they all to the same domain or different subdomains? We could consider your cf admin settings for these session cookies, as well as your app's settings.

These problems involve LOTS of variables in the client and server side, as well as many moving parts.

The more you can share, the more likely we can try to piece together the evidence to get you to an explanation and solution to your particular problem.

/Charlie (troubleshooter, carehart.org)
