Re: CF session management suddenly not sticking ...
I recently found the reason we were seeing two sets of cfid and cftoken cookies. We had code similar to this running:

    <cfif myvars.KillSessionOnClose and IsDefined("cookie.CFID")>
        <!--- re-issue CFID/CFTOKEN with no expires attribute so they become browser-session cookies --->
        <cfset variables.LocalCFID=cookie.CFID>
        <cfset variables.LocalCFToken=cookie.CFToken>
        <cfcookie name="CFID" value="#variables.LocalCFID#">
        <cfcookie name="CFToken" value="#variables.LocalCFToken#">
    </cfif>

Should be a familiar bit of code to everyone - it converts the browser cookies to session cookies so closing the browser kills the session.

Once I flipped the setting to shut this off I stopped seeing the second set of cfid/cftokens (If I had named the domain in the cfcookie statement this may also have served the same purpose). However, overall the 'rotating' sessions no longer seem to be occurring based on user reports etc. so this was causing no problems currently, and it certainly never caused problems for many years before the rollover described earlier in this thread.

On Wed, Mar 19, 2014 at 1:58 PM, Nick Gleason n.glea...@citysoft.com wrote:

> We finally resolved this issue. First, a big thanks as always to everyone who commented and helped us along on this thread. Second, here is the resolution.
>
> In our case, the problem was some enhanced security filters that we put in place recently. One of the scopes being scanned was the cookie scope. This was working for the most part but would result in these sporadic failures which were hard to pinpoint.
>
> The key clue was that we realized that the cookie.jsessionid was remaining persistent but the session.sessionid variable was not sticking - those two should be the same. Once we started focusing more on the cookies, we eventually realized what the problem was.
>
> This issue may not be applicable to others, but if your sessions are resetting with every request, you may want to take a closer look at your cookies and how they are tied to your sessionid.
>
> I still don't truly understand how a sessionid could change without a change to the underlying cookie, but that appears to be what happened.
>
> Nick

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358136
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
We finally resolved this issue. First, a big thanks as always to everyone who commented and helped us along on this thread. Second, here is the resolution.

In our case, the problem was some enhanced security filters that we put in place recently. One of the scopes being scanned was the cookie scope. This was working for the most part but would result in these sporadic failures which were hard to pinpoint.

The key clue was that we realized that the cookie.jsessionid was remaining persistent but the session.sessionid variable was not sticking - those two should be the same. Once we started focusing more on the cookies, we eventually realized what the problem was.

This issue may not be applicable to others, but if your sessions are resetting with every request, you may want to take a closer look at your cookies and how they are tied to your sessionid.

I still don't truly understand how a sessionid could change without a change to the underlying cookie, but that appears to be what happened.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358053
Re: CF session management suddenly not sticking ...
On Tue, Mar 11, 2014 at 11:52 AM, Dave Watts wrote:

> No, I think you should only have the one cookie for jsessionid. I'm not sure why you have the other two.

As you can imagine I did some reading on jsession vars after I opened up this thread. Look at the comparison table here: http://goo.gl/Hsxvaa also referenced in the table here http://goo.gl/GFJfx3

If you use one of the urltokens you are going to still see CFID and CFToken.

Sounds like Nick is describing my exact problem, inconsistencies and all. I frankly wound up throwing everything against the wall I could think of. Rolling the site back was not an option given SEO issues that had already gone into motion. I'm about to call the site functional based on a few days of solidity, at which point I'll begin removing a piece at a time to try and see when the behavior reverts again (which is maddeningly difficult given the inconsistent client behavior).

Steps taken:

- Adjusted the JVM to remove session fixation protection
- Switched on J2EE sessions
- For the area where session must be maintained, client.urltoken passed via the url (!)
- setdomaincookies=yes in cfapplication statement
- cookies wiped per code similar to the 3rd post in this thread, in OnRequestEnd.cfm. I'm going after (expires=now) domain cookies expressly in that code.

I am naturally not happy with the use of client.urltoken in the url but those pages are behind a form post.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357971
Re: CF session management suddenly not sticking ...
Hi there,

Thanks for your follow up post. It definitely seems that we have something similar going on. We have switched some features to be less dependent on sessions and more on other scopes. That has worked ok but longer term we want sessions to work consistently. It's been very difficult because it happens very sporadically.

I did see a post on an Adobe forum about a similar sounding issue (jsession sessionid restarting on each request) that suggested that IIS might be doing a per request re-direct of some kind. If I am recalling this correctly, the thread suggested clearing out old IIS ColdFusion Connectors as a solution. That was a pretty sparse description, so I can't say what the next step would be. If you, or anyone on this thread, can suggest how best to find and identify the IIS connectors, that would be great. We are using IIS 7.5.

Rolling back the session fixation fix did not make a difference for us. That makes sense in that this fix has been out for a year or so and these problems just started a few weeks ago.

We have been updating our security filters for XSS and other attacks and I am wondering if this could interfere with browser sessions in some way. But, that's a wild guess at this point until we do some more testing.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357981
Re: CF session management suddenly not sticking ...
Hi All,

I was just about to post on a very similar problem when I saw this thread. We've just had this come up in the last couple of weeks and it happens sporadically. A few quick points:

- the problem is that sessions restart with each request
- the problem happens sporadically
- the problem is solved temporarily by clearing browser cache - but it seems to come back
- we use j2ee sessions / jsessionid
- when it's happening, the jsessionid changes with every request (causing the sessionid to change)
- the cfid and cftoken have been persistent - the problem seems to be with the jsessionid changing
- we also dumped cookies and - here is the weird part - jsessionid in cookies persists. it does not change per request the way that it does.

We use 9.0.1 and it is fully patched. We also use IIS 7.5.

The biggest incongruity is that when the problem is happening, the jsessionid persists in cookies (and cookie scope) but not in the session scope. We thought that there was a tighter connection.

We have not tried to adjust the session fixation settings. That may be our next move.

We have also started to use trusted cache more extensively recently, but my sense is that is not involved here.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357914
Re: CF session management suddenly not sticking ...
> I was just about to post on a very similar problem when I saw this thread. We've just had this come up in the last couple of weeks and it happens sporadically. A few quick points:
>
> - the problem is that sessions restart with each request
> - the problem happens sporadically
> - the problem is solved temporarily by clearing browser cache - but it seems to come back
> - we use j2ee sessions / jsessionid
> - when it's happening, the jsessionid changes with every request (causing the sessionid to change)
> - the cfid and cftoken have been persistent - the problem seems to be with the jsessionid changing
> - we also dumped cookies and - here is the weird part - jsessionid in cookies persists. it does not change per request the way that it does.
>
> We use 9.0.1 and it is fully patched. We also use IIS 7.5.
>
> The biggest incongruity is that when the problem is happening, the jsessionid persists in cookies (and cookie scope) but not in the session scope. We thought that there was a tighter connection.
>
> We have not tried to adjust the session fixation settings. That may be our next move.

I'm confused. If you're using J2EE sessions, you shouldn't have cookies for CFID and CFTOKEN.

> We have also started to use trusted cache more extensively recently, but my sense is that is not involved here.

Your sense is correct - all this does is prevent CF from checking to see if files need to be recompiled.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357915
Re: CF session management suddenly not sticking ...
Hi Dave,

I may be getting a bit over my head here, but here is an example of what our session dump looks like:

    sessionid: 84303380daf164aedda3456e2d1856513d2e
    urltoken: CFID=83197727&CFTOKEN=9af68af80f73df3-F872B04C-CA42-C7AB-D8FB410E558AEEE5&jsessionid=84303380daf164aedda3456e2d1856513d2e

Then, in cookies, we have separate values for cfid, cftoken, and jsessionid. Does that make sense?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357916
Re: CF session management suddenly not sticking ...
> I may be getting a bit over my head here, but here is an example of what our session dump looks like:
>
>     sessionid: 84303380daf164aedda3456e2d1856513d2e
>     urltoken: CFID=83197727&CFTOKEN=9af68af80f73df3-F872B04C-CA42-C7AB-D8FB410E558AEEE5&jsessionid=84303380daf164aedda3456e2d1856513d2e
>
> Then, in cookies, we have separate values for cfid, cftoken, and jsessionid. Does that make sense?

No, I think you should only have the one cookie for jsessionid. I'm not sure why you have the other two. Either way, your server should only be using one or the other, but if you have multiple CF servers in the same domain, it's possible that one is using J2EE sessions while the other isn't.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357917
Re: CF session management suddenly not sticking ...
I recently tried switching to j2ee sessions and noticed the same thing, that cfid and cftoken were still being created as well. So it isn't a unique case.

On Tue, Mar 11, 2014 at 6:52 PM, Dave Watts dwa...@figleaf.com wrote:

> > I may be getting a bit over my head here, but here is an example of what our session dump looks like:
> >
> >     sessionid: 84303380daf164aedda3456e2d1856513d2e
> >     urltoken: CFID=83197727&CFTOKEN=9af68af80f73df3-F872B04C-CA42-C7AB-D8FB410E558AEEE5&jsessionid=84303380daf164aedda3456e2d1856513d2e
> >
> > Then, in cookies, we have separate values for cfid, cftoken, and jsessionid. Does that make sense?
>
> No, I think you should only have the one cookie for jsessionid. I'm not sure why you have the other two. Either way, your server should only be using one or the other, but if you have multiple CF servers in the same domain, it's possible that one is using J2EE sessions while the other isn't.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357919
Re: CF session management suddenly not sticking ...
Thanks Dave,

I'm not really the developer here but I think that we may have client variables enabled and my recollection was that client variables may require cfid and cftoken. It's been running pretty smoothly for a while until this very recent issue.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357918
Re: CF session management suddenly not sticking ...
> I'm not really the developer here but I think that we may have client variables enabled and my recollection was that client variables may require cfid and cftoken. It's been running pretty smoothly for a while until this very recent issue.

Yes, client variables do require CFID and CFTOKEN.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357920
Re: CF session management suddenly not sticking ...
Thanks Russ,

With client variables (we're phasing them out) in place as well as the more secure j2ee session variables, we seem to have all in use at the moment. But, I think that has been a pretty stable configuration for us for some time.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357921
Re: CF session management suddenly not sticking ...
One really interesting behavior here, which may point us in the direction of a better solution, is that when this problem with session.jsessionid happens (it resets every page request), cookie.jsessionid remains persistent. I don't know enough about the linkage there to know if that is expected behavior in any scenario.

I'll be researching this detail but if anyone else has expertise on the linkage between session.jsessionid and cookie.jsessionid, we're definitely interested.

Thanks for this very helpful thread.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357922
Re: CF session management suddenly not sticking ...
check that you do not have any cflocation tags which are using addtoken=yes (the default), this seems to be a fairly common cause of superfluous cfid and cftokens cookies being created.

As per other thread, try completely removing the cookies or use incognito mode to see if it persists, and try explicitly setting a domain cookie.

On Tue, Mar 11, 2014 at 8:47 PM, Nick Gleason n.glea...@citysoft.com wrote:

> One really interesting behavior here, which may point us in the direction of a better solution, is that when this problem with session.jsessionid happens (it resets every page request), cookie.jsessionid remains persistent. I don't know enough about the linkage there to know if that is expected behavior in any scenario.
>
> I'll be researching this detail but if anyone else has expertise on the linkage between session.jsessionid and cookie.jsessionid, we're definitely interested.
>
> Thanks for this very helpful thread.
>
> Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357923
Re: CF session management suddenly not sticking ...
I think it was pretty clear that code he listed was being used solely to diagnose a problem he was experiencing **on a production server** and from **multiple client computers**, and that wasn't necessarily reproducible on a development server. And I don't think the code was meant for permanent use. So I think your assumptions and gruffness were a bit off the mark.

-Carl V.

On 3/6/2014 7:35 PM, Andrew Scott wrote:

> If you are going to be dumping things out in production, for the world to see, I would stop that habit. The last thing you want to do is annoy your clients / visitors with this stuff. People are not forgiving when they see these things on the screen, personally if you have to do this, for god sake lock this output down to your development IP address.
>
> Really Why do people insist on making changes directly on a production server... Seriously bad practice.
>
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357876
Re: CF session management suddenly not sticking ...
> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm. What could cause this? Underlying CF code from the current site has barely changed.

The problem, I think, is related to changes in session management in recent releases of CF to prevent session fixation vulnerabilities, etc. You might have CFID/CFTOKEN cookies that have different domain attributes, and CF is looking at the wrong ones, if I recall correctly. Here's a workflow description from a guy who's smarter than me:

- go to a site that uses restricted cookies:
  - a cookie gets created (e.g. only valid for the path /admin);
- visit a page on the same domain, but outside the restriction:
  - browser doesn't send cookie;
  - a new cookie gets created (valid for /);
- go back to the restricted area:
  - browser sends both cookies.

The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357877
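The workflow described in the message above, replayed as an added example that is not part of the original thread: a small Python model of browser cookie scoping (domain and path matching as in RFC 6265), plus a check that flags a Cookie header carrying the same session identifier more than once. The host name www.example.test and all cookie values are constructed for illustration.

```python
from dataclasses import dataclass

# Session identifiers discussed in the thread.
SESSION_COOKIE_NAMES = ("CFID", "CFTOKEN", "JSESSIONID")


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    host_only: bool = True  # True when Set-Cookie carried no Domain attribute


def domain_match(host, cookie):
    """Host-only cookies need an exact host; domain cookies also match subdomains."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Minimal browser jar: a cookie is identified by (name, domain, path)."""

    def __init__(self):
        self._store = {}  # dict order doubles as creation order

    def set(self, cookie):
        self._store[(cookie.name, cookie.domain, cookie.path)] = cookie

    def header_for(self, host, path):
        sent = [c for c in self._store.values()
                if domain_match(host, c) and path_match(path, c.path)]
        # Longer paths first; the stable sort keeps creation order on ties.
        sent.sort(key=lambda c: -len(c.path))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def duplicate_session_cookies(cookie_header):
    """Return {NAME: [values]} for session cookies present more than once."""
    seen = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.upper() in SESSION_COOKIE_NAMES:
            seen.setdefault(name.upper(), []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def replay_path_workflow(host="www.example.test"):
    """The three steps from the message: restricted path, outside it, back again."""
    jar = CookieJar()
    # 1. The restricted area sets a cookie that is only valid for /admin.
    jar.set(Cookie("CFID", "1001", host, "/admin"))
    # 2. Outside the restriction the browser sends nothing, so the server
    #    issues a fresh identifier valid for /.
    outside = jar.header_for(host, "/index.cfm")
    if "CFID=" not in outside:
        jar.set(Cookie("CFID", "2002", host, "/"))
    # 3. Back in the restricted area both cookies match and both are sent.
    inside = jar.header_for(host, "/admin/index.cfm")
    return outside, inside


def replay_domain_variant():
    """Same effect with different domain attributes (host-only vs. domain cookie)."""
    jar = CookieJar()
    jar.set(Cookie("CFTOKEN", "aaaa", "www.example.test"))
    jar.set(Cookie("CFTOKEN", "bbbb", "example.test", host_only=False))
    return jar.header_for("www.example.test", "/index.cfm")


if __name__ == "__main__":
    outside, inside = replay_path_workflow()
    print("outside /admin:", repr(outside))
    print("inside  /admin:", inside, duplicate_session_cookies(inside))
    variant = replay_domain_variant()
    print("domain variant:", variant, duplicate_session_cookies(variant))
```

Running duplicate_session_cookies over the Cookie request headers in a web server log is a quick way to confirm whether affected clients are sending two identifiers before changing any session settings.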
Re: CF session management suddenly not sticking ...
+1 for J2EE sessions.

-Carl V.

On 3/7/2014 9:20 AM, Dave Watts wrote:

> The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357878
Re: CF session management suddenly not sticking ...
On Thu, Mar 6, 2014 at 5:22 PM, Russ Michaels r...@michaels.me.uk wrote:

> see if there are multiple cfid/cftoken cookies set. if so, that is likely the issues, and deleting all cookies should solve it.
> in your cflocation tags you need to use addtoken=no otherwise this can cause problems

Yeah, What Russ said. Had the exact same thing happen to me. You would login fine and as soon as you clicked a link or submitted a form it would boot you out.

One tip, on IE 10 or 11 (I forget). You will need to delete the cookies manually and not using the delete button in the Browser History dialog. At least I had to. Deleting cookies using the Browser history dialog did not fix the problem in my case.

Tools > Internet Options > General > Settings (under Browser history) > View files and delete them there. I just deleted everything in that folder.

HTH

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357880
Re: CF session management suddenly not sticking ...
> The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

I'm having almost the exact same problem. My login system had been working perfectly (CF8) until we moved everything to a new server with CF10 on it. Now, Chrome will log you out as fast as you can log in. The only exception is if I set - addtoken=yes to the URLs. The second it hits a URL without the token, you're out. Not good.

    <cfapplication name="SiteADMIN"
        clientmanagement="yes"
        sessionmanagement="yes"
        setdomaincookies="yes"
        sessiontimeout="#CreateTimeSpan(0,8,00,0)#"
        applicationtimeout="#CreateTimeSpan(0,8,00,0)#"
        clientstorage="cookie">

    <!--- Define that this user is logged out by default --->
    <CFPARAM NAME="session.isADMIN" DEFAULT="false">

    <!--- Define this user id to zero by default --->
    <CFPARAM NAME="session.thisUSER" DEFAULT="0">

So considering the above - what, in theory, would be the exact consequences in switching to J2EE sessions? I don't think there would be that much code that would need to be changed. I'm simply checking that session.isADMIN is true in my application file.

I admittedly don't have a super-technical understanding of exactly how things have changed between CF8 and CF10.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357881
Re: CF session management suddenly not sticking ...
try this http://www.petefreitag.com/item/815.cfm

On Fri, Mar 7, 2014 at 6:34 PM, Gerald Guido gerald.gu...@gmail.com wrote:

> On Thu, Mar 6, 2014 at 5:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>
> > see if there are multiple cfid/cftoken cookies set. if so, that is likely the issues, and deleting all cookies should solve it.
> > in your cflocation tags you need to use addtoken=no otherwise this can cause problems
>
> Yeah, What Russ said. Had the exact same thing happen to me. You would login fine and as soon as you clicked a link or submitted a form it would boot you out.
>
> One tip, on IE 10 or 11 (I forget). You will need to delete the cookies manually and not using the delete button in the Browser History dialog. At least I had to. Deleting cookies using the Browser history dialog did not fix the problem in my case.
>
> Tools > Internet Options > General > Settings (under Browser history) > View files and delete them there. I just deleted everything in that folder.
>
> HTH
>
> G!
>
> --
> Gerald Guido

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357882
RE: CF session management suddenly not sticking ...
Any chance you are using Chrome in Incognito mode? Maybe it's just dropping the cookies as fast as you assign them. Or maybe you have an add on that is killing cookies.

Steve

-Original Message-
From: Les Mizzell [mailto:lesm...@bellsouth.net]
Sent: Friday, March 07, 2014 1:46 PM
To: cf-talk
Subject: Re: CF session management suddenly not sticking ...

> The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

I'm having almost the exact same problem. My login system had been working perfectly (CF8) until we moved everything to a new server with CF10 on it. Now, Chrome will log you out as fast as you can log in. The only exception is if I set - addtoken=yes to the URLs. The second it hits a URL without the token, you're out. Not good.

    <cfapplication name="SiteADMIN"
        clientmanagement="yes"
        sessionmanagement="yes"
        setdomaincookies="yes"
        sessiontimeout="#CreateTimeSpan(0,8,00,0)#"
        applicationtimeout="#CreateTimeSpan(0,8,00,0)#"
        clientstorage="cookie">

    <!--- Define that this user is logged out by default --->
    <CFPARAM NAME="session.isADMIN" DEFAULT="false">

    <!--- Define this user id to zero by default --->
    <CFPARAM NAME="session.thisUSER" DEFAULT="0">

So considering the above - what, in theory, would be the exact consequences in switching to J2EE sessions? I don't think there would be that much code that would need to be changed. I'm simply checking that session.isADMIN is true in my application file.

I admittedly don't have a super-technical understanding of exactly how things have changed between CF8 and CF10.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357883
Re: CF session management suddenly not sticking ...
IIRC, unless you explicitly access CFID/CFTOKEN in your code, there shouldn't be any issues.

-Carl V.

On 3/7/2014 10:45 AM, Les Mizzell wrote:

> So considering the above - what, in theory, would be the exact consequences in switching to J2EE sessions? I don't think there would be that much code that would need to be changed. I'm simply checking that session.isADMIN is true in my application file.
>
> I admittedly don't have a super-technical understanding of exactly how things have changed between CF8 and CF10.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357884
Re: CF session management suddenly not sticking ...
> So considering the above - what, in theory, would be the exact consequences in switching to J2EE sessions? I don't think there would be that much code that would need to be changed. I'm simply checking that session.isADMIN is true in my application file.
>
> I admittedly don't have a super-technical understanding of exactly how things have changed between CF8 and CF10.

If you're not directly referencing CFID and CFTOKEN in your code, and you're not relying on the default persistence of CF session cookies, you should be able to just enable that option.

By the default persistence of CF session cookies, I mean that CF's session cookies by default don't get deleted when the browser is closed. J2EE session cookies do. So, if a user logs into your app, closes the browser, then opens it back up, the user will have to log in again if you're using J2EE sessions even if the session would not have expired otherwise.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357885
Re: CF session management suddenly not sticking ...
I forgot about the persistence issue. Personally, I consider the lack of session persistence to be a security benefit. But not everyone will agree.

-Carl V.

On 3/7/2014 11:17 AM, Dave Watts wrote:
> If you're not directly referencing CFID and CFTOKEN in your code, and you're not relying on the default persistence of CF session cookies, you should be able to just enable that option.
>
> By the default persistence of CF session cookies, I mean that CF's session cookies by default don't get deleted when the browser is closed. J2EE session cookies do. So, if a user logs into your app, closes the browser, then opens it back up, the user will have to log in again if you're using J2EE sessions even if the session would not have expired otherwise.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357886
Re: CF session management suddenly not sticking ...
> I think it was pretty clear that code he listed was being used solely to diagnose a problem

Precisely. It's the production environment but not the production site. I'm testing with some old in-office desktops that mimic the problem reported to us by users when this site was live for roughly 24 hrs before I pulled it.

> The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

Seeing as my efforts on this seem to be going nowhere (old browsers will occasionally start working but always revert after a TBD period of inactivity) that sounds like good advice. Working on that now. And it's all happening on a CF-based site that has been humming along in its present form since 2006... all we did was make it prettier... re-skinned it with a different front end. And it still works fine for the majority of visitors.

> Any chance you are using Chrome in Incognito mode?

Nope. The only place I can replicate the issue is on IE8 running on XP.

> Or maybe you have an add on that is killing cookies.

That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches.

On Fri, Mar 7, 2014 at 11:44 AM, Carl Von Stetten vonner.li...@vonner.net wrote:
> I forgot about the persistence issue. Personally, I consider the lack of session persistence to be a security benefit. But not everyone will agree.
>
> -Carl V.
>
> On 3/7/2014 11:17 AM, Dave Watts wrote:
>> If you're not directly referencing CFID and CFTOKEN in your code, and you're not relying on the default persistence of CF session cookies, you should be able to just enable that option.
>>
>> By the default persistence of CF session cookies, I mean that CF's session cookies by default don't get deleted when the browser is closed. J2EE session cookies do. So, if a user logs into your app, closes the browser, then opens it back up, the user will have to log in again if you're using J2EE sessions even if the session would not have expired otherwise.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357887
Re: CF session management suddenly not sticking ...
I think by add on he might have been referring to a browser add-on or plugin that the users have installed into Internet Explorer.

-Carl V.

>> Or maybe you have an add on that is killing cookies.
>
> That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357888
Re: CF session management suddenly not sticking ...
I was thinking html code but yes that's a possibility as well. However a) my test units are plain vanilla XP/IE8 wkstns and b) the CF code in question has been running fine for years on these same desktops. We use the web site in-house on a daily basis.

Worth noting: The demo code you were seeing was on a 'new.' subdomain. But the problem evidenced itself on the 'www.'... We just moved it offline to the 'new.' subdomain when the problem and its severity was identified.

On Fri, Mar 7, 2014 at 12:43 PM, Carl Von Stetten vonner.li...@vonner.net wrote:
> I think by add on he might have been referring to a browser add-on or plugin that the users have installed into Internet Explorer.
>
> -Carl V.
>
>>> Or maybe you have an add on that is killing cookies.
>>
>> That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357890
Re: CF session management suddenly not sticking ...
Are you sure no cfpatches have been installed, specifically the one in the link I sent earlier? Often people are adamant when they say no only to find someone else did it.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 7 Mar 2014 21:03, Money Pit websitema...@gmail.com wrote:
> I was thinking html code but yes that's a possibility as well. However a) my test units are plain vanilla XP/IE8 wkstns and b) the CF code in question has been running fine for years on these same desktops. We use the web site in-house on a daily basis.
>
> Worth noting: The demo code you were seeing was on a 'new.' subdomain. But the problem evidenced itself on the 'www.'... We just moved it offline to the 'new.' subdomain when the problem and its severity was identified.
>
> On Fri, Mar 7, 2014 at 12:43 PM, Carl Von Stetten vonner.li...@vonner.net wrote:
>> I think by add on he might have been referring to a browser add-on or plugin that the users have installed into Internet Explorer.
>>
>> -Carl V.
>>
>>>> Or maybe you have an add on that is killing cookies.
>>>
>>> That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357891
Re: CF session management suddenly not sticking ...
> Are you sure no cfpatches have been installed, specifically the one in the link I sent earlier.

Well earlier I said ...it is CF9 with all patches. But I should have said it is *9.01* with all patches. So yes APSB11-04 was definitely one of them. I subscribe to Foundeo's monthly (?) security probe and double checked.

--M@--

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357892
Re: CF session management suddenly not sticking ...
Speaking of that linked article, I disabled the session fixation patch via Pete's instructions (-Dcoldfusion.session.protectfixation=false in the JVM) and so far I've got proper functionality. I've had inconsistent results before this so I'm not declaring temporary victory just yet but this is promising.

Even if this is the solution I need to move to J2EE sessions methinks.

--M@--

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357893
Re: CF session management suddenly not sticking ...
Check the cookies that have been set in the browser, there are addons that will show you this. See if there are multiple cfid/cftoken cookies set. If so, that is likely the issue, and deleting all cookies should solve it.

On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
> New site version running at http://new.lelandwest.com
>
> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>
> What could cause this? Underlying CF code from the current site has barely changed.
>
> --
> --m@Robertson--
> Janitor, The Robertson Team
> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357869
Re: CF session management suddenly not sticking ...
Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. Never seen anything like this... I usually don't mess with cookies.

    <cfif not isdefined("cookie.cReset")>
        <cfloop item="name" collection="#cookie#">
            <cfcookie name="#name#" value="" expires="now">
        </cfloop>
        <cfcookie name="cReset" value="1">
        <cflocation url="#variables.CleanURL#" addtoken="No">
    </cfif>

On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
> Check the cookies that have been set in the browser, there are addons that will show you this. See if there are multiple cfid/cftoken cookies set. If so, that is likely the issue, and deleting all cookies should solve it.
>
> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>> New site version running at http://new.lelandwest.com
>>
>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>
>> What could cause this? Underlying CF code from the current site has barely changed.
>>
>> --
>> --m@Robertson--
>> Janitor, The Robertson Team
>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357870
Re: CF session management suddenly not sticking ...
So if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2?

On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:
> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. Never seen anything like this... I usually don't mess with cookies.
>
>     <cfif not isdefined("cookie.cReset")>
>         <cfloop item="name" collection="#cookie#">
>             <cfcookie name="#name#" value="" expires="now">
>         </cfloop>
>         <cfcookie name="cReset" value="1">
>         <cflocation url="#variables.CleanURL#" addtoken="No">
>     </cfif>
>
> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>> Check the cookies that have been set in the browser, there are addons that will show you this. See if there are multiple cfid/cftoken cookies set. If so, that is likely the issue, and deleting all cookies should solve it.
>>
>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>> New site version running at http://new.lelandwest.com
>>>
>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>
>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>
>>> --
>>> --m@Robertson--
>>> Janitor, The Robertson Team
>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357871
Re: CF session management suddenly not sticking ...
Nope I was down to one pair, and it was the pair just generated via the cflocation. The code was doing its job.

Another repeatable mystery: If I turn down IE8's security from the default of Medium-High to Medium it will always fix the problem. Same as with Private Browsing.

On Thu, Mar 6, 2014 at 4:19 PM, Russ Michaels r...@michaels.me.uk wrote:
> So if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2?
>
> On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:
>> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. Never seen anything like this... I usually don't mess with cookies.
>>
>>     <cfif not isdefined("cookie.cReset")>
>>         <cfloop item="name" collection="#cookie#">
>>             <cfcookie name="#name#" value="" expires="now">
>>         </cfloop>
>>         <cfcookie name="cReset" value="1">
>>         <cflocation url="#variables.CleanURL#" addtoken="No">
>>     </cfif>
>>
>> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>>> Check the cookies that have been set in the browser, there are addons that will show you this. See if there are multiple cfid/cftoken cookies set. If so, that is likely the issue, and deleting all cookies should solve it.
>>>
>>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>>> New site version running at http://new.lelandwest.com
>>>>
>>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>>
>>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>>
>>>> --
>>>> --m@Robertson--
>>>> Janitor, The Robertson Team
>>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357872
Re: CF session management suddenly not sticking ...
In your cflocation tags you need to use addtoken=no, otherwise this can cause problems.

The IE security setting may be down to the cookie acceptance policy. I don't know why that would make a difference, but worth comparing the 2 settings to see how it differs.

On Fri, Mar 7, 2014 at 12:50 AM, Money Pit websitema...@gmail.com wrote:
> Nope I was down to one pair, and it was the pair just generated via the cflocation. The code was doing its job.
>
> Another repeatable mystery: If I turn down IE8's security from the default of Medium-High to Medium it will always fix the problem. Same as with Private Browsing.
>
> On Thu, Mar 6, 2014 at 4:19 PM, Russ Michaels r...@michaels.me.uk wrote:
>> So if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2?
>>
>> On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:
>>> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. Never seen anything like this... I usually don't mess with cookies.
>>>
>>>     <cfif not isdefined("cookie.cReset")>
>>>         <cfloop item="name" collection="#cookie#">
>>>             <cfcookie name="#name#" value="" expires="now">
>>>         </cfloop>
>>>         <cfcookie name="cReset" value="1">
>>>         <cflocation url="#variables.CleanURL#" addtoken="No">
>>>     </cfif>
>>>
>>> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>>>> Check the cookies that have been set in the browser, there are addons that will show you this. See if there are multiple cfid/cftoken cookies set. If so, that is likely the issue, and deleting all cookies should solve it.
>>>>
>>>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>>>> New site version running at http://new.lelandwest.com
>>>>>
>>>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>>>
>>>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>>>
>>>>> --
>>>>> --m@Robertson--
>>>>> Janitor, The Robertson Team
>>>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357873
Re: CF session management suddenly not sticking ...
Yup I'm doing that. Put together a test page so as to take all of my code out of the picture... although that back end has been fine for years... The redesign was just a re-skin. But to be thorough I made this:

    <cfapplication name="test_0915"
        sessionmanagement="Yes"
        clientmanagement="Yes"
        sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
        applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
        setclientcookies="Yes"
        setdomaincookies="No">
    <cfif isdefined("url.cReset")>
        <cfloop item="name" collection="#cookie#">
            <cfcookie name="#name#" value="" expires="now">
        </cfloop>
    </cfif>
    <html><head><title>new.lelandwest.com/test/hello.cfm</title></head><body>
    <cfoutput>
    <p>#now()#</p>
    <a href="#cgi.script_name#?creset=1">Clear cookie scope reload page</a>
    <p>
    client:<br>#client.CFID# #client.cftoken#<br>
    <cflock scope="SESSION" type="readonly" timeout="10">
    session:<br>#session.CFID# #session.cftoken#<br>
    </cflock>
    cookie:<br>#cookie.CFID# #cookie.cftoken#
    </cfoutput>
    </p>
    <cfdump var="#cookie#">
    </body></html>

From the above I have learned that no matter what cfdump gives me two cfid's and two cftokens, but only for the old workstations running XP/IE8. Don't have good diagnostics installed yet to see complete cookie data.

After some tinkering (i.e. getting desperate) I put in the setclientcookies and setdomaincookies entries and things now seem to be working across all test machines (4 of them). But I have had this turn around on me before so I'll revisit tomorrow when I get back in. :-|

Thanks for your help!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357874
Re: CF session management suddenly not sticking ...
If you are going to be dumping things out in production, for the world to see, I would stop that habit. The last thing you want to do is annoy your clients / visitors with this stuff. People are not forgiving when they see these things on the screen. Personally, if you have to do this, for god sake lock this output down to your development IP address.

Really, why do people insist on making changes directly on a production server... Seriously bad practice.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 7, 2014 at 12:56 PM, Money Pit websitema...@gmail.com wrote:
> Yup I'm doing that. Put together a test page so as to take all of my code out of the picture... although that back end has been fine for years... The redesign was just a re-skin. But to be thorough I made this:
>
>     <cfapplication name="test_0915"
>         sessionmanagement="Yes"
>         clientmanagement="Yes"
>         sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
>         applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
>         setclientcookies="Yes"
>         setdomaincookies="No">
>     <cfif isdefined("url.cReset")>
>         <cfloop item="name" collection="#cookie#">
>             <cfcookie name="#name#" value="" expires="now">
>         </cfloop>
>     </cfif>
>     <html><head><title>new.lelandwest.com/test/hello.cfm</title></head><body>
>     <cfoutput>
>     <p>#now()#</p>
>     <a href="#cgi.script_name#?creset=1">Clear cookie scope reload page</a>
>     <p>
>     client:<br>#client.CFID# #client.cftoken#<br>
>     <cflock scope="SESSION" type="readonly" timeout="10">
>     session:<br>#session.CFID# #session.cftoken#<br>
>     </cflock>
>     cookie:<br>#cookie.CFID# #cookie.cftoken#
>     </cfoutput>
>     </p>
>     <cfdump var="#cookie#">
>     </body></html>
>
> From the above I have learned that no matter what cfdump gives me two cfid's and two cftokens, but only for the old workstations running XP/IE8. Don't have good diagnostics installed yet to see complete cookie data.
>
> After some tinkering (i.e. getting desperate) I put in the setclientcookies and setdomaincookies entries and things now seem to be working across all test machines (4 of them). But I have had this turn around on me before so I'll revisit tomorrow when I get back in. :-|
>
> Thanks for your help!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357875
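A locked-down take on the diagnostic page discussed above, as an added example that is not code from any poster in the thread: it answers only to allow-listed addresses and counts how often each cookie name appears in the raw Cookie header, without printing CFID/CFTOKEN values. The addresses and the log file name `cookie_diag` are placeholders, and session management is assumed to be enabled by the surrounding application.

```cfml
<!--- Added example, not code from the thread. Placeholders: the allow-listed
      addresses and the log file name. Assumes session management is enabled. --->
<cfset allowedAddrs = "127.0.0.1,192.0.2.10">

<!--- Gate first: any other client gets a bare 404 and no diagnostics.
      Behind a proxy or load balancer cgi.remote_addr is the proxy's address,
      so this check only works where the server sees the real client IP. --->
<cfif NOT ListFind(allowedAddrs, cgi.remote_addr)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Read the raw Cookie header so every name=value pair the browser sent
      is counted, including names that were sent more than once. --->
<cfset reqData = GetHttpRequestData()>
<cfset rawCookie = "">
<cfif StructKeyExists(reqData.headers, "Cookie")>
    <cfset rawCookie = reqData.headers["Cookie"]>
</cfif>

<cfset counts = StructNew()>
<cfset duplicates = "">
<cfloop list="#rawCookie#" index="pair" delimiters=";">
    <cfset pair = Trim(pair)>
    <cfset eqPos = Find("=", pair)>
    <cfif eqPos GT 1>
        <!--- Upper-case the name: the CF cookie scope is case-insensitive. --->
        <cfset cname = UCase(Trim(Left(pair, eqPos - 1)))>
        <cfif StructKeyExists(counts, cname)>
            <cfset counts[cname] = counts[cname] + 1>
            <cfif NOT ListFind(duplicates, cname)>
                <cfset duplicates = ListAppend(duplicates, cname)>
            </cfif>
        <cfelse>
            <cfset counts[cname] = 1>
        </cfif>
    </cfif>
</cfloop>

<!--- Compare session and cookie identifiers without revealing either. --->
<cfset idsMatch = "n/a">
<cflock scope="session" type="readonly" timeout="10">
    <cfif StructKeyExists(session, "CFID") AND StructKeyExists(session, "CFTOKEN")
          AND StructKeyExists(cookie, "CFID") AND StructKeyExists(cookie, "CFTOKEN")>
        <cfset idsMatch = YesNoFormat(session.CFID EQ cookie.CFID AND session.CFTOKEN EQ cookie.CFTOKEN)>
    </cfif>
</cflock>

<cfif Len(duplicates)>
    <cflog file="cookie_diag" type="warning"
           text="Duplicate cookie names from #cgi.remote_addr#: #duplicates#">
</cfif>

<cfoutput>
<p>Session CFID/CFTOKEN match the cookie scope: #idsMatch#</p>
<table border="1">
<tr><th>Cookie name</th><th>Times sent</th></tr>
<cfloop collection="#counts#" item="cname">
    <tr>
        <td>#HTMLEditFormat(cname)#</td>
        <td>#counts[cname]#<cfif counts[cname] GT 1> (sent more than once: set under more than one domain or path)</cfif></td>
    </tr>
</cfloop>
</table>
</cfoutput>
```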