I updated a test server from ColdFusion 10 to the ColdFusion 11 30-day Enterprise trial edition with update 7.
However, every time I hit refresh in my browsers, I get a new cfid. As a result, a valid session is not found so the login page doesn't work.
I checked the session in the ColdFusion admin page and my cookie in my browsers; they are both created correctly.
This is what I have in my application.cfm
<CFAPPLICATION NAME="TESTWEB"
CLIENTMANAGEMENT="Yes"
SETCLIENTCOOKIES="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
SETDOMAINCOOKIES = "No">
However, when I open the page from the host computer, the cfid doesn't change every time I hit refresh, so everything works.
During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed that code. The only other place would be in logout.
I am not using jsessionids, only the ColdFusion session id.
Timeout for all session variables is 7 days.
Any idea what can cause my problem?
dzhaos wrote:
This is what I have in my application.cfm
<CFAPPLICATION NAME="TESTWEB"
CLIENTMANAGEMENT="Yes"
SETCLIENTCOOKIES="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
SETDOMAINCOOKIES = "No">
Timeout for all session variables is 7 days.
It is unclear what the problem is. First you say sessions don't work, then you say they do.
In any case, you should switch to Application.cfc, using a more realistic value of sessiontimeout.
Application.cfc
<cfcomponent>
<cfscript>
this.name = "TESTWEB";
this.applicationTimeout = "#createTimespan(1,0,0,0)#";
this.clientManagement = "yes";
this.clientStorage = "cookie";
this.sessionManagement = "yes";
this.sessionTimeout = "#createTimeSpan(0,0,20,0)#";
this.setClientCookies = "yes";
this.setDomainCookies = "no";
</cfscript>
</cfcomponent>
The session actually works when I am on the computer that hosts the server and I use the browser there to connect to my website; then everything works.
However, if I am on another computer, and then go to my website, the session doesn't load. In both cases, I check my browser does contain the cfid cookie.
Does this make sense?
Thanks for taking your time to look at my problem.
Thanks for the explanation. It is surprising that ColdFusion only writes the cfid cookie. What if you add this to your application file:
<cfif not structKeyExists(cookie,"cfid") or not structKeyExists(cookie,"cftoken")>
<cfcookie name="cfid" value="#session.cfid#">
<cfcookie name="cftoken" value="#session.cftoken#">
</cfif>
Sorry, I am not clear in my explanation. What I meant before is that my browser at least contains the cfid cookie. It also contains cfid, cftoken, jsessionid, hide_inactive, hide_inactive_project, hide_unimportant, search_block_size for my ColdFusion site cookies.
I have changed application.cfm to application.cfc, but I still have the same problem.
Test with different browsers on the remote machine.
Delete the existing cookies and browser cache.
Here is my test result:
Local machine:
chrome: cfid doesn't change with refresh - works
IE: cfid doesn't change with refresh - works
Machine A (I have been testing on this machine, I cleaned the cache and cookie)
chrome: cfid changes with refresh - doesn't work
firefox: cfid changes with refresh - doesn't work
IE: cfid doesn't change with refresh - works
Machine B
chrome: cfid changes with refresh - doesn't work
firefox: cfid doesn't change with refresh - works
IE: cfid doesn't change with refresh - works
Machine B
chrome: cfid doesn't change with refresh - works
firefox: cfid doesn't change with refresh - works
IE: cfid doesn't change with refresh - works
This is pretty weird. Have you seen this happen before? Any suggestion?
I also find it weird. I have seen something similar before, but it occurred on the remote, as well as on the local, machine. I think it was caused by session fixation.
Why do you have Machine B twice?
My mistake, the last one is Machine C.
OK.
You said:
I am not using jsessionids, only the ColdFusion session id.
But later you added:
What I meant before is that my browser at least contains the cfid cookie. It also contains cfid, cftoken, jsessionid,
Did you disable JEE sessions in the administrator?
In the ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables unchecked, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and HTTPOnly is checked.
Do you think these settings are correct? This is where JEE session is set, right?
Wow, after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved. Can you think of how J2EE session fixed my problem?
dzhaos wrote:
Wow, after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved. Can you think of how J2EE session fixed my problem?
I really can't say, to be honest. I am glad to hear that you can now work with sessions. Quite handy.
Using J2EE sessions is preferable to using CFID and CFToken. When you say your problem is solved, I hope you have been checking for a change in the jsessionid cookie. ColdFusion stops generating CFID and CFToken cookies when you enable J2EE sessions.
BKBK, thank you for all your help.
Yes, CFID and CFToken cookies are no longer in my browser. I have also replaced the code that checks for CFID in login and logout.
As BKBK said, now that you are using J2EE session variables, the only cookie value that should be created is jsessionid. It looks like ColdFusion will still create a SESSION.urltoken variable that includes CFID, CFTOKEN, and jsessionid as embedded parameters. But I don't think the CFID or CFTOKEN are used anywhere else. If you still see them within the COOKIE scope, flush your browser cache and delete the cookie(s) for your site. On the next request, you should only see the jsessionid in COOKIE.
-Carl V.
dzhaos wrote:
In the ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables unchecked, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and HTTPOnly is checked.
Do you think these settings are correct? This is where JEE session is set, right?
Application timeout of 7 days is all right.
I would set the sessiontimeout to 30 minutes.
Sessions could also be set in the XML configuration files. (I would advise anyone not to go there)
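
Editor's added example (not code from any poster in this thread): the symptom discussed above, a new cfid on every refresh while the browser still shows a cfid cookie, can come from the client not returning the cookie or from the server replacing an id it was sent. This Python sketch separates the two cases from request/response header pairs copied out of the browser's network tab; the sample exchanges and all cookie values are constructed.

```python
from http.cookies import SimpleCookie

SESSION_COOKIES = ("cfid", "cftoken", "jsessionid")
NOT_SENT = "client did not send the cookie back"
REPLACED = "server replaced the id the client sent"

def cookie_values(header):
    """Parse a Cookie or Set-Cookie header into {lowercased name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name.lower(): morsel.value for name, morsel in jar.items()}

def diagnose(exchanges):
    """exchanges: list of (request Cookie header, [response Set-Cookie headers]).

    Returns (request number, cookie name, finding) tuples for every request
    where a session cookie was dropped by the client or reissued by the server.
    """
    findings = []
    issued = {}  # cookies the server has already handed out in this capture
    for n, (sent_header, set_cookie_headers) in enumerate(exchanges, 1):
        sent = cookie_values(sent_header)
        received = {}
        for header in set_cookie_headers:
            received.update(cookie_values(header))
        for name in SESSION_COOKIES:
            new = received.get(name)
            if name in issued and name not in sent:
                findings.append((n, name, NOT_SENT))
            elif name in sent and new is not None and new != sent[name]:
                findings.append((n, name, REPLACED))
            if new is not None:
                issued[name] = new
    return findings

# Constructed captures: first request of a fresh browser, then one refresh.
HEALTHY = [
    ("", ["CFID=1001; Path=/; HttpOnly", "CFTOKEN=aaa111; Path=/; HttpOnly"]),
    ("CFID=1001; CFTOKEN=aaa111", []),
]
REISSUED = [
    ("", ["CFID=2001; Path=/; HttpOnly", "CFTOKEN=bbb222; Path=/; HttpOnly"]),
    ("CFID=2001; CFTOKEN=bbb222",
     ["CFID=2002; Path=/; HttpOnly", "CFTOKEN=ccc333; Path=/; HttpOnly"]),
]
NOT_RETURNED = [
    ("", ["CFID=3001; Path=/"]),
    ("", ["CFID=3002; Path=/"]),
]

if __name__ == "__main__":
    for label, capture in (("healthy", HEALTHY), ("reissued", REISSUED),
                           ("not returned", NOT_RETURNED)):
        print(label, diagnose(capture))
```

A "not sent" finding points at the browser side (cookie domain, path or browser policy), while a "replaced" finding points at the server's session handling.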