Re: One app kills another's session

2011-12-19 Thread Mike Chabot

If the various cfapplication tags have different names, timeouts, or
other different attributes, then that could be the source of the
session problems you are seeing. Perhaps the person using MSIE 7 is
the only person that visits a certain maintenance page that is
influenced by a different cfapplication tag, for example.

I would recommend to not use "10" for applicationtimeout. It is more
clear if you use the CreateTimeSpan function. You could just rely on
the default specified in CF Admin.

I have seen some sites where people enabled client variables then
never used them anywhere in the site. Make sure that your site
actually uses client variables and that client variables are the most
appropriate variable type choice. The majority of Web applications do
not need client variables enabled.

-Mike Chabot

On Sat, Dec 17, 2011 at 2:07 PM, Nick Gleason  wrote:
>
> Mike,
>
> To answer your question, it seems to be tied to a particular browser (IE 7
> or 8) on a particular computer (ie IE 7, 8 work for most users).
>
> Also, re: session variables, looking in CF Admin, it looks like we have "Use
> J2EE Session Variables" as well as "Enable Application Variables" and
> "Enable Session Variables".  I'm not sure what related measures we have in
> the code other than settings in cfapplication, as follows:
> 
>        clientmanagement        = "Yes"
>        sessionmanagement       = "Yes"
>        setclientcookies        = "Yes"
>        sessiontimeout          = "#REQUEST.SessionTimeout#"
>        applicationtimeout      = "10"
>        clientStorage           = "#request.dsn#">
> ---

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349216
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: One app kills another's session

2011-12-18 Thread Mike Chabot

Nick,
If the session token is changing on every request then something is
interfering with the setting of the cookie. If it is broken for only
one browser on a computer, then I would suspect a problem with the
browser settings or security software installed on the computer that
only integrates with IE. Some iterations of IE 6 and 7 had various
problems with cookies and sessions, but all those bugs were fixed long
ago.

You use the phrase "client variable" in one spot. If you happen to be
dealing with client variables instead of session variables, then those
would be troubleshot differently.

Caching can always be a problem, that is separate from session
problems. If Bob visits his account information page, then Mary later
visits her account information page, but sees Bob's information
instead of her information, then that could be a caching issue
unrelated to session variables. If you are showing personalized
information on a site not protected by SSL, then you should consider
disabling caching.

-Mike Chabot

On Fri, Dec 16, 2011 at 4:12 PM, Nick Gleason  wrote:
>
> Hi Mike,
>
> Thanks for the follow up.  It seems to only happen with certain computers
> and only with IE (FF and Chrome work great).
>
> Since we can't re-create it here, it's hard to test, but I have seen at
> least one example with a user where the cfid and cftoken changed on every
> request.
>
> There is another, possibly unrelated, example where during a login where we
> encode the attributes in client variables using wddx and the process does
> not work (again, only with IE and only once in a while).  It seems to get
> fixed when cache is cleared in IE but we can't figure out why that would be.
> One thing we are planning on trying is putting in code that will require a
> reload (ie no use of cache) to see if that helps.
>
> Again, I appreciate the thoughts and suggestions.
>
> Nick
>
>
>
>> -Original Message-
>> From: Mike Chabot [mailto:mcha...@gmail.com]
>> Sent: Thursday, December 15, 2011 5:16 PM
>> To: cf-talk
>> Subject: Re: One app kills another's session
>>
>>
>> Sometimes switching to J2EE sessions fixes odd session issues. If you
>> are able to do this it might fix the problem. J2EE sessions work
>> well. Try doing a site-wide search for the cfapplication tag to make
>> sure there is only one in each site. Sometimes there are multiple
>> cfapplication tags in a site that people forget about. It could be a
>> proxy server or firewall messing with things.
>>
>> Does only one person see this problem?
>> If one person has the problem and someone else logs into that person's
>> computer, does the other person have the problem?
>> Have the person that sees the problem try a different computer or a
>> different browser.
>>
>> -Mike Chabot
>> On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
>>  wrote:
>> >
>> > Hey All,
>> >
>> > Can't say that I've bumped into this before.
>> >
>> > 1) 2 apps are involved and both use SESSION vars to store user details
>> > once they login.
>> >
>> > 2) Both apps are set to setClientCookies in CFAPPLICATION
>> >
>> > 3) App 1 uses a standard login form where credentials are verified and
>> > the SESSION vars are set if successful
>> >
>> > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
>> > off the network and use that as part of the authentication process -
>> > when successful...SESSION vars are set as in app 1
>> >
>> > 5) Both apps have a different name in CFAPPLICATION ;-)
>> >
>> > 6) both apps reside on the same server running CF 8 against Oracle 10G
>> >
>> > Here's what happens on WinXP Pre SP 3 with IE 7:
>> >
>> > 1) Open new IE7 window and log in to app1
>> >
>> > 2) Open new IE7 window and log in to app 2
>> >
>> > 3) Go back to the browser with app 1 and try to navigate through app -
>> > get kicked to session expired screen
>> >
>> > This was tested by another user on XP with IE8 and the issue did not
>> > occur.
>> >
>> > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things
>> > to check...any ideas?
>> >
>> > TIA
>> >
>>

RE: One app kills another's session

2011-12-18 Thread Nick Gleason

Mike,

To answer your question, it seems to be tied to a particular browser (IE 7
or 8) on a particular computer (ie IE 7, 8 work for most users).

Also, re: session variables, looking in CF Admin, it looks like we have "Use
J2EE Session Variables" as well as "Enable Application Variables" and
"Enable Session Variables".  I'm not sure what related measures we have in
the code other than settings in cfapplication, as follows:










RE: One app kills another's session

2011-12-18 Thread Nick Gleason

PS - There are a few cfapplication tags in our system.  However, it
uses FuseBox 3 and my understanding was that this could be done in
sub-folders / circuits without confusion.  For instance, we use the CFFM
file manager with CKEditor in the cms and that has an application.cfm file
with a cfapplication tag.  I don't think that would disrupt page displays,
which are generated from a different part of the system, but if you think
there is potential for that, let me know.

Nick 







RE: One app kills another's session

2011-12-16 Thread Nick Gleason

Hi Mike, 

Thanks for the follow up.  It seems to only happen with certain computers
and only with IE (FF and Chrome work great).

Since we can't re-create it here, it's hard to test, but I have seen at
least one example with a user where the cfid and cftoken changed on every
request.

There is another, possibly unrelated, example where during a login where we
encode the attributes in client variables using wddx and the process does
not work (again, only with IE and only once in a while).  It seems to get
fixed when cache is cleared in IE but we can't figure out why that would be.
One thing we are planning on trying is putting in code that will require a
reload (ie no use of cache) to see if that helps.

Again, I appreciate the thoughts and suggestions.

Nick



> -Original Message-
> From: Mike Chabot [mailto:mcha...@gmail.com]
> Sent: Thursday, December 15, 2011 5:16 PM
> To: cf-talk
> Subject: Re: One app kills another's session
> 
> 
> Sometimes switching to J2EE sessions fixes odd session issues. If you
> are able to do this it might fix the problem. J2EE sessions work
> well. Try doing a site-wide search for the cfapplication tag to make
> sure there is only one in each site. Sometimes there are multiple
> cfapplication tags in a site that people forget about. It could be a
> proxy server or firewall messing with things.
> 
> Does only one person see this problem?
> If one person has the problem and someone else logs into that person's
> computer, does the other person have the problem?
> Have the person that sees the problem try a different computer or a
> different browser.
> 
> -Mike Chabot
> On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
>  wrote:
> >
> > Hey All,
> >
> > Can't say that I've bumped into this before.
> >
> > 1) 2 apps are involved and both use SESSION vars to store user details
> > once they login.
> >
> > 2) Both apps are set to setClientCookies in CFAPPLICATION
> >
> > 3) App 1 uses a standard login form where credentials are verified and
> > the SESSION vars are set if successful
> >
> > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > off the network and use that as part of the authentication process -
> > when successful...SESSION vars are set as in app 1
> >
> > 5) Both apps have a different name in CFAPPLICATION ;-)
> >
> > 6) both apps reside on the same server running CF 8 against Oracle 10G
> >
> > Here's what happens on WinXP Pre SP 3 with IE 7:
> >
> > 1) Open new IE7 window and log in to app1
> >
> > 2) Open new IE7 window and log in to app 2
> >
> > 3) Go back to the browser with app 1 and try to navigate through app -
> > get kicked to session expired screen
> >
> > This was tested by another user on XP with IE8 and the issue did not
> > occur.
> >
> > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things
> > to check...any ideas?
> >
> > TIA
> >
> > Cheers
> > --
> >
> >
> > Bryan Stevenson B.Comm.
> > VP & Director of E-Commerce Development Electric Edge Systems Group
> > Inc.
> > phone: 250.480.0642
> > fax: 250.480.1264
> > cell: 250.920.8830
> > e-mail: br...@electricedgesystems.com
> > web: www.electricedgesystems.com
> >
> > Notice:
> > This message, including any attachments, is confidential and may
> > contain information that is privileged or exempt from disclosure. It
> > is intended only for the person to whom it is addressed unless
> > expressly authorized otherwise by the sender. If you are not an
> > authorized recipient, please notify the sender immediately and
> > permanently destroy all copies of this message and attachments.
> > Please consider the environment before printing this e-mail
> >
> >
> >
> >
> 
> 



Re: One app kills another's session

2011-12-16 Thread Mike Chabot

Maybe see if you are up to date with CF patches.

I would put in a lot of logging code to track the session tokens, as
well as other session and cookie variables, and try to isolate exactly
where the problem occurs.

-Mike Chabot

On Thu, Dec 15, 2011 at 8:30 PM, Bryan Stevenson
 wrote:
>
> On Thu, 2011-12-15 at 20:16 -0500, Mike Chabot wrote:
>
>> Sometimes switching to J2EE sessions fixes odd session issues. If you
>> are able to do this it might fix the problem. J2EE sessions work
>> well.
>
>
> Pretty sure they already are - but I can double check...thanks
>
>> Try doing a site-wide search for the cfapplication tag to make
>> sure there is only one in each site. Sometimes there are multiple
>> cfapplication tags in a site that people forget about. It could be a
>> proxy server or firewall messing with things.
>
> 100% none of the above...but thanks
>
>>
>> Does only one person see this problem?
>
> Nope...I can reproduce...it's a real bug ;-)
>
>> If one person has the problem and someone else logs into that person's
>> computer, does the other person have the problem?
>> Have the person that sees the problem try a different computer or a
>> different browser.
>>
>> -Mike Chabot
>
>
>
> 
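
One way to act on the logging suggestion above, as an added example that is not part of the original thread: it reads per-request records and reports whether the browser failed to return the token, returned a different one, or the server reissued it. The log format, field names and sample lines are assumptions constructed for the illustration; they are not ColdFusion log output.

```javascript
// Constructed sample log (not from the thread). Assumed format: one line per
// request with the client, the application, the CFTOKEN cookie the browser
// sent ("-" when it sent none) and the CFTOKEN of the session the server used.
const SAMPLE_LOG = [
  "10:00:01 client=pc-17 app=app1 sent=- session=a1",
  "10:00:05 client=pc-17 app=app1 sent=a1 session=a1",
  "10:00:09 client=pc-17 app=app2 sent=a1 session=b1",
  "10:00:12 client=pc-17 app=app1 sent=b1 session=a2",
  "10:01:00 client=pc-22 app=app1 sent=- session=c1",
  "10:01:04 client=pc-22 app=app1 sent=- session=c2",
  "10:01:08 client=pc-22 app=app1 sent=- session=c3",
  "garbled line without fields",
];

// Parse "time key=value ..." into an object; returns null for unusable lines.
function parseLine(line) {
  const [time, ...pairs] = line.trim().split(/\s+/);
  const rec = { time };
  for (const pair of pairs) {
    const eq = pair.indexOf("=");
    if (eq > 0) rec[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  const complete = ["client", "app", "sent", "session"].every((k) => k in rec);
  return complete ? rec : null;
}

// Compare each request with the token the same application last used for the
// same client, and report which side broke the chain.
function classifyRequests(lines) {
  const lastIssued = new Map(); // "client|app" -> token used on the previous request
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue; // skip lines that do not carry all four fields
    const key = `${rec.client}|${rec.app}`;
    const previous = lastIssued.get(key);
    let finding = "ok";
    if (previous === undefined) {
      finding = "first-request";
    } else if (rec.sent === "-") {
      finding = "cookie-not-returned"; // nothing came back from the browser side
    } else if (rec.sent !== previous) {
      finding = "cookie-overwritten"; // browser returned a token this app did not issue
    } else if (rec.session !== previous) {
      finding = "server-reissued"; // right cookie arrived, server started a new session
    }
    lastIssued.set(key, rec.session);
    if (finding !== "ok" && finding !== "first-request") {
      findings.push({ time: rec.time, client: rec.client, app: rec.app, finding });
    }
  }
  return findings;
}

// Count findings per client so the affected machines stand out.
function summarize(findings) {
  const summary = {};
  for (const f of findings) {
    summary[f.client] = summary[f.client] || {};
    summary[f.client][f.finding] = (summary[f.client][f.finding] || 0) + 1;
  }
  return summary;
}

const sampleFindings = classifyRequests(SAMPLE_LOG);
console.log(sampleFindings);
console.log(summarize(sampleFindings));
```
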



Re: One app kills another's session

2011-12-15 Thread Bryan Stevenson

On Thu, 2011-12-15 at 20:16 -0500, Mike Chabot wrote:

> Sometimes switching to J2EE sessions fixes odd session issues. If you
> are able to do this it might fix the problem. J2EE sessions work
> well.


Pretty sure they already are - but I can double check...thanks

> Try doing a site-wide search for the cfapplication tag to make
> sure there is only one in each site. Sometimes there are multiple
> cfapplication tags in a site that people forget about. It could be a
> proxy server or firewall messing with things.

100% none of the above...but thanks

>
> Does only one person see this problem?

Nope...I can reproduce...it's a real bug ;-)

> If one person has the problem and someone else logs into that person's
> computer, does the other person have the problem?
> Have the person that sees the problem try a different computer or a
> different browser.
> 
> -Mike Chabot





Re: One app kills another's session

2011-12-15 Thread Mike Chabot

Sometimes switching to J2EE sessions fixes odd session issues. If you
are able to do this it might fix the problem. J2EE sessions work
well. Try doing a site-wide search for the cfapplication tag to make
sure there is only one in each site. Sometimes there are multiple
cfapplication tags in a site that people forget about. It could be a
proxy server or firewall messing with things.

Does only one person see this problem?
If one person has the problem and someone else logs into that person's
computer, does the other person have the problem?
Have the person that sees the problem try a different computer or a
different browser.

-Mike Chabot
On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
 wrote:
>
> Hey All,
>
> Can't say that I've bumped into this before.
>
> 1) 2 apps are involved and both use SESSION vars to store user details
> once they login.
>
> 2) Both apps are set to setClientCookies in CFAPPLICATION
>
> 3) App 1 uses a standard login form where credentials are verified and
> the SESSION vars are set if successful
>
> 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> off the network and use that as part of the authentication process -
> when successful...SESSION vars are set as in app 1
>
> 5) Both apps have a different name in CFAPPLICATION ;-)
>
> 6) both apps reside on the same server running CF 8 against Oracle 10G
>
> Here's what happens on WinXP Pre SP 3 with IE 7:
> 
> 1) Open new IE7 window and log in to app1
>
> 2) Open new IE7 window and log in to app 2
>
> 3) Go back to the browser with app 1 and try to navigate through app -
> get kicked to session expired screen
> 
>
> This was tested by another user on XP with IE8 and the issue did not
> occur.
>
> So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to
> check...any ideas?
>
> TIA
>
> Cheers
> --
>
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> phone: 250.480.0642
> fax: 250.480.1264
> cell: 250.920.8830
> e-mail: br...@electricedgesystems.com
> web: www.electricedgesystems.com
>
> Notice:
> This message, including any attachments, is confidential and may contain
> information that is privileged or exempt from disclosure. It is intended
> only for the person to whom it is addressed unless expressly authorized
> otherwise by the sender. If you are not an authorized recipient, please
> notify the sender immediately and permanently destroy all copies of this
> message and attachments.
> Please consider the environment before printing this e-mail
>
>
>
> 



RE: One app kills another's session

2011-12-15 Thread Bryan Stevenson

Thanks Nick.

I can say that this does not happen in IE 8 using default settings, but
it is 100% consistent and reproducible in IE7 with browser default
settings.

So at least it is not anything to do with odd browser settings

The client will be tossing IE7 as their standard when they migrate to
Win7 with IE 9 or 10...and this issue has only been reported by a
single super user...and he's gonna install IE8 ;-)

Cheers

On Thu, 2011-12-15 at 14:03 -0800, Nick Gleason wrote:

> Hi Folks,
> 
> This sounds a little like a sporadic but very frustrating issue that we have
> experienced.  It is IE only and only with some users (we haven't been able
> to re-create it in house).  We host multiple stand alone versions of our CMS
> / CRM application per server using CF 9 Professional which is pretty well
> patched. The behavior seems to be that sessions mysteriously reset.  In some
> cases we have seen this with each page request.  In some cases it seems to
> kick in when a page is forced into https (or our related use of wddx to
> store client variables).  In some cases it seems to clear up when the user
> clears the cache in IE.
> 
> We had speculated that it might be related to security settings in IE or
> perhaps the way that IE handles caching, but we have yet to find a silver
> bullet(s).
> 
> It has been very difficult to track down so we're interested in any
> information.  I've searched a bit for info regarding the session fixation
> patch that Pete mentioned, but any more information about how that plays out
> in CF apps would be greatly appreciated.
> 
> Thanks in advance,
> 
> Nick
> 
> > -Original Message-
> > From: Pete Freitag [mailto:p...@foundeo.com]
> > Sent: Thursday, December 15, 2011 11:53 AM
> > To: cf-talk
> > Subject: Re: One app kills another's session
> > 
> > 
> > Bryan,
> > 
> > Are these apps running on the same domain or different domains, if they
> > are on the same domain then you will need to specify the path in your
> > session cookies so they don't invalidate each other (this relatively
> > new behavior due to the session fixation security hotfix
> > APSB11-04 released in Feb).
> > 
> > Also if you are experiencing a cookie problem on one browser but not
> > another make sure you have cleared cookies first.
> > 
> > --
> > Pete Freitag - Adobe Community Professional http://foundeo.com/ -
> > ColdFusion Consulting & Products http://petefreitag.com/ - My Blog
> > http://hackmycf.com - Is your ColdFusion Server Secure?
> > 
> > 
> > 
> > 
> > On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
> >  wrote:
> > >
> > > Hey All,
> > >
> > > Can't say that I've bumped into this before.
> > >
> > > 1) 2 apps are involved and both use SESSION vars to store user details
> > > once they login.
> > >
> > > 2) Both apps are set to setClientCookies in CFAPPLICATION
> > >
> > > 3) App 1 uses a standard login form where credentials are verified and
> > > the SESSION vars are set if successful
> > >
> > > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > > off the network and use that as part of the authentication process -
> > > when successful...SESSION vars are set as in app 1
> > >
> > > 5) Both apps have a different name in CFAPPLICATION ;-)
> > >
> > > 6) both apps reside on the same server running CF 8 against Oracle 10G
> > >
> > > Here's what happens on WinXP Pre SP 3 with IE 7:
> > >
> > > 1) Open new IE7 window and log in to app1
> > >
> > > 2) Open new IE7 window and log in to app 2
> > >
> > > 3) Go back to the browser with app 1 and try to navigate through app -
> > > get kicked to session expired screen
> > >
> > > This was tested by another user on XP with IE8 and the issue did not
> > > occur.
> > >
> > > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things
> > > to check...any ideas?
> > >
> > > TIA
> > >
> > > Cheers
> > > --
> > >
> > >
> > > Bryan Stevenson B.C

RE: One app kills another's session

2011-12-15 Thread Nick Gleason

Hi Folks,

This sounds a little like a sporadic but very frustrating issue that we have
experienced.  It is IE only and only with some users (we haven't been able
to re-create it in house).  We host multiple stand alone versions of our CMS
/ CRM application per server using CF 9 Professional which is pretty well
patched. The behavior seems to be that sessions mysteriously reset.  In some
cases we have seen this with each page request.  In some cases it seems to
kick in when a page is forced into https (or our related use of wddx to
store client variables).  In some cases it seems to clear up when the user
clears the cache in IE.

We had speculated that it might be related to security settings in IE or
perhaps the way that IE handles caching, but we have yet to find a silver
bullet(s).

It has been very difficult to track down so we're interested in any
information.  I've searched a bit for info regarding the session fixation
patch that Pete mentioned, but any more information about how that plays out
in CF apps would be greatly appreciated.

Thanks in advance,

Nick

> -Original Message-
> From: Pete Freitag [mailto:p...@foundeo.com]
> Sent: Thursday, December 15, 2011 11:53 AM
> To: cf-talk
> Subject: Re: One app kills another's session
> 
> 
> Bryan,
> 
> Are these apps running on the same domain or different domains, if they
> are on the same domain then you will need to specify the path in your
> session cookies so they don't invalidate each other (this relatively
> new behavior due to the session fixation security hotfix
> APSB11-04 released in Feb).
> 
> Also if you are experiencing a cookie problem on one browser but not
> another make sure you have cleared cookies first.
> 
> --
> Pete Freitag - Adobe Community Professional http://foundeo.com/ -
> ColdFusion Consulting & Products http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
> 
> 
> 
> 
> On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
>  wrote:
> >
> > Hey All,
> >
> > Can't say that I've bumped into this before.
> >
> > 1) 2 apps are involved and both use SESSION vars to store user details
> > once they login.
> >
> > 2) Both apps are set to setClientCookies in CFAPPLICATION
> >
> > 3) App 1 uses a standard login form where credentials are verified and
> > the SESSION vars are set if successful
> >
> > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > off the network and use that as part of the authentication process -
> > when successful...SESSION vars are set as in app 1
> >
> > 5) Both apps have a different name in CFAPPLICATION ;-)
> >
> > 6) both apps reside on the same server running CF 8 against Oracle 10G
> >
> > Here's what happens on WinXP Pre SP 3 with IE 7:
> >
> > 1) Open new IE7 window and log in to app1
> >
> > 2) Open new IE7 window and log in to app 2
> >
> > 3) Go back to the browser with app 1 and try to navigate through app -
> > get kicked to session expired screen
> >
> > This was tested by another user on XP with IE8 and the issue did not
> > occur.
> >
> > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things
> > to check...any ideas?
> >
> > TIA
> >
> > Cheers
> > --
> >
> >
> > Bryan Stevenson B.Comm.
> > VP & Director of E-Commerce Development Electric Edge Systems Group
> > Inc.
> > phone: 250.480.0642
> > fax: 250.480.1264
> > cell: 250.920.8830
> > e-mail: br...@electricedgesystems.com
> > web: www.electricedgesystems.com
> >
> > Notice:
> > This message, including any attachments, is confidential and may
> > contain information that is privileged or exempt from disclosure. It
> > is intended only for the person to whom it is addressed unless
> > expressly authorized otherwise by the sender. If you are not an
> > authorized recipient, please notify the sender immediately and
> > permanently destroy all copies of this message and attachments.
> > Please consider the environment before printing this e-mail
> >
> >
> >
> >
> 
> 
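
The cookie-path point in the quoted advice, shown as an added example that is not part of the original thread: a small model of a browser cookie store replays the three reported steps with both apps writing CFID/CFTOKEN at Path=/ and then with per-app paths. It assumes each app issues a fresh token at login and keeps its own session table; the host name, paths and token values are constructed, and this models generic cookie scoping, not ColdFusion internals.

```javascript
// Model of a browser cookie store. A cookie is identified by name + host + path
// (RFC 6265 section 5.3), so same-name cookies with different paths coexist.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  set(host, name, value, path) {
    this.cookies.set(`${name}|${host}|${path}`, { host, name, value, path });
  }

  // Path-match rule from RFC 6265 section 5.1.4.
  static pathMatches(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // Cookies attached to a request, as name -> value. Simplification: when two
  // paths match, the value from the longer (more specific) path is kept.
  cookiesFor(host, requestPath) {
    const sent = {};
    [...this.cookies.values()]
      .filter((c) => c.host === host && CookieJar.pathMatches(requestPath, c.path))
      .sort((a, b) => a.path.length - b.path.length)
      .forEach((c) => { sent[c.name] = c.value; });
    return sent;
  }
}

// Model of one application with its own session table (an assumption of this
// example). Tokens are predictable here only to keep the output readable.
class App {
  constructor(name, basePath, cookiePath) {
    this.name = name;
    this.basePath = basePath;
    this.cookiePath = cookiePath;
    this.sessions = new Map(); // "cfid:cftoken" -> user
    this.issued = 0;
  }

  // Assumption: every login issues a fresh identifier pair.
  login(jar, host, user) {
    this.issued += 1;
    const cfid = String(1000 + this.issued);
    const cftoken = `${this.name}-token-${this.issued}`;
    this.sessions.set(`${cfid}:${cftoken}`, user);
    jar.set(host, "CFID", cfid, this.cookiePath);
    jar.set(host, "CFTOKEN", cftoken, this.cookiePath);
  }

  // The app only recognises identifier pairs it issued itself.
  request(jar, host, page) {
    const sent = jar.cookiesFor(host, this.basePath + page);
    const user = this.sessions.get(`${sent.CFID}:${sent.CFTOKEN}`);
    return user ? `ok:${user}` : "session expired";
  }
}

// Replays the three steps from the report against the model.
function replayThreeSteps(scopeCookiesPerApp) {
  const host = "intranet.example"; // constructed host name
  const jar = new CookieJar();
  const app1 = new App("app1", "/app1", scopeCookiesPerApp ? "/app1" : "/");
  const app2 = new App("app2", "/app2", scopeCookiesPerApp ? "/app2" : "/");
  app1.login(jar, host, "user"); // 1) log in to app 1
  app2.login(jar, host, "user"); // 2) log in to app 2 in a second window
  return {
    app1: app1.request(jar, host, "/index.cfm"), // 3) go back to app 1
    app2: app2.request(jar, host, "/index.cfm"),
    cookiesStored: jar.cookies.size,
  };
}

console.log("Path=/ for both apps:", replayThreeSteps(false));
console.log("Path per app:", replayThreeSteps(true));
```
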



Re: One app kills another's session

2011-12-15 Thread Matt Quackenbush

Several (most? all?) post-CF9 hot fixes apply to CF8 as well. :-)


On Thu, Dec 15, 2011 at 3:37 PM, Bryan Stevenson <
br...@electricedgesystems.com> wrote:

>
> Thanks Pete,
>
> Same domain...yes...but you speak of a recent hotfix...well this is
> CF 8 ;-)
>
> Thankfully I have been told to shelve this issue for other major
> priorities, but thanks for the tips...I may need to come back to this at
> some point.
>
> Cheers
>
> On Thu, 2011-12-15 at 14:52 -0500, Pete Freitag wrote:
>
> > Bryan,
> >
> > Are these apps running on the same domain or different domains, if
> > they are on the same domain then you will need to specify the path in
> > your session cookies so they don't invalidate each other (this
> > relatively new behavior due to the session fixation security hotfix
> > APSB11-04 released in Feb).
> >
> > Also if you are experiencing a cookie problem on one browser but not
> > another make sure you have cleared cookies first.
> >
> > --
> > Pete Freitag - Adobe Community Professional
> > http://foundeo.com/ - ColdFusion Consulting & Products
> > http://petefreitag.com/ - My Blog
> > http://hackmycf.com - Is your ColdFusion Server Secure?
> >
> >
> >
> >
> > On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
> >  wrote:
> > >
> > > Hey All,
> > >
> > > Can't say that I've bumped into this before.
> > >
> > > 1) 2 apps are involved and both use SESSION vars to store user details
> > > once they login.
> > >
> > > 2) Both apps are set to setClientCookies in CFAPPLICATION
> > >
> > > 3) App 1 uses a standard login form where credentials are verified and
> > > the SESSION vars are set if successful
> > >
> > > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > > off the network and use that as part of the authentication process -
> > > when successful...SESSION vars are set as in app 1
> > >
> > > 5) Both apps have a different name in CFAPPLICATION ;-)
> > >
> > > 6) both apps reside on the same server running CF 8 against Oracle 10G
> > >
> > > Here's what happens on WinXP Pre SP 3 with IE 7:
> > >
> > > 1) Open new IE7 window and log in to app1
> > >
> > > 2) Open new IE7 window and log in to app 2
> > >
> > > 3) Go back to the browser with app 1 and try to navigate through app -
> > > get kicked to session expired screen
> > >
> > > This was tested by another user on XP with IE8 and the issue did not
> > > occur.
> > >
> > > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to
> > > check...any ideas?
> > >
> > > TIA
> > >
> > > Cheers
> > > --
> > >
> > >
> > > Bryan Stevenson B.Comm.
> > > VP & Director of E-Commerce Development
> > > Electric Edge Systems Group Inc.
> > > phone: 250.480.0642
> > > fax: 250.480.1264
> > > cell: 250.920.8830
> > > e-mail: br...@electricedgesystems.com
> > > web: www.electricedgesystems.com
> > >
> > > Notice:
> > > This message, including any attachments, is confidential and may contain
> > > information that is privileged or exempt from disclosure. It is intended
> > > only for the person to whom it is addressed unless expressly authorized
> > > otherwise by the sender. If you are not an authorized recipient, please
> > > notify the sender immediately and permanently destroy all copies of this
> > > message and attachments.
> > > Please consider the environment before printing this e-mail
> > >
> > >
> > >
> > >
> >
> >
>
> 



Re: One app kills another's session

2011-12-15 Thread Bryan Stevenson

Thanks Pete,

Same domain...yes...but you speak of a recent hotfix...well this is
CF 8 ;-)

Thankfully I have been told to shelve this issue for other major
priorities, but thanks for the tips...I may need to come back to this at
some point.

Cheers

On Thu, 2011-12-15 at 14:52 -0500, Pete Freitag wrote:

> Bryan,
> 
> Are these apps running on the same domain or different domains, if
> they are on the same domain then you will need to specify the path in
> your session cookies so they don't invalidate each other (this
> relatively new behavior due to the session fixation security hotfix
> APSB11-04 released in Feb).
> 
> Also if you are experiencing a cookie problem on one browser but not
> another make sure you have cleared cookies first.
> 
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
> 
> 
> 
> 
> On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
>  wrote:
> >
> > Hey All,
> >
> > Can't say that I've bumped into this before.
> >
> > 1) 2 apps are involved and both use SESSION vars to store user details
> > once they login.
> >
> > 2) Both apps are set to setClientCookies in CFAPPLICATION
> >
> > 3) App 1 uses a standard login form where credentials are verified and
> > the SESSION vars are set if successful
> >
> > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > off the network and use that as part of the authentication process -
> > when successful...SESSION vars are set as in app 1
> >
> > 5) Both apps have a different name in CFAPPLICATION ;-)
> >
> > 6) Both apps reside on the same server running CF 8 against Oracle 10G
> >
> > Here's what happens on WinXP Pre SP 3 with IE 7:
> > 
> > 1) Open new IE7 window and log in to app1
> >
> > 2) Open new IE7 window and log in to app 2
> >
> > 3) Go back to the browser with app 1 and try to navigate through app -
> > get kicked to session expired screen
> > 
> >
> > This was tested by another user on XP with IE8 and the issue did not
> > occur.
> >
> > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to
> > check...any ideas?
> >
> > TIA
> >
> > Cheers
> > --
> >
> >
> > Bryan Stevenson B.Comm.
> > VP & Director of E-Commerce Development
> > Electric Edge Systems Group Inc.
> > phone: 250.480.0642
> > fax: 250.480.1264
> > cell: 250.920.8830
> > e-mail: br...@electricedgesystems.com
> > web: www.electricedgesystems.com
> >
> > Notice:
> > This message, including any attachments, is confidential and may contain
> > information that is privileged or exempt from disclosure. It is intended
> > only for the person to whom it is addressed unless expressly authorized
> > otherwise by the sender. If you are not an authorized recipient, please
> > notify the sender immediately and permanently destroy all copies of this
> > message and attachments.
> > Please consider the environment before printing this e-mail
> >
> >
> >
> > 
> 
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349174


Re: One app kills another's session

2011-12-15 Thread Pete Freitag

Bryan,

Are these apps running on the same domain or different domains? If
they are on the same domain, then you will need to specify the path in
your session cookies so they don't invalidate each other (this is
relatively new behavior due to the session fixation security hotfix
APSB11-04 released in Feb).

Also if you are experiencing a cookie problem on one browser but not
another make sure you have cleared cookies first.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
 wrote:
>
> Hey All,
>
> Can't say that I've bumped into this before.
>
> 1) 2 apps are involved and both use SESSION vars to store user details
> once they log in.
>
> 2) Both apps are set to setClientCookies in CFAPPLICATION
>
> 3) App 1 uses a standard login form where credentials are verified and
> the SESSION vars are set if successful
>
> 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> off the network and use that as part of the authentication process -
> when successful...SESSION vars are set as in app 1
>
> 5) Both apps have a different name in CFAPPLICATION ;-)
>
> 6) Both apps reside on the same server running CF 8 against Oracle 10G
>
> Here's what happens on WinXP Pre SP 3 with IE 7:
> 
> 1) Open new IE7 window and log in to app1
>
> 2) Open new IE7 window and log in to app 2
>
> 3) Go back to the browser with app 1 and try to navigate through app -
> get kicked to session expired screen
> 
>
> This was tested by another user on XP with IE8 and the issue did not
> occur.
>
> So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to
> check...any ideas?
>
> TIA
>
> Cheers
> --
>
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> phone: 250.480.0642
> fax: 250.480.1264
> cell: 250.920.8830
> e-mail: br...@electricedgesystems.com
> web: www.electricedgesystems.com
>
>
>
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349171
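
The cookie-path advice in Pete's message, as an added example that is not part of the original thread: a small JavaScript model of how a browser stores and returns cookies (RFC 6265 path matching), replaying the three steps from the original report. The host name, the /app1 and /app2 paths, the cookie values and the assumption that both apps issue a CFID cookie with Path=/ are illustrative, not taken from the thread.

```javascript
// Minimal model of a browser cookie jar (RFC 6265 storage and path-match rules).
// Host name, paths and cookie values are constructed for illustration.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // A cookie with the same name, host and path replaces the stored one.
  set(host, { name, value, path }) {
    this.cookies.set(`${name}|${host}|${path}`, { name, value, host, path });
  }

  // RFC 6265 section 5.1.4: exact match, or cookie path is a prefix that
  // ends on a "/" boundary (so "/app1" does not match "/app10").
  static pathMatches(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // Cookies the browser attaches to a request, longest path first.
  cookiesFor(host, requestPath) {
    return [...this.cookies.values()]
      .filter(c => c.host === host && CookieJar.pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length);
  }
}

// Replay the report: log in to app 1, log in to app 2, go back to app 1.
// Returns the CFID value(s) app 1 receives on that last request.
function replay(app1CookiePath, app2CookiePath) {
  const jar = new CookieJar();
  const host = "intranet.example"; // assumed shared host for both apps
  jar.set(host, { name: "CFID", value: "app1-session", path: app1CookiePath });
  jar.set(host, { name: "CFID", value: "app2-session", path: app2CookiePath });
  return jar.cookiesFor(host, "/app1/index.cfm")
    .filter(c => c.name === "CFID")
    .map(c => c.value);
}

console.log("Path=/ for both apps:", replay("/", "/"));
console.log("Per-app cookie paths:", replay("/app1", "/app2"));
```

With Path=/ on both, the two apps share one cookie slot and app 1 is handed the identifier app 2 issued; with per-app paths each app only ever receives its own.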