Session scope error while accessing Administrator after installing ColdFusion 2018 Update 9

After applying Update 9 somehow Default Timeout for Application variables was set to 0 for all - Days, Hours, Minutes, and Seconds. I set Default Timeout to 1 Hour and everything started working without any issues. And having HTTPS enabled for CF Administrator is not a bad thing anyway.

GiedriusV,  I've never heard that happen with any CF update, let alone this latest one. And given what this latest update does, I can't myself see how that would be an effect. Have you done anything to prove that it happened for sure, or more than once?

Also, what do you mean about "having HTTPS enabled for CF Administrator"? That also is not a feature of this or any CF update, nor related to application timeouts, nor it it enabled by default?

I don't ask these questions to scold. Rather it's just to get clarification for you and anyone else who may read this.

Ah, I see now that you had said in your first post that it was you who enabled the https for the CF Admin. You also said there that you were having CF session var problems.

Again, I don't see how either enabling https would get around a CF session issue, let alone how what you report about applicationmanagement would have anything to do with session management--except that I suppose if your applications did not "live" for more than a second, and since sessions are tied to an application, perhaps that's what was happening. But wow, I really would not see how a CF update would cause that.

One last thing: did you check the CF update log, to make sure there was no error in the CF update install log? I discuss more about finding that here: https://coldfusion.adobe.com/2019/03/problems-applying-cf-update-check-first/

Charlie, I am baffled myself.

Prior to installing Update 9, the Coldfusion 2018 was running Update 8. I could successfully login to Administrator. Before the upgrade I noticed that Secure Cookie checkbox was unchecked, so I checked it and submitted changes. Then I proceeded to install Update 9.

After the update I could not login to Coldfusion Administrator.

Non-secure default HTTP URL at port 8500 would give me session scope error right away. Not even login form.

I could not figure out what was happening. So I reverted to Update 8. Everything worked fine and I could log back into Coldfusion Administrator. I verified the settings again, all looked good. That's when I thought that Update 9 had an error or something the first time. So I thought I will reinstall it. After reinstalling Update 9, again I could not login to Coldfusion Administrator. Same session scope error on default URL port 8500.

That's when I started to think that it was possible that CF Admin needed HTTPS connection due to enabling Secure Cookie. I configured Tomcat to listen on HTTPS port 8443, changed neo_security.xml file to allow remote IP connection so I could use different workstation than being on the server directly. I thought server GPOs were too strict.

I was able to login to CF Admin that way, but I would get a session scope error in enter.cfm and had to change the URL from enter.cfm to index.cfm. So at that point it looked ok, but the same session scope error would happen during login at enter.cfm page during every login.

I looked at J2SEE Session, Session, and Application variable settings, they were enabled, but that was when I noticed that Default Timeouts were all at 0.

Honestly, I have no idea when the settings changed. I never set Defaults to 0. Besides I had no issues with Update 8. It all happened after installing 9. As I mentioned before, I reverted to 8, and CF Admin worked. 

At this point everything is working just fine, but it took me a while to figure out what was happening. 

Well, now that is new information. Let's talk first about your having changed the "secure cookie" setting. You say you did that just before trying the update in the first place. Can you share why you did that? 

Having that enabled cause CF to create its internally generated cookies (CFID, CFTOKEN, etc.) with a property such that the cookie could only be sent back to the server IF the browser request was made over https. It's possible that confusion arose related to that. But again, if you had no particular reason to set it, what if you unset it? Even if just to see if things clear up?

Also, either way, did you try a browser other than the one you were in, when this happened? Or did you try clearing your cookies for the domain used for your CF Admin? 

Finally, as for the memory variables timeouts, again, the updates don't change that. I have now applied the update on multiple machines and have NOT seen that. Also, you could search through the files saved by the update to see if any were the neo-runtime.xml (which holds those values). If the update changes any file, it backs it up to the backup directory of the folder created for each update, within the cfusion/hf-updates folder. If you don't see one there, I would highly doubt that the update made that change.

Have you confirmed this problem on any other machine? (Again, I have not. But you should prove things for yourself.)

You certainly don't want to be stuck at not being able to apply updates. If you feel like you find no solution, then report this to the address cfinstal@adobe.com, and they will try to help sort things out.