Hi everybody!
I have a website and for some reasons, many subdomains, as part of the same website. Some kind of mainstore.com and phones.mainstore.com, laptops.mainstore.com, and so on.
The problem I am facing is I can't make SESSION variables (and COOKIES) visible between them. If I login from the first page (mainstore.com) everything is ok, but if I then navigate to phones.mainstore.com, the website is showing me I am not logged in, of course, because SESSION variable used to check if a user is logged in or not is not visible on that subdomain.
I read a lot of articles about this problem, some of them are offering solutions but none worked for me.
Here are the facts:
ColdFusion 9 Enterprise
Windows Server 2008
IIS7
And this is my <CFAPPLICATION> statement:
<CFAPPLICATION NAME="appName" CLIENTMANAGEMENT="No" SETCLIENTCOOKIES="Yes" SETDOMAINCOOKIES="Yes" SESSIONMANAGEMENT="Yes" SESSIONTIMEOUT="#CreateTimeSpan(0, 0, 20, 0)#">
Do you have any idea how to make SESSION variables and COOKIES visible between all subdomains of the same domain?
Thank you!
Do it manually and tell us what happens. To do it manually, set setClientCookies to "no" and then use this code
<cfcookie name="CFID"
domain=".viaromania.eu"
value="#session.cfid#">
<cfcookie name="CFTOKEN"
domain=".viaromania.eu"
value="#session.cftoken#">
<cfcookie name="JSESSIONID"
domain=".viaromania.eu"
value="#session.sessionid#">
This is exactly what the "setdomaincookies=true" is meant to be for.
I'd start debugging the problem by simply writing a cookie with one site, and making sure it can be read by the other. Then start working out why sessions aren't working once you know that's doing what it should do.
I created two files:
http://www.viaromania.eu/create_session.cfm
<cfset SESSION.test_session = "Hello SESSION!">
<cfoutput>#SESSION.test_session#</cfoutput>
http://litoral.viaromania.eu/test_session.cfm
<cfif IsDefined("SESSION.test_session")>
<cfoutput>#SESSION.test_session#</cfoutput>
<cfelse>
SESSION.test_session is not defined!
</cfif>
Click on the first link and you'll see the session value displayed.
Then click on the second link, and you'll see the session variable is not defined.
Did you not see my post?
I have changed the files to create one SESSION variable, and one COOKIE. Seems that the COOKIE is visible from the subdomain, but the SESSION is not. Here are the two files again:
http://www.viaromania.eu/create_session.cfm
<cfset SESSION.test_session = "Hello SESSION!">
<cfcookie name="test_cookie" value="#Now()#" domain=".viaromania.eu">
<cfoutput>
<p>SESSION.test_session = #SESSION.test_session#</p>
<p>COOKIE.test_cookie = #COOKIE.test_cookie#</p>
</cfoutput>
http://www.viaromania.eu/test_session.cfm (notice the link is accessing the file from the main domain, not the subdomain)
<p>
<cfif IsDefined("SESSION.test_session")>
<cfoutput>SESSION.test_session = #SESSION.test_session#</cfoutput>
<cfelse>
SESSION.test_session is not defined!
</cfif>
</p>
<p>
<cfif IsDefined("COOKIE.test_cookie")>
<cfoutput>COOKIE.test_cookie = #COOKIE.test_cookie#</cfoutput>
<cfelse>
COOKIE.test_cookie is not defined!
</cfif>
</p>
If you access the test file from the subdomain - click here: http://litoral.viaromania.eu/test_session.cfm it will see the COOKIE but not the SESSION...
So, you're right! The COOKIE is visible but the session not! Any ideas why?
Adrian.
I think you need to explicitly create the CFID and CFTOKEN cookie variables if you're doing this. Try putting these in your onRequestStart() method:
<cfcookie name="CFID" value="#session.cfid#" expires="#CreateTimeSpan(0,2,0,0)#">
<cfcookie name="CFTOKEN" value="#session.cftoken#" expires="#CreateTimeSpan(0,2,0,0)#">
If you've got setDomainCookies=true set, that should set a cookie which can be read by both.
I have checked in my CF Administrator. I am using SESSIONID to identify my clients. Do you think this can cause any problems?
As far as I know, if you check I think the CF is not creating CFID and CFTOKEN anymore. Is this related in any way to the "regular" custom SESSION variables?
Honestly can't remember, but I think you need to do those CFCOOKIE statements for whichever cookies your site needs. What cookies are actually being created in your browser when you log in or browse?
When users log in I create a structure like this:
<cfset SESSION.user = StructNew()>
<cfset SESSION.user.id = 1>
<cfset SESSION.user.first_name = "John">
...
and so on...
Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not.
I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are:
struct sessionid 843015a72de57aed8908547581a1b2d2e511 urltoken CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511
MacLaeod wrote:
When users log in I create a structure like this:
<cfset SESSION.user = StructNew()>
<cfset SESSION.user.id = 1>
<cfset SESSION.user.first_name = "John">
...
and so on...
Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not.
I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are:
struct sessionid 843015a72de57aed8908547581a1b2d2e511 urltoken CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511
Compare the values of urltoken for domain and subdomains. What's the result?
Domain:
CFID=960503&CFTOKEN=108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40&jsessionid=8430764f68488d6b51712455263c2e3d4557
Subdomain:
CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511
Right, stop flapping about with sessions and investigate the cookies as I said in the first post.
Have you looked at the actual cookies you're being given by the applications to your browser?
Here is the result of a <CFDUMP VAR="#COOKIE#">
Domain:
CFID 960503
CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40
JSESSIONID 843015a72de57aed8908547581a1b2d2e511
TEST_COOKIE {ts '2011-06-17 05:35:32'}
Subdomain:
CFID 4788774
CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE
JSESSIONID 8430764f68488d6b51712455263c2e3d4557
TEST_COOKIE {ts '2011-06-17 05:35:32'}
Notes:
- TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain;
- CFID and CFTOKEN, generated by the server, are different for each subdomain;
No, the *ACTUAL* cookies. In your browser. Take a look at what a CF app gives you, then you know what you need to replicate.
Domain cookies:
Subdomain cookies:
Right, and from that you can clearly see you're not having a domain cookie set for JSESSIONID.
Therefore edit the CFCOOKIE statements I put up earlier to stick the JSESSIONID into a cookie, and put that into your onRequestStart.
The application was started before Application.CFC started to be popular so it's still using old Application.cfm
Any idea how to use onRequestStart() with Application.cfm?
Not sure I'm afraid, I've only ever used .cfc. I'd imagine Google is your friend.
Anyhow, what are you suggesting is using COOKIES instead of SESSIONS to check if the user is logged in or not?
No, absolutely not - you need both. In order for ColdFusion to match a user up with a session, it requires that your browser send it a cookie (in your case JSESSIONID). It looks for a session matching that ID, and if it finds one you now have a session scope.
If the browser is not sending back a valid cookie, CF will start you a new session, and you will not be logged in. Making sure each application sends the same JSESSIONID to the browser in a cookie, and that it is a *domain* cookie, should allow you to share session scopes between subdomains.
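The cookie scoping described in the post above, modelled as an added example that is not part of the original thread: a simplified version of browser domain matching showing why a JSESSIONID issued without a Domain attribute is not sent to litoral.viaromania.eu, while one issued with domain=".viaromania.eu" is. The function names and cookie values are constructed for illustration; path, Secure, expiry and public-suffix handling are left out.

```javascript
// Simplified model of browser cookie scoping (RFC 6265 domain matching).
// Path, Secure, expiry and public-suffix checks are left out on purpose.
// Host names and cookie names come from the thread; values are constructed.

function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would for a response served by originHost.
// domainAttr is the Set-Cookie Domain attribute, or null when it is absent.
function storeCookie(jar, originHost, name, value, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to originHost alone.
    jar.push({ name, value, domain: originHost, hostOnly: true });
    return true;
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  if (!domainMatch(originHost, domain)) return false; // origin is outside that domain
  jar.push({ name, value, domain, hostOnly: false });
  return true;
}

// Names of the cookies the browser attaches to a request for requestHost.
function cookiesSentTo(jar, requestHost) {
  return jar
    .filter((c) => (c.hostOnly ? requestHost === c.domain : domainMatch(requestHost, c.domain)))
    .map((c) => c.name)
    .sort();
}

// Before the fix: JSESSIONID is issued without a Domain attribute.
function beforeFix() {
  const jar = [];
  storeCookie(jar, "www.viaromania.eu", "JSESSIONID", "constructed-session-id", null);
  storeCookie(jar, "www.viaromania.eu", "TEST_COOKIE", "constructed", ".viaromania.eu");
  return jar;
}

// After the fix: JSESSIONID is re-issued with domain=".viaromania.eu".
function afterFix() {
  const jar = [];
  storeCookie(jar, "www.viaromania.eu", "JSESSIONID", "constructed-session-id", ".viaromania.eu");
  storeCookie(jar, "www.viaromania.eu", "TEST_COOKIE", "constructed", ".viaromania.eu");
  return jar;
}

console.log("before:", cookiesSentTo(beforeFix(), "litoral.viaromania.eu"));
console.log("after: ", cookiesSentTo(afterFix(), "litoral.viaromania.eu"));
```

With the domain-scoped cookie, `cookiesSentTo` returns JSESSIONID for every host under viaromania.eu, so each subdomain that shares the cookie receives the session identifier.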
I think I got the idea! Thank you so much for your help! That's a good start, making sure the same JSESSIONID is shared between all subdomains.
Any idea how to use onRequestStart() with Application.cfm?
You can't. But Application.cfm is basically analogous to onRequestStart() anyhow: it runs at the beginning of every request.
--
Adam
MacLaeod wrote:
The application was started before Application.CFC started to be popular so it's still using old Application.cfm
Any idea how to use onRequestStart() with Application.cfm?
There is no such method for Application.cfm. In fact, it is unnecessary, as Application.cfm is designed to run when the request starts. You could therefore just put the request code in Application.cfm.
Besides, I would advise you to schedule using Application.cfc later. It is of central importance to the application. Hence, I would make it a project in its own right.
MacLaeod wrote:
Here is the result of a <CFDUMP VAR="#COOKIE#">
Domain:
CFID 960503
CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40
JSESSIONID 843015a72de57aed8908547581a1b2d2e511
TEST_COOKIE {ts '2011-06-17 05:35:32'}
Subdomain:
CFID 4788774
CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE
JSESSIONID 8430764f68488d6b51712455263c2e3d4557
TEST_COOKIE {ts '2011-06-17 05:35:32'}
Notes:
- TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain;
- CFID and CFTOKEN, generated by the server, are different for each subdomain;
This comparison shows you what your problem is. The session cookies in domain and subdomain are different.
My advice is: don't use or even mention CFID and CFTOKEN. Use only JSESSIONID. After all, that is what you've elected to use in the Administrator.
Thank you guys!
I just placed this code <cfcookie name="JSESSIONID" domain=".viaromania.eu" value="#SESSION.sessionid#"> in the Application.cfm file, closed the browser then started the test.
It works fine! It recognizes the sessions across the subdomains and it shows me I am logged in no matter what subdomain I am accessing!
Thank you once again for your time and effort! You saved my day!