SESSION variables across subdomains. How to make them visible?

I created two files:

http://www.viaromania.eu/create_session.cfm

<cfset SESSION.test_session = "Hello SESSION!">

<cfoutput>#SESSION.test_session#</cfoutput>

http://litoral.viaromania.eu/test_session.cfm

<cfif IsDefined("SESSION.test_session")>

     <cfoutput>#SESSION.test_session#</cfoutput>

<cfelse>

     SESSION.test_session is not defined!

</cfif>

Click on the first link and you'll see the session value displayed.

Then click on the second link, and you'll see the session variable is not defined.

Did you not see my post?

I have changed the files to create one SESSION variable, and one COOKIE. Seems that the COOKIE is visible from the subdomain, but the SESSION is not. Here are the two files again:

http://www.viaromania.eu/create_session.cfm

<cfset SESSION.test_session = "Hello SESSION!">

<cfcookie name="test_cookie" value="#Now()#" domain=".viaromania.eu">

<cfoutput>

<p>SESSION.test_session = #SESSION.test_session#</p>

<p>COOKIE.test_cookie = #COOKIE.test_cookie#</p>

</cfoutput>

http://www.viaromania.eu/test_session.cfm (notice the link is accessing the file from the main domain, not the subdomain)

<p>

<cfif IsDefined("SESSION.test_session")>

<cfoutput>SESSION.test_session = #SESSION.test_session#</cfoutput>

<cfelse>

SESSION.test_session is not defined!

</cfif>

</p>

<p>

<cfif IsDefined("COOKIE.test_cookie")>

<cfoutput>COOKIE.test_cookie = #COOKIE.test_cookie#</cfoutput>

<cfelse>

COOKIE.test_cookie is not defined!

</cfif>

</p>

If you access the test file from the subdomain - click here: http://litoral.viaromania.eu/test_session.cfm it will see the COOKIE but not the SESSION...

So, you're right! The COOKIE is visible but the session not! Any ideas why?

Adrian.

I think you need to explicitly create the CFID and CFTOKEN cookie variables if you're doing this. Try putting these in your onRequestStart() method:

<cfcookie name="CFID" value="#session.cfid#" expires="#CreateTimeSpan(0,2,0,0)#">
<cfcookie name="CFTOKEN" value="#session.cftoken#" expires="#CreateTimeSpan(0,2,0,0)#">

If you've got setDomainCookies=true set, that should set a cookie which can be read by both.

I have Use J2EE session variables checked in my CF Administrator. I am using SESSIONID to identify my clients. Do you think this can cause any problems?

As far as I know, if you check Use J2EE session variables I think the CF is not creating CFID and CFTOKEN anymore. Is this related in any way to the "regular" custom SESSION variables?

Honestly can't remember, but I think you need to do those CFCOOKIE statements for whichever cookies your site needs. What cookies are actually being created in your browser when you log in or browse?

When users log in I create a structure like this:

<cfset SESSION.user = StructNew()>

<cfset SESSION.user.id = 1>

<cfset SESSION.user.first_name = "John">

...

and so on...

Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not.

I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are:

MacLaeod wrote: When users log in I create a structure like this: <cfset SESSION.user = StructNew()> <cfset SESSION.user.id = 1> <cfset SESSION.user.first_name = "John"> ... and so on... Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not. I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are: struct sessionid 843015a72de57aed8908547581a1b2d2e511 urltoken CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA4183 9AE&jsessionid=843015a72de57aed8908547581a1b2d2e511

Compare the values of urltoken for domain and subdomains. What's the result?

Domain:

CFID=960503&CFTOKEN=108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40&jsessionid=8430764f68488d6b51712455263c2e3d4557

Subdomain:

CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511

Right, stop flapping about with sessions and investigate the cookies as I said in the first post.

Have you looked at the actual cookies you're being given by the applications to your browser?

Here is the result of a <CFDUMP VAR="#COOKIE#">

Domain:

CFID 960503

CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40

JSESSIONID 843015a72de57aed8908547581a1b2d2e511

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Subdomain:

CFID 4788774

CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE

JSESSIONID 8430764f68488d6b51712455263c2e3d4557

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Notes:

- TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain;

- CFID and CFTOKEN, generated by the server, are different for each subdomain;

No, the *ACTUAL* cookies. In your browser. Take a look at what a CF app gives you, then you know what you need to replicate.

Domain cookies:

Subdomain cookies:

Right, and from that you can clearly see you're not having a domain cookie set for JSESSIONID.

Therefore edit the CFCOOKIE statements I put up earlier to stick the JSESSIONID into a cookie, and put that into your onRequestStart.

The application was started before Application.CFC started to be popular so it's still using old Application.cfm

Any idea how to use onRequestStart() with Application.cfm?

Not sure I'm afraid, I've only ever used .cfc. I'd imagine Google is your friend.

Anyhow, what are you suggesting is using COOKIES instead of SESSIONS to check if the user is logged in or not?

No, absolutely not - you need both. In order for ColdFusion to match a user up with a session, it requires that your browser send it a cookie (in your case JSESSIONID). It looks for a session matching that ID, and if it finds one you now have a session scope.

If the browser is not sending back a valid cookie, CF will start you a new session, and you will not be logged in. Making sure each application sends the same JSESSIONID to the browser in a cookie, and that it is a *domain* cookie, should allow you to share session scopes between subdomains.

I think I got the idea! Thank you so much for your help! That's a good start, making sure the same JSESSIONID is shared between all subdomains.

Any idea how to use onRequestStart() with Application.cfm?

You can't.  But Application.cfm is basically analogous to onRequestStart() anyhow: it runs at the beginning of every request.

--

Adam

MacLaeod wrote: The application was started before Application.CFC started to be popular so it's still using old Application.cfm Any idea how to use onRequestStart() with Application.cfm?

There is no such method for Application.cfm. In fact, it is unnecassary, as Application.cfm is designed to run when the request starts. you could therefore just put the request code in Application.cfm.

Besides, I would advise you to schedule using Application.cfc later. It is of central importance to the application. Hence, I would make it a project in its own right.

MacLaeod wrote: Here is the result of a <CFDUMP VAR="#COOKIE#"> Domain: CFID 960503 CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40 JSESSIONID 843015a72de57aed8908547581a1b2d2e511 TEST_COOKIE {ts '2011-06-17 05:35:32'} Subdomain: CFID 4788774 CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE JSESSIONID 8430764f68488d6b51712455263c2e3d4557 TEST_COOKIE {ts '2011-06-17 05:35:32'} Notes: - TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain; - CFID and CFTOKEN, generated by the server, are different for each subdomain;

This comparison shows you what your problem is. The session cookies in domain and subdomain are different.

My advice is: don't use or even mention CFID and CFTOKEN. Use only JSESSIONID. After all, that is what you've elected to use in the Administrator.

Thank you guys!

I just placed this code <cfcookie name="JSESSIONID" domain=".viaromania.eu" value="#SESSION.sessionid#"> in the Application.cfm file, closed the browser then started the test.

It works fine! It recognize the sessions across the subdomains and it shows me I am logged in no matter what subdomain I am accessing!

Thank you once again for your time and effort! You saved my day!