Hi Eric,

Yes, if sticky sessions were not working or configured properly on your load
balancer that would certainly cause you to get a new CFID/CFTOKEN on each
request.

As of the ColdFusion security patch for session fixation (APSB11-04), if the
CFID/CFTOKEN values do not correspond to a valid session on the server it
will return new ones. In prior versions of CF it would just create a new
session with the CFID/CFTOKEN values that were sent. The problem with that
is that your session IDs can last a long, long time. You can actually
disable the session fixation patch by adding a JVM
argument: -Dcoldfusion.session.protectfixation=false but I'm not sure that
you want to. First I'd double-check that your load balancer has sticky
sessions set up properly.

One way you could validate that would be to create a page that returned
something unique to each server in the cluster (e.g. its IP address, or CF
serial number), then hit that page; if it keeps changing then you are hitting
different servers.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Jul 28, 2011 at 8:41 AM, Eric Cobb <[email protected]> wrote:

>
> I've got a strange problem here that I need some help figuring out.  We
> have a site running on 8 load balanced CF 9 servers.  We're doing a lot of
> stuff with Client Variables, and all of our code works fine in
> development/staging, but in production none of the client variables
> persist.  After digging in to it, I find that we're getting a new
> CFID/CFTOKEN on every page request, which explains why the variables
> don't persist from page to page.
>
> My question is, could this be a problem at the load balancer?  If sticky
> sessions were not enabled or configured correctly, wouldn't it cause
> this?  My gut tells me "yes", but I wanted to see if any of you have run
> into this.
>
> Thanks!
>
> Eric.
> http://www.cfgears.com
>
>
>
>
> 
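The check described in the reply, as an added example that is not part of the original thread: one client replays its cookies against the diagnostic page, and the results show whether the backend changes and whether CFID/CFTOKEN are re-issued after the first response. It assumes the diagnostic page returns only a server-unique identifier as its body; the URL passed to `collect` is yours to supply, and the IP addresses and cookie values below are constructed sample data.

```python
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import HTTPCookieProcessor, build_opener

def collect(url, count=10):
    """Hit the diagnostic page `count` times as one client, replaying cookies."""
    opener = build_opener(HTTPCookieProcessor(CookieJar()))
    seen = []
    for _ in range(count):
        with opener.open(url, timeout=10) as resp:
            cookies = resp.headers.get_all("Set-Cookie") or []
            seen.append((resp.read().decode(errors="replace").strip(), cookies))
    return seen

def issued_session_cookies(set_cookie_headers):
    """Return the CFID/CFTOKEN values a response issued, if any."""
    issued = {}
    for header in set_cookie_headers:
        for name, morsel in SimpleCookie(header).items():
            if name.upper() in ("CFID", "CFTOKEN"):
                issued[name.upper()] = morsel.value
    return issued

def diagnose(observations):
    """observations: (server_id, [Set-Cookie values]) tuples in request order."""
    servers = [server for server, _ in observations]
    switches = sum(a != b for a, b in zip(servers, servers[1:]))
    # The first response legitimately sets the cookies; any later re-issue
    # means the server did not recognise the session it was sent.
    reissues = sum(bool(issued_session_cookies(h)) for _, h in observations[1:])
    if switches:
        verdict = "not sticky"
    elif reissues:
        verdict = "sticky, session still rejected"
    else:
        verdict = "sticky"
    return {"servers": sorted(set(servers)), "switches": switches,
            "reissues": reissues, "verdict": verdict}

# Constructed sample observations (not captured from a real cluster).
BROKEN = [("10.0.0.11", ["CFID=1201; Path=/", "CFTOKEN=48213377; Path=/"]),
          ("10.0.0.14", ["CFID=877; Path=/", "CFTOKEN=90311542; Path=/"]),
          ("10.0.0.12", ["CFID=3310; Path=/", "CFTOKEN=17760924; Path=/"])]
HEALTHY = [("10.0.0.11", ["CFID=1201; Path=/", "CFTOKEN=48213377; Path=/"]),
           ("10.0.0.11", []), ("10.0.0.11", [])]

if __name__ == "__main__":
    print(diagnose(BROKEN))
    print(diagnose(HEALTHY))
```

A "sticky, session still rejected" verdict points away from the load balancer and toward the application or server configuration.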

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346386