new cfid with every refresh

Report · Dec 11, 2015

I updated a test server from ColdFusion 10 to ColdFusion 11 30 days Enterprise trail edition with update 7.

However, every time I hit refresh in my browsers, I get a new cfid. As a result, a valid session is not found so the login page doesn't work.

I checked the session in coldfusion admin page and my cookie in my browsers, they are both created correctly.

This is what I have in my application.cfm

<CFAPPLICATION NAME="TESTWEB"

CLIENTMANAGEMENT="Yes"

SETCLIENTCOOKIES="Yes"

SESSIONMANAGEMENT="Yes"

SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"

SETDOMAINCOOKIES = "No">

However, when I open the page from the host computer, then the cfid doesn't get change everytime I hit refresh, so everything works.

During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed those code. The only other place would be in logout.

I am not using jsessionids, only coldFusion session id.

Timeout for all session variables is 7 days.

Any idea what can cause my problem?

Report · Dec 11, 2015

dzhaos wrote:

This is what I have in my application.cfm

<CFAPPLICATION NAME="TESTWEB"

CLIENTMANAGEMENT="Yes"

SETCLIENTCOOKIES="Yes"

SESSIONMANAGEMENT="Yes"

SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"

SETDOMAINCOOKIES = "No">

Timeout for all session variables is 7 days.

It is uncllear what the problem is. First you say sessions don't work, then you say they do.

In any case, you should switch to Application.cfc, using a more realistic value of sessiontimeout.

Application.cfc

this.name = "TESTWEB";

this.applicationTimeout = "#createTimespan(1,0,0,0)#";

this.clientManagement = "yes";

this.clientStorage = "cookie";

this.sessionManagement = "yes";

this.sessionTimeout = "#createTimeSpan(0,0,20,0)#";

this.setClientCookies = "yes";

this.setDomainCookies = "no";

</cfscript>

</cfcomponent>

Report · Dec 11, 2015

The session actually works when I am inside the computer that host the server, and I use the browser in there to connect to my website, then everything work.

However, if I am on another computer, and then go to my website, the session doesn't load. In both cases, I check my browser does contain the cfid cookie.

Does this make sense?

Thanks for taking your time to look at my problem.

Report · Dec 12, 2015

Thanks for the explanation. It is surprising that ColdFusion only writes the cfid cookie. What if you add this to your application file:

</cfif>

Report · Dec 17, 2015

Sorry, I am not clear in my explanation. What I meant before is my browser at least contain cfid cookie. It also contain cfid, cftoken, jessionid, hide_inactive, hide_inactive_project, hide_unimportant, search_block_size for my ColdFusion site cookies.

I have changed application.cfm to application.cfc, but I still have the same problem.

Report · Dec 17, 2015

Test with different browsers on the remote machine.

Delete the existing cookies and browser cache.

Report · Dec 17, 2015

Here is my test result:

Local machine:

chrome: cfid doesn't change with refresh - work

IE: : cfid doesn't change with refresh - work

Machine A (I have been testing on this machine, I cleaned the cache and cookie)

chrome: cfid change with refresh - doesn't work

firefox: cfid change with refresh - doesn't work

IE: cfid doesn't change with refresh - work

Machine B

chrome: cfid change with refresh - doesn't work

firefox: cfid doesn't change with refresh - work

IE: cfid doesn't change with refresh - work

Machine B

chrome: cfid doesn't change with refresh - work

firefox: cfid doesn't change with refresh - work

IE: cfid doesn't change with refresh - work

This is pretty weird. Have you seen this happen before? Any suggestion?

Report · Dec 17, 2015

I also find it weird. I have seen something similar before, but it occurred on the remote, as well as on the local, machine. I think it was caused by session fixation.

Why do you have Machine B twice?

Report · Dec 17, 2015

my mistake, last one is machine c

Report · Dec 17, 2015

OK.

You said:

I am not using jsessionids, only coldFusion session id.

But later you added:

What I meant before is my browser at least contain cfid cookie. It also contain cfid, cftoken, jessionid,

Did you disable JEE sessions in the administrator?

Report · Dec 18, 2015

In ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables uncheck, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and HTTPOnly is checked.

Do you think these setting are correct? This is where JEE session is set right?

Report · Dec 18, 2015

wow after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved, can you think of how J2EE session fixed my problem?

Report · Dec 18, 2015

dzhaos wrote:

wow after I checked J2EE session variables, the cfid doesn't change now after refresh for all browsers. So my problem is now solved, can you think of how J2EE session fixed my problem?

I really can't say, to be honest. I am glad to hear that you can now work with sessions. Quite handy.

Using J2EE sessions is preferable to using CFID and CFToken. When you say your problem is solved, I hope you have been checking for a change in the jsessionid cookie. Coldfusion stops generating CFID and CFToken cookies when you enable J2EE sessions.

Report · Dec 21, 2015

BKBK, thank you for all your help.

Yes, CFID and CFToken cookies are not longer in my browser. I have also replaced code that check for CFID in login and logout.

Report · Dec 18, 2015

As BKBK said, now that you are using J2EE session variables, the only cookie value that should be created is jsessionid. It looks like ColdFusion will still create a SESSION.urltoken variable that includes CFID, CFTOKEN, and jsessionid as embedded parameters. But I don't think the CFID or CFTOKEN are used anywhere else. If you still see them within the COOKIE scope, flush your browser cache and delete the cookie(s) for your site. On the next request, you should only see the jsessionid in COOKIE.

-Carl V.

Report · Dec 18, 2015

dzhaos wrote:

In ColdFusion Admin page, I go to Server Settings -> Memory Variable and I see Use J2EE session variables uncheck, Enable Application Variables and Enable Session Variables checked. I have 7 days for timeout for Application Variables and 7 days 20 minutes for Sessions Variables in both Maximum and Default Timeout. In Session Cookie Setting, cookie timeout is 15768000 minutes and HTTPOnly is checked.

Do you think these setting are correct? This is where JEE session is set right?

Apllication timeout of 7 days ia all right.

I would set the sessiontimeout to 30 minutes.

Sessions could also be set in the XML configuration files. (I would advise anyone not to go there)

Adobe Community

new cfid with every refresh

1 Correct answer