This is an older CRM application using CF 9 that hasn't been changed in over a year.
As of Sunday between the hours of 8 AM and 4 PM cftoken/cfid disappear in the middle of loading the dashboard. 2/3 of the content appears and then the cfid/cftoken disappear. It only occurs at very specific times of the day.
Any ideas?
By what means are you observing it "there" and then "gone"? These are cookies. Do you mean that you are looking at the cookie variables for these? And at one point they are there and then gone? Or do you mean the session scope variables for these? Or might you mean some local variable that you have copied them to?
All this matters, in terms of how/why they may seem to "disappear".
And what is "the dashboard" you are referring to?
Charlie-
In the debug output at the bottom of the page in the variables. There is a frame on the left side that loads a list of links where when you view the debug output cfid/cftoken are there. In the next frame, once it loads there is missing data and in the debug output cfid/cftoken are not there.
--- AFTER 4 ---
Client Vars - struct
accexeclist [empty string]
cfid 3402033
cftoken 5f154dbbdb5e6f1d-42129768-E35A-4774-6B0C2C3E013ADA55
communitylist [empty string]
daterange [empty string]
disptype [empty string]
hitcount 51
insearch false
lastvisit {ts '2018-02-21 16:02:26'}
loggedin 1
reporttype [empty string]
rid 130213115149657336576
rtype 1
searchtables records
searchwhere records.aid = 1234
sendstatus 1,4,10,11
show [empty string]
showwarrantytasks 0
timecreated {ts '2018-02-21 15:59:24'}
timezone -1
urltoken CFID=3402033&CFTOKEN=5f154dbbdb5e6f1d-42129768-E35A-4774-6B0C2C3E013ADA55&jsessionid=8430d582544056697ab964683c7d2a50c777
--- AFTER 8 AND BEFORE 4 ---
Client Vars - struct
accexeclist [empty string]
communitylist [empty string]
daterange [empty string]
disptype [empty string]
hitcount 27
insearch false
lastvisit {ts '2018-02-21 15:59:23'}
loggedin 1
reporttype [empty string]
searchtables records
sendstatus 1,4,10,11
show [empty string]
showwarrantytasks 0
timecreated {ts '2018-02-21 15:58:21'}
timezone -1
The dashboard is just the landing page after login.
OK, so lots to consider. If it was easy, you wouldn’t be asking for help, right?
1) First, I’ll just say up front that you speak of these things (that debug output, and the dashboard) as if those are things that come with CF. They are not, right? They are things you guys have created? (If you may just be a “user” of your CF app, and only see what is on screen, and don’t have any idea about CFML coding and the like, I realize you may not know either way. Just had to ask.) The rest that follows will presume you are at least a CF developer.
2) As for what’s “gone”, you focus on “the cfid/cftoken”, but do you see that it shows it’s dumping the client variables scope, specifically? And it’s not just “the cfid/cftoken” that are gone, but all the listed variables are empty.
Now, the first thing that’s odd (to me) is that if it’s a dump of the client scope, then if it was that the client scope was truly “gone/removed”, then there should be NOTHING in the dump. Not variables that are empty. So that seems like something is setting them empty. CF would not do that.
But perhaps more interesting, for your question, is that I notice in the two groups, the lastvisit variable is different. The first one is later than the second. This variable is a built-in one, which CF uses to track when the “client” (someone sending a given CFID/CFTOKEN cookie pair) was last on your site. And there’s a timecreated variable also, which differs. I don’t recall that being a built-in client variable. It could be, or it could be something you guys put in the client scope. Anyway, it too is later in the first than the second.
What’s also odd is the hitcount (another built-in variable, tracking how often a visitor sending a given cfid/cftoken pair has visited any CF page in your app). I notice that it’s 51 in the first, and 27 in the second.
3) But the MOST important thing (and what I guess you are really referring to) is that in the first, there is a cfid and cftoken, as well as urltoken. These, too, are built-in client variables (and session variables). They should be populated with whatever cookie was passed into the request. (Or I should add as well that one can pass those in as URL variables, but that’s less common.)
But the fact that there are none at all is odd. And I know that’s what you’re asking about. I’m saying it’s odd that they are gone but these other built-in variables (lastvisit and hitcount) are there, if there’s no cfid/cftoken.
4) It would be useful for you to add to your debugging a dump of both the cookie scope and the URL scope (to see if they are in there). If they are, then they are gone from the client scope, you could figure out how that happened. If they are not there at all, it again begs the question where they went. And I will share that you can also dump the cgi.http_cookie variable. That really shows what cookie(s), if any, were PASSED in to the request, regardless of what the client scope may suggest.
5) One last thing: while you say the app has not changed in over a year, I wonder if perhaps someone applied CF9 updates on the server, whether a hotfix or cumulative hotfix. I have a blog post on how to find out what updates have been applied, if you have access to the server where CF is installed, and the file system, to look at the coldfusion9 folder. See http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied. If the date created (not the date modified) of the files in the coldfusion9\lib\updates folder might be recent, that could be what happened.
The point is that there are certain CF updates (from the CF8/9 timeframe) that changed some aspects of handling of the incoming cfid/cftoken pairs, though related more to preventing a problem called “session fixation”. Still, both client vars and session vars leverage the same cfid/cftoken, as long as “j2ee sessions” are not enabled in the CF admin.
I realize your head may be swimming, if you’re just a developer and not an admin (and worse, if you are just a user of the app in question). I can’t know, so I’m giving you info that may help you, or perhaps someone else you work with who can take this info and run with it.
But hopefully you can at least add (or get someone to add) the extra debugging I suggested above.
Hope that helps.
/charlie
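The extra debugging suggested in point 4 above, as an added example that is not part of the original thread or the application's own code: it records, per request, whether the CFID/CFTOKEN pair arrived in the raw Cookie header, the cookie scope, the URL scope and the client scope. It assumes it is included at the end of every request (for example from OnRequestEnd.cfm); the log name cfid_diag and the variable names are hypothetical. Because the pair identifies the visitor's session, it logs a short hash of it instead of the values.

```cfml
<!--- Added diagnostic sketch (not from the thread). Assumption: included at the
      end of every request, e.g. from OnRequestEnd.cfm. --->
<cfset rawCookie = cgi.http_cookie>
<cfset inRaw    = findNoCase("CFID=", rawCookie) GT 0 AND findNoCase("CFTOKEN=", rawCookie) GT 0>
<cfset inCookie = isDefined("cookie.cfid") AND isDefined("cookie.cftoken")>
<cfset inUrl    = isDefined("url.cfid") AND isDefined("url.cftoken")>
<cfset inClient = isDefined("client.cfid") AND isDefined("client.cftoken")>

<!--- Short fingerprints let log lines be correlated without writing the token itself. --->
<cfset cookieFp = "none">
<cfset clientFp = "none">
<cfif inCookie>
  <cfset cookieFp = left(hash(cookie.cfid & ":" & cookie.cftoken, "SHA-256"), 8)>
</cfif>
<cfif inClient>
  <cfset clientFp = left(hash(client.cfid & ":" & client.cftoken, "SHA-256"), 8)>
</cfif>

<!--- hitcount is the built-in counter discussed above; it may exist without cfid/cftoken. --->
<cfset hits = "n/a">
<cfif isDefined("client.hitcount")>
  <cfset hits = client.hitcount>
</cfif>

<!--- Flag requests where the client scope lacks the pair or disagrees with the cookie. --->
<cfset severity = "information">
<cfif NOT inClient OR (inCookie AND cookieFp NEQ clientFp)>
  <cfset severity = "warning">
</cfif>

<!--- Written to cfid_diag.log in the ColdFusion logs directory, with a timestamp per entry. --->
<cflog file="cfid_diag" type="#severity#"
       text="page=#cgi.script_name# raw=#inRaw# cookie=#inCookie# url=#inUrl# client=#inClient# cookieFp=#cookieFp# clientFp=#clientFp# hitcount=#hits#">
```

The timestamps on the log entries make it possible to line the warnings up against the 8 AM to 4 PM window described in the question.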