#SESSION# variables and iFrame

mkane1 wrote: On my servers, cookies are set with HTTPOnly, but not Secure.

We are not set for secure cookies, either.

mkane1 wrote: If either is 0, that would force the JSESSIONID to reset each page.

Session timeout is set for 20 minutes.

V/r,

^_^

‌IFRAME runs with lower privilege in IE. Try setting a P3P header in the template loaded into the frame:

<cfheader name="P3P" value="CP='CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR'">

We use FRAMESET, not IFRAMEs. I wonder if that could be it? This P3P issue only affects Internet Explorer.

This is happening in all tested browsers (IE9, IE10, IE11, FireFox, Chrome.)

And while I'm not thrilled about using iframe, I would only use frameset if a gun were held to my head.  (No offense; I know some people like frameset - I am not one of them.)

V/r,

^_^

Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

tribule wrote: Frameset works fine in many cases; I use it on a few sites that have run on large ecommerce sites for 10+ years over multiple CF versions, and no issues whatsoever.

I can appreciate that some developers either like or don't mind framesets.  Purely subjective.  I will never use framesets unless the client is forcing me to.  And I will do so under protest.

V/r,

^_^

WolfShade wrote: We are getting a different JSESSIONID with every page load.  If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID. EDIT:  I had read, somewhere, that this is supposed to happen - it's a security feature; changing the sessionid is supposed to suppress certain attacks.  HOWEVER, the information of the old JSESSIONID is supposed to be copied to the new JSESSIONID.  I think that's not happening, here.

As I suggested earlier, the likely reason for the requests from the iFrame to be creating new sessions each time is that such requests don't start within the application.  There is therefore no basis for a session to be maintained from one page to the next.

session.mAnswer is present in parent page; iframe does not see it, nor does the CFC.

The crux of the matter. I suspect that iFrame and CFC do have a session, but that it is different from the session that contains mAnswer.

Could you show us the code?

BKBK wrote: Could you show us the code?

I can try to get some pseudo-code posted, here.  Dev network is isolated from internet, and there's a lot of code.

I'll whip something up and post it here, soon.

Thank you!

V/r,

^_^

Wolfshade, earlier you wrote "If I display the JSESSIONID on a page, and refresh it over and over and over, each page load gives a different JSESSIONID".

If that is true, then iframes and CFCs are completely irrelevant. The value for JSESSIONID should not be changing like that.

I suggest you create a simple page in your app's folder that does nothing at all except show the values for COOKIE.JSESSIONID and SESSION.SESSIONID. If those values don't match, or either one changes when you refresh the page, that is the issue that needs to be addressed.

I would then create a new folder, with its own application.cfc/cfm that does nothing except initialize the application name (start with something completely new on that server), enables SESSIONMANAGEMENT with at least 20 minute timeout, and setdomaincookies=true. Then create a simple page in that folder that shows the values for COOKIE.JSESSIONID and SESSION.SESSIONID.

BKBK wrote:


Could you show us the code?

Here is some pseudo-code.

I took the iframe out of the equation, and am putting the form directly in index.cfm:

index.cfm:

<cfset variables.mQuestion = "What is two times two?" />
<cfset session.mAnswer = 4 />
     ...
<form name="subPro" id="subPro" enctype="application/x-www-form-urlencoded" class="dbw">
     ...
    <cfoutput>
        In an effort to cut down on bots, please answer the following question using numbers only:
        <br />#variables.mQuestion#:
        <input name="userInput" id="userInput" maxlength="2" class="userInput" value="" />
        <input type="button" name="submitBtn" id="submitBtn" value="  Submit  " onclick="return validateData(this.form.id);" />
    </cfoutput>
</form>

<script type="text/javascript">

   function validateData(formObjId){

    var formObj = document.forms[formObjId], postURL = "components/dbw.cfc?method=contactus";

    ... // I am doing _some_ client-side validation, here; there is more on server-side.

    postData = $('#' + formObjId).serializeArray();

    $.ajax({

        type: "POST",

        url: postURL,

        data: postData

        }).done(function(data){

            $('#dispResp').html(data);

            });
    }
</script>

dbw.cfc:

<cffunction access="remote" name="contactus" output="yes" returntype="any">

    <cfscript>

    returnResult = "";

    // server-side form validation, here

    if(val(session.mAnswer) neq val(form.userInput)){

        returnResult &= "Math answer does not match.<br />";

        }

    if(len(trim(returnResult))){

        returnResult = "Please correct the following:<br />" & returnResult;

        }

    </cfscript>

    <cfswitch expression="#len(trim(returnResult))#">

        <cfcase value="0">

            <!---
            Display message that all worked out great, thank user.
            --->

        </cfcase>

        <cfdefaultcase>

            #returnResult#

        </cfdefaultcase>

    </cfswitch>

</cffunction>

V/r,

^_^

WolfShade wrote: However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJaX are throwing the same session error messages - 'mAnswer not defined in session'.

You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call.

Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

BKBK wrote: WolfShade wrote: However, I've got J2EE enabled, setDomainCookies to true (in Application.cfc), and cookies set for HTTPonly.  Now, the .cfcs that process form data via AJaX are throwing the same session error messages - 'mAnswer not defined in session'. You might have stumbled by chance - luckily, perhaps - on a design issue you have to solve. The error message suggests that the CFC uses session variables. However, it also appears that the CFC is available to clients via an AJAX URL call. Such a call is from "outside" the application, and may be made by anyone. Whereas, a session variable is within the context of the application, hence on the "inside". To improve your design, in general, ensure that a CFC that is accessible from the outside does not involve session variables.

BKBK‌‌, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

mkane1 wrote: BKBK, if you are suggesting that the application pages should work with SESSION vars etc. and send pertinent details to CFCs as arguments, I would agree with that. Not sure about the inside/outside references.

Hi, I am not talking about application pages working with session variables and sending data to CFCs as arguments, though that is a valid point. I really mean "inside" and "outside".

A CFC is a service inside an application. If you want it to be accessible by a client from outside the application, you should - as a general rule - avoid using session-scoped variables within the CFC.

tribule wrote: FireFox would be fine, but IE and Chrome refused to work.

That won't fly, here.. IE is the internal browser default.  (  Did you ever get it fixed for all browsers?

^_^

Yes, enabling setdomaincookies was the solution in our case. Have you tried adding it? We were on an old legacy app, with application.cfm so our cfapplication tag looked like this:

<cfapplication name="testApp"

               clientmanagement="true"

               sessionmanagement="true"

               sessiontimeout="#CreateTimeSpan(0,0,60,0)#"

               setclientcookies="true"

               setdomaincookies="true">