Cannot create a session after the response has been committed

Report · Dec 04, 2017

Windows 2016 Server

MSSQL Web Edition 2017

Coldfusion 2016 - 2016.0.05.303689, Tomcat - 8.5.11.0

IIS 10.0.14393.0

I randomly get an error emailed to me from multiple sites (see below) how can I resolve this? No other information is provided to solve the problem. We did check "Use J2EE session variables" because we need them for a project and then this started to happen. A google search reveals that this could be the issue. Anyone have a solution on how to keep this setting and not get this error?

Cannot create a session after the response has been committed

Type:java.lang.IllegalStateException

StackTrace:

java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:2955) at org.apache.catalina.connector.Request.getSession(Request.java:2368) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:1042) at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:1141) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:415) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151) at coldfusion.CfmServlet.service(CfmServlet.java:219) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at sun.reflect.GeneratedMethodAccessor61.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:224) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at com.seefusion.Filter.doFilter(Filter.java:92) at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:474) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at com.seefusion.SeeFusionValve.invoke(SeeFusionValve.java:52) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:363) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)

Report · Dec 05, 2017

We've been occasionally seeing a flood of these (everything is fine for weeks, then one day we'll get a flood of them for the whole day, then it goes back to normal for a few weeks.) We have not been able to track down the cause. I hope someone has some insight into this and can share it, here.

V/r,

^ _ ^

Report · Dec 08, 2017

An idea. Might this be the result of a request coming in without a session ID? We could test the idea by putting the following condition in onRequestStart, just before the return-statement:

</cfif>

Report · Dec 28, 2017

Hi, BKBK,

I just tried this on my application, and I'm still getting the error message "Cannot create session after the response has been committed".

Matter of fact, the weird thing is that everything was smooth, yesterday, in our DEV environment; but this morning, every time I submit a form, I get this message. Nothing changed between last night and this morning, so I'm really confuzzed by it.

Any thoughts?

V/r,

^ _ ^

Report · Dec 28, 2017

Adding a CFDUMP from the error page. Apparently, something is triggering an error, but the error template is never displayed, even though the email is sent. ???

EXCEPTION - struct

Message

Cannot create a session after the response has been committed

StackTrace

java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:3044) at org.apache.catalina.connector.Request.getSession(Request.java:2416) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:897) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229) at coldfusion.runtime.AppHelper.setupJ2eeSessionScope(AppHelper.java:976) at coldfusion.runtime.AppHelper.setupSessionScope(AppHelper.java:1069) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:361) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:112) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155) at coldfusion.xml.rpc.CFCServlet.doPost(CFCServlet.java:331) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:450) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:197) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:722)

Suppressed

EXCEPTION - array [empty]

TagContext

EXCEPTION - array [empty]

Type

java.lang.IllegalStateException

SESSION - struct
ERROREMAIL	[redacted]
MSGTMPLT	false

CGI - struct
AUTH_PASSWORD	[empty string]
AUTH_TYPE	[empty string]
AUTH_USER	[empty string]
CERT_COOKIE	[empty string]
CERT_FLAGS	[empty string]
CERT_ISSUER	[empty string]
CERT_KEYSIZE	[empty string]
CERT_SECRETKEYSIZE	[empty string]
CERT_SERIALNUMBER	[empty string]
CERT_SERVER_ISSUER	[empty string]
CERT_SERVER_SUBJECT	[empty string]
CERT_SUBJECT	[empty string]
CF_TEMPLATE_PATH	[redacted]\components\ERC.cfc
CONTENT_LENGTH	3581
CONTENT_TYPE	application/x-www-form-urlencoded; charset=UTF-8
CONTEXT_PATH	[empty string]
GATEWAY_INTERFACE	[empty string]
HTTPS	off
HTTPS_KEYSIZE	[empty string]
HTTPS_SECRETKEYSIZE	[empty string]
HTTPS_SERVER_ISSUER	[empty string]
HTTPS_SERVER_SUBJECT	[empty string]
HTTP_ACCEPT	/
HTTP_ACCEPT_ENCODING	gzip, deflate
HTTP_ACCEPT_LANGUAGE	en-US,en;q=0.5
HTTP_CONNECTION	keep-alive
HTTP_COOKIE	CFGLOBALS=urltoken%3DCFID%23%3D83547%26CFTOKEN%23%3D274d333caa66e363%2D6F736CE5%2DD431%2DE4E1%2DF52E8925EFF37246%26jsessionid%23%3DC5072E611469A9C02D101B4BDB8F7151%2Ecfusion%23lastvisit%3D%7Bts%20%272017%2D12%2D28%2011%3A13%3A26%27%7D%23timecreated%3D%7Bts%20%272017%2D06%2D08%2009%3A47%3A50%27%7D%23hitcount%3D3559%23cftoken%3Dd7f223c9ef76c2e7%2D2A7AA293%2D093B%2D9F4A%2D027D67AA8F07B549%23cfid%3D18881%23; CFID=Z3s74zilmdrhg6d0o8ssfrtrhsplrrfhk7wkt92pyp1639kitea-83547; CFTOKEN=Z3s74zilmdrhg6d0o8ssfrtrhsplrrfhk7wkt92pyp1639kitea-274d333caa66e363-6F736CE5-D431-E4E1-F52E8925EFF37246; CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fsecurity%2Fcfrdspassword%2Ecfm; JSESSIONID=C5072E611469A9C02D101B4BDB8F7151%2Ecfusion
HTTP_HOST	[redacted].mil
HTTP_REFERER	http:// [redacted]/common/trans_form_new.cfm
HTTP_URL	[empty string]
HTTP_USER_AGENT	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
LOCAL_ADDR	[redacted].mil
PATH_INFO	[empty string]
PATH_TRANSLATED	[redacted]\components\ERC.cfc
QUERY_STRING	method=[redacted]
REMOTE_ADDR	[redacted].203
REMOTE_HOST	[redacted].203
REMOTE_USER	[empty string]
REQUEST_METHOD	POST
SCRIPT_NAME	[redacted]/components/ERC.cfc
SERVER_NAME	[redacted].mil
SERVER_PORT	80
SERVER_PORT_SECURE	0
SERVER_PROTOCOL	HTTP/1.1
SERVER_SOFTWARE	[redacted]
WEB_SERVER_API	[empty string]

Report · Dec 28, 2017

Hi WolfShade

Curious. What was the result of logging the absence of a session ID, as I suggested earlier?

Report · Dec 28, 2017

wrote
Hi
Curious. What was the result of logging the absence of a session ID, as I suggested earlier?

It's not logging anything.

V/r,

^ _ ^

Report · Dec 28, 2017

Here's another weird thing: the form has the ability to dynamically add form elements by clicking an "ADD ITEM [+]" button; it adds fields for shipping items. If I submit with one or two individual items, no problem. As soon as I add a third, I get the session error message.

???

V/r,

^ _ ^

CORRECTION: It gives me a page cannot be displayed error, not the session error. SMH.

Report · Dec 30, 2017

WolfShade wrote
Here's another weird thing: the form has the ability to dynamically add form elements by clicking an "ADD ITEM [+]" button; it adds fields for shipping items. If I submit with one or two individual items, no problem. As soon as I add a third, I get the session error message.

Thanks for the PM.

It appears that, during the dynamic events at the client, ColdFusion inadvertently receives a request, processes it and sends back a response header. That is, it commits a response while still composing the output for the request. Hence the IllegalStateException.

If so, then you can try the following desperate workaround. Put at the beginning:

It tells ColdFusion to flush the output after a relatively large number of bytes is available.

Caveat: There are a number of warnings you should be aware of when using cfflush. Check out the cfflush documentation.

Report · Dec 28, 2017

You should report what you observe as a ColdFusion/Tomcat bug.

Report · Dec 28, 2017

Nevermind.. I finally figured out what is going wrong. I'll PM you the details.

V/r,

^ _ ^

Report · Jan 03, 2018

We changed vulnerability scanning providers and this error popped up.

Took a while to get this far, but it looks like if I post some invalid data as a post using fiddler to our cf app it throws that error (curl was able to reproduce the problem too).

--------- post from fiddler using 'raw' and don't forget the two carriage returns and last period (.)--------------------

POST https://[yoursite.com]/ HTTP/1.1

Connection: keep-alive

Content-Length: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.6 Safari/534.57.2

Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Referer: http://www.qualys.com/was/

.

-------------------------- / end --------------------------------------

If you change that last period to something more like a form submission, like:

name=foo

...then it seems to work fine...if you're having trouble getting the data that's being posted, try getting dumping GetHttpRequestData()*

* if you dump that GetHttpRequestData() and look at GetHttpRequestData().content you might see just a string, BUT there might be a null (or other control characters) in there which I think is what's causing our problem.Â To find the null I needed to something like:

I could then see the string that was posted and the base64 encoded version of the string which would help find any.... odd characters that could be be getting dropped because of character sets, trimming, etc.Â Â Â In notepad++ I was able to see the null value, but decoding the base64 string also showed a extra character in the post.

Adobe Community

Cannot create a session after the response has been committed