SESSION variables across subdomains. How to make them visible?

New Here, Jun 17, 2011

Hi everybody!

I have a website and for some reasons, many subdomains, as part of the same website. Some kind of mainstore.com and phones.mainstore.com, laptops.mainstore.com, and so on.

The problem I am facing is I can't make SESSION variables (and COOKIES) visible between them. If I log in from the first page (mainstore.com) everything is ok, but if I then navigate to phones.mainstore.com, the website is showing me I am not logged in, of course, because the SESSION variable used to check if a user is logged in or not is not visible on that subdomain.

I read a lot of articles about this problem, some of them are offering solutions but none worked for me.

Here are the facts:

ColdFusion 9 Enterprise

Windows Server 2008

IIS7

And this is my <CFAPPLICATION> statement:

<CFAPPLICATION NAME="appName" CLIENTMANAGEMENT="No" SETCLIENTCOOKIES="Yes" SETDOMAINCOOKIES="Yes" SESSIONMANAGEMENT="Yes" SESSIONTIMEOUT="#CreateTimeSpan(0, 0, 20, 0)#">

Do you have any idea how to make SESSION variables and COOKIES visible between all subdomains of the same domain?

Thank you!

1 Correct Answer

Adobe Community Professional, Jun 17, 2011
Do it manually and tell us what happens. To do it manually, set setClientCookies to "no" and then use this code:

<cfcookie name="CFID" domain=".viaromania.eu" value="#session.cfid#">
<cfcookie name="CFTOKEN" domain=".viaromania.eu" value="#session.cftoken#">
<cfcookie name="JSESSIONID" domain=".viaromania.eu" value="#session.sessionid#">

Guide, Jun 17, 2011

This is exactly what the "setdomaincookies=true" is meant to be for.

I'd start debugging the problem by simply writing a cookie with one site, and making sure it can be read by the other. Then start working out why sessions aren't working once you know that's doing what it should do.

New Here, Jun 17, 2011

I created two files:

http://www.viaromania.eu/create_session.cfm

<cfset SESSION.test_session = "Hello SESSION!">

<cfoutput>#SESSION.test_session#</cfoutput>

http://litoral.viaromania.eu/test_session.cfm

<cfif IsDefined("SESSION.test_session")>

     <cfoutput>#SESSION.test_session#</cfoutput>

<cfelse>

     SESSION.test_session is not defined!

</cfif>

Click on the first link and you'll see the session value displayed.

Then click on the second link, and you'll see the session variable is not defined.

Guide, Jun 17, 2011

Did you not see my post?

New Here, Jun 17, 2011

I have changed the files to create one SESSION variable, and one COOKIE. Seems that the COOKIE is visible from the subdomain, but the SESSION is not. Here are the two files again:

http://www.viaromania.eu/create_session.cfm

<cfset SESSION.test_session = "Hello SESSION!">

<cfcookie name="test_cookie" value="#Now()#" domain=".viaromania.eu">


<cfoutput>

<p>SESSION.test_session = #SESSION.test_session#</p>

<p>COOKIE.test_cookie = #COOKIE.test_cookie#</p>

</cfoutput>

http://www.viaromania.eu/test_session.cfm (notice the link is accessing the file from the main domain, not the subdomain)

<p>

<cfif IsDefined("SESSION.test_session")>

<cfoutput>SESSION.test_session = #SESSION.test_session#</cfoutput>

<cfelse>

SESSION.test_session is not defined!

</cfif>

</p>


<p>

<cfif IsDefined("COOKIE.test_cookie")>

<cfoutput>COOKIE.test_cookie = #COOKIE.test_cookie#</cfoutput>

<cfelse>

COOKIE.test_cookie is not defined!

</cfif>

</p>

If you access the test file from the subdomain - click here: http://litoral.viaromania.eu/test_session.cfm it will see the COOKIE but not the SESSION...

So, you're right! The COOKIE is visible but the session not! Any ideas why?

Adrian.

Guide, Jun 17, 2011

I think you need to explicitly create the CFID and CFTOKEN cookie variables if you're doing this. Try putting these in your onRequestStart() method:

<cfcookie name="CFID" value="#session.cfid#" expires="#CreateTimeSpan(0,2,0,0)#">
<cfcookie name="CFTOKEN" value="#session.cftoken#" expires="#CreateTimeSpan(0,2,0,0)#">

If you've got setDomainCookies=true set, that should set a cookie which can be read by both.

New Here, Jun 17, 2011

I have checked in my CF Administrator. I am using SESSIONID to identify my clients. Do you think this can cause any problems?

As far as I know, if you check I think the CF is not creating CFID and CFTOKEN anymore. Is this related in any way to the "regular" custom SESSION variables?

Guide, Jun 17, 2011

Honestly can't remember, but I think you need to do those CFCOOKIE statements for whichever cookies your site needs. What cookies are actually being created in your browser when you log in or browse?

New Here, Jun 17, 2011

When users log in I create a structure like this:

<cfset SESSION.user = StructNew()>

<cfset SESSION.user.id = 1>

<cfset SESSION.user.first_name = "John">

...

and so on...

Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not.

I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are:

struct
sessionid 843015a72de57aed8908547581a1b2d2e511
urltoken CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511

Adobe Community Professional, Jun 17, 2011

MacLaeod wrote:

When users log in I create a structure like this:

<cfset SESSION.user = StructNew()>

<cfset SESSION.user.id = 1>

<cfset SESSION.user.first_name = "John">

...

and so on...

Then I check if the SESSION.user variable is defined and the ID it's ok to check if the user is logged in or not.

I did a <CFDUMP VAR="#SESSION#"> and on the maindomain.com I see a bunch of SESSION variables created because I am logged in, but on the subdomain.maindomain.com the only SESSION variables created by default by the system are:

struct
sessionid 843015a72de57aed8908547581a1b2d2e511
urltoken CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511

Compare the values of urltoken for domain and subdomains. What's the result?

New Here, Jun 17, 2011

Domain:

CFID=960503&CFTOKEN=108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40&jsessionid=8430764f68488d6b51712455263c2e3d4557

Subdomain:

CFID=4788774&CFTOKEN=6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE&jsessionid=843015a72de57aed8908547581a1b2d2e511

Guide, Jun 17, 2011

Right, stop flapping about with sessions and investigate the cookies as I said in the first post.

Have you looked at the actual cookies you're being given by the applications to your browser?

New Here, Jun 17, 2011

Here is the result of a <CFDUMP VAR="#COOKIE#">

Domain:

CFID 960503

CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40

JSESSIONID 843015a72de57aed8908547581a1b2d2e511

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Subdomain:

CFID 4788774

CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE

JSESSIONID 8430764f68488d6b51712455263c2e3d4557

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Notes:

- TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain;

- CFID and CFTOKEN, generated by the server, are different for each subdomain;

Guide, Jun 17, 2011

No, the *ACTUAL* cookies. In your browser. Take a look at what a CF app gives you, then you know what you need to replicate.

New Here, Jun 17, 2011

Domain cookies:

domain cookies.JPG

Subdomain cookies:

subdomain cookies.JPG

Guide, Jun 17, 2011

Right, and from that you can clearly see you're not having a domain cookie set for JSESSIONID.

Therefore edit the CFCOOKIE statements I put up earlier to stick the JSESSIONID into a cookie, and put that into your onRequestStart.

New Here, Jun 17, 2011

The application was started before Application.CFC started to be popular so it's still using old Application.cfm

Any idea how to use onRequestStart() with Application.cfm?

Guide, Jun 17, 2011

Not sure I'm afraid, I've only ever used .cfc. I'd imagine Google is your friend.

New Here, Jun 17, 2011

Anyhow, what you are suggesting is using COOKIES instead of SESSIONS to check if the user is logged in or not?

Guide, Jun 17, 2011

No, absolutely not - you need both. In order for ColdFusion to match a user up with a session, it requires that your browser send it a cookie (in your case JSESSIONID). It looks for a session matching that ID, and if it finds one you now have a session scope.

If the browser is not sending back a valid cookie, CF will start you a new session, and you will not be logged in. Making sure each application sends the same JSESSIONID to the browser in a cookie, and that it is a *domain* cookie, should allow you to share session scopes between subdomains.
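
The mechanism described in the reply above, as an added example that is not part of the original thread: a small Python model of browser cookie scoping and server-side session lookup, using the thread's two host names. The `Cookie`, `Browser` and `App` classes are hypothetical stand-ins, not ColdFusion code, and the model assumes the application issues a single JSESSIONID cookie with one scope.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    set_by: str                    # host that sent the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute; None means host-only

    def sent_to(self, host: str) -> bool:
        """RFC 6265 scoping: a host-only cookie goes back only to the exact
        host that set it; a domain cookie goes to that domain and every
        subdomain under it."""
        host = host.lower()
        if self.domain is None:
            return host == self.set_by.lower()
        base = self.domain.lstrip(".").lower()
        return host == base or host.endswith("." + base)


class Browser:
    def __init__(self):
        self.jar = {}

    def store(self, c: Cookie) -> None:
        # Same name and same scope overwrites; a different scope coexists.
        self.jar[(c.name, c.domain or c.set_by)] = c

    def cookies_for(self, host: str) -> dict:
        return {c.name: c.value for c in self.jar.values() if c.sent_to(host)}


class App:
    """Toy stand-in for one application answering on several host names.
    Simplification: it issues a single JSESSIONID cookie with one scope."""

    def __init__(self, cookie_domain: Optional[str] = None):
        self.cookie_domain = cookie_domain
        self.sessions = {}

    def handle(self, browser: Browser, host: str) -> dict:
        sid = browser.cookies_for(host).get("JSESSIONID")
        if sid not in self.sessions:      # no cookie or unknown ID: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        browser.store(Cookie("JSESSIONID", sid, host, self.cookie_domain))
        return self.sessions[sid]


def logged_in_on_subdomain(cookie_domain: Optional[str]) -> bool:
    browser, app = Browser(), App(cookie_domain)
    app.handle(browser, "www.viaromania.eu")["user"] = {"id": 1}   # log in
    return "user" in app.handle(browser, "litoral.viaromania.eu")
```

A domain-scoped JSESSIONID is returned to every host under viaromania.eu, so each subdomain that receives requests also receives the live session identifier.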

New Here, Jun 17, 2011

I think I got the idea! Thank you so much for your help! That's a good start, making sure the same JSESSIONID is shared between all subdomains.

LEGEND, Jun 17, 2011

Any idea how to use onRequestStart() with Application.cfm?

You can't.  But Application.cfm is basically analogous to onRequestStart() anyhow: it runs at the beginning of every request.

--

Adam

Adobe Community Professional, Jun 17, 2011

MacLaeod wrote:

The application was started before Application.CFC started to be popular so it's still using old Application.cfm

Any idea how to use onRequestStart() with Application.cfm?

There is no such method for Application.cfm. In fact, it is unnecessary, as Application.cfm is designed to run when the request starts. You could therefore just put the request code in Application.cfm.

Besides, I would advise you to schedule using Application.cfc later. It is of central importance to the application. Hence, I would make it a project in its own right.

Adobe Community Professional, Jun 17, 2011

MacLaeod wrote:

Here is the result of a <CFDUMP VAR="#COOKIE#">

Domain:

CFID 960503

CFTOKEN 108a69f434cc689d-B2001F2B-0F22-4BD9-EEC26FD9EEAB9C40

JSESSIONID 843015a72de57aed8908547581a1b2d2e511

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Subdomain:

CFID 4788774

CFTOKEN 6477fc7649bc8198-2D010AD0-0E06-7884-40DD17CFA41839AE

JSESSIONID 8430764f68488d6b51712455263c2e3d4557

TEST_COOKIE {ts '2011-06-17 05:35:32'}

Notes:

- TEST_COOKIE was set earlier from the domain and seems to be accessible and identical from the subdomain;

- CFID and CFTOKEN, generated by the server, are different for each subdomain;


This comparison shows you what your problem is. The session cookies in domain and subdomain are different.

My advice is: don't use or even mention CFID and CFTOKEN. Use only JSESSIONID. After all, that is what you've elected to use in the Administrator.

New Here, Jun 17, 2011

Thank you guys!

I just placed this code <cfcookie name="JSESSIONID" domain=".viaromania.eu" value="#SESSION.sessionid#"> in the Application.cfm file, closed the browser then started the test.

It works fine! It recognizes the sessions across the subdomains and it shows me I am logged in no matter what subdomain I am accessing!

Thank you once again for your time and effort! You saved my day!
