• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

new cfid with every refresh

Explorer ,
Dec 11, 2015 Dec 11, 2015

Copy link to clipboard

Copied

I updated a test server from ColdFusion 10 to ColdFusion 11 30 days Enterprise trail edition with update 7.

However, every time I hit refresh in my browsers, I get a new cfid. As a result, a valid session is not found so the login page doesn't work.

I checked the session in coldfusion admin page and my cookie in my browsers, they are both created correctly.

This is what I have in my application.cfm

<CFAPPLICATION NAME="TESTWEB"

  CLIENTMANAGEMENT="Yes"

  SETCLIENTCOOKIES="Yes"

  SESSIONMANAGEMENT="Yes"

  SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"

  SETDOMAINCOOKIES = "No">

However, when I open the page from the host computer, then the cfid doesn't get change everytime I hit refresh, so everything works.

During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed those code. The only other place would be in logout.

I am not using jsessionids, only coldFusion session id.

Timeout for all session variables is 7 days.

Any idea what can cause my problem?

Views

2.9K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Explorer , Dec 18, 2015 Dec 18, 2015

In ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables uncheck, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and  HTTPOnly is checked.


Do you think these setting are correct? This is where JEE session is set right?

Votes

Translate

Translate
Community Expert ,
Dec 11, 2015 Dec 11, 2015

Copy link to clipboard

Copied

dzhaos wrote:

This is what I have in my application.cfm

<CFAPPLICATION NAME="TESTWEB"

  CLIENTMANAGEMENT="Yes"

  SETCLIENTCOOKIES="Yes"

  SESSIONMANAGEMENT="Yes"

  SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"

  SETDOMAINCOOKIES = "No">

Timeout for all session variables is 7 days.

It is uncllear what the problem is. First you say sessions don't work, then you say they do.

In any case, you should switch to Application.cfc, using a more realistic value of sessiontimeout.

Application.cfc

<cfcomponent>

    <cfscript>

        this.name = "TESTWEB";

        this.applicationTimeout = "#createTimespan(1,0,0,0)#";

        this.clientManagement = "yes";

        this.clientStorage = "cookie";

        this.sessionManagement = "yes";

        this.sessionTimeout = "#createTimeSpan(0,0,20,0)#";

        this.setClientCookies = "yes";

        this.setDomainCookies = "no";

     </cfscript>

</cfcomponent>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 11, 2015 Dec 11, 2015

Copy link to clipboard

Copied

The session actually works when I am inside the computer that host the server, and I use the browser in there to connect to my website, then everything work.

However, if I am on another computer, and then go to my website, the session doesn't load. In both cases, I check my browser does contain the cfid cookie.

Does this make sense?

Thanks for taking your time to look at my problem.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 12, 2015 Dec 12, 2015

Copy link to clipboard

Copied

Thanks for the explanation. It is surprising that ColdFusion only writes the cfid cookie. What if you add this to your application file:

<cfif not structKeyExists(cookie,"cfid") or not structKeyExists(cookie,"cftoken")>

    <cfcookie name="cfid" value="#session.cfid#">

    <cfcookie name="cftoken" value="#session.cftoken#">

</cfif>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

Sorry, I am not clear in my explanation. What I meant before is my browser at least contain cfid cookie. It also contain cfid, cftoken, jessionid, hide_inactive, hide_inactive_project, hide_unimportant, search_block_size for my ColdFusion site cookies.

I have changed application.cfm to application.cfc, but I still have the same problem.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

Test with different browsers on the remote machine.

Delete the existing cookies and browser cache.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

Here is my test result:

Local machine:

chrome: cfid doesn't change with refresh - work

IE: : cfid doesn't change with refresh - work

Machine A (I have been testing on this machine, I cleaned the cache and cookie)

chrome: cfid change with refresh - doesn't work

firefox: cfid change with refresh - doesn't work

IE: cfid doesn't change with refresh - work


Machine B

chrome: cfid change with refresh - doesn't work

firefox: cfid doesn't change with refresh - work

IE: cfid doesn't change with refresh - work


Machine B

chrome: cfid doesn't change with refresh - work

firefox: cfid doesn't change with refresh - work

IE: cfid doesn't change with refresh - work


This is pretty weird. Have you seen this happen before? Any suggestion?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

I also find it weird. I have seen something similar before, but it occurred on the remote, as well as on the local, machine. I think it was caused by session fixation.

Why do you have Machine B twice?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

my mistake, last one is machine c

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 17, 2015 Dec 17, 2015

Copy link to clipboard

Copied

OK.

You said:

I am not using jsessionids, only coldFusion session id.

But later you added:

What I meant before is my browser at least contain cfid cookie. It also contain cfid, cftoken, jessionid,

Did you disable JEE sessions in the administrator?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 18, 2015 Dec 18, 2015

Copy link to clipboard

Copied

In ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables uncheck, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and  HTTPOnly is checked.


Do you think these setting are correct? This is where JEE session is set right?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 18, 2015 Dec 18, 2015

Copy link to clipboard

Copied

wow after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved, can you think of how J2EE session fixed my problem?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 18, 2015 Dec 18, 2015

Copy link to clipboard

Copied

dzhaos wrote:

wow after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved, can you think of how J2EE session fixed my problem?

I really can't say, to be honest. I am glad to hear that you can now work with sessions. Quite handy.

Using J2EE sessions is preferable to using CFID and CFToken. When you say your problem is solved, I hope you have been checking for a change in the jsessionid cookie. Coldfusion stops generating CFID and CFToken cookies when you enable J2EE sessions.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 21, 2015 Dec 21, 2015

Copy link to clipboard

Copied

LATEST

BKBK, thank you for all your help.

Yes, CFID and CFToken cookies are not longer in my browser. I have also replaced code that check for CFID in login and logout. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guide ,
Dec 18, 2015 Dec 18, 2015

Copy link to clipboard

Copied

As BKBK said, now that you are using J2EE session variables, the only cookie value that should be created is jsessionid.  It looks like ColdFusion will still create a SESSION.urltoken variable that includes CFID, CFTOKEN, and jsessionid as embedded parameters.  But I don't think the CFID or CFTOKEN are used anywhere else.  If you still see them within the COOKIE scope, flush your browser cache and delete the cookie(s) for your site.  On the next request, you should only see the jsessionid in COOKIE.

-Carl V.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 18, 2015 Dec 18, 2015

Copy link to clipboard

Copied

dzhaos wrote:

In ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables uncheck, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and  HTTPOnly is checked.


Do you think these setting are correct? This is where JEE session is set right?

Apllication timeout of 7 days ia all right.

I would set the sessiontimeout to 30 minutes.

Sessions could also be set in the XML configuration files. (I would advise anyone not to go there)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation