ColdFusion Talk (CF-Talk)
Sessions failing due to multiple CFID / CFTOKEN cookies
We're encountering the following issue with some percentage of IE users (definitely but not necessarily limited to IE8 8.0.7601.17514 & Windows 7). Basically their SESSION is failing the same way it might if their cookies were disabled; however, we are able to set cookies manually using CFCOOKIE. After running several tests, we found that the users' request headers include 2 CFID and CFTOKEN cookies.

It seems like ColdFusion writes both into the COOKIE scope, then can't translate them into the SESSION so creates a new (third) CFID and CFTOKEN pair, then overwrites the value of both in the COOKIE scope.

CGI.HTTP_COOKIES
------------------------------
CFID=19602005; CFTOKEN=13461642; (other cookies removed); CFID=20907643; CFTOKEN=42056124; (other cookies removed);

COOKIES
------------------------------
struct
CFID      20907644
CFID      20907644
CFTOKEN   22098534
CFTOKEN   22098534

SESSION
------------------------------
struct
cfid      20907644
cftoken   22098534
sessionid APPNAME_20907644_22098534
urltoken  CFID=20907644&CFTOKEN=22098534

Anybody know what could be going on here?

Thanks in advance!

Dave Watts 08/11/11 07:44 A

----- Excess quoted text cut - see Original Post for more -----

Do you have more than one CF server within your domain? If so, are you setting domain-wide cookies on either server?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Richard Steele 08/11/11 10:25 A

We have one server running ColdFusion 8 Enterprise. It has two applications with each application having two load balanced instances. Both applications are called within one website.

Dave Watts 09/12/11 12:34 P

> We have one server running ColdFusion 8 Enterprise. It has two applications with each application having two load balanced instances. Both
> applications are called within one website.

OK, in your application are you using the setDomainCookies attribute in CFAPPLICATION/Application.cfc?

Dave Watts, CTO, Fig Leaf Software

Richard Steele 08/11/11 12:08 P

Should we be using jsessionids instead? Are there any problems in switching to them? Thanks so much.

Dave Watts 09/12/11 12:36 P

> Should we be using jsessionids instead? Are there any problems in switching to them? Thanks so much.

Generally, I prefer using JSESSIONIDs. But if you have any explicit references to CFID and CFTOKEN in your code, those would have to change appropriately. Also, JSESSIONID is destroyed when the user closes the browser - CFID and CFTOKEN are not, by default.

Dave Watts, CTO, Fig Leaf Software

Russ Michaels 09/12/11 12:50 P

I believe setting the useUUID setting in the cfadmin can help with such issues. If I recall correctly, this also avoids the use of CFID and CFTOKEN, and uses an alternate variable instead, CFMAGIC or something? It's been a while since I looked at this, as I have used UUID as default for years now, so I might be completely wrong and I'm sure Dave will correct me if I am.

I wasn't aware that JSESSIONID is browser session based, which is interesting to know, but you can get around that by generating the cookie yourself and giving it an expiry date.

----- Excess quoted text cut - see Original Post for more -----

Dave Watts 09/12/11 01:42 P

> I believe setting the useUUID setting in the cfadmin can help with
> such issues. If I recall correctly, this also avoids the use of CFID
> and CFTOKEN, and uses an alternate variable instead, CFMAGIC or
> something? It's been a while since I looked at this, as I have used UUID as
> default for years now, so I might be completely wrong and I'm sure Dave
> will correct me if I am.

I think this just uses a UUID for CFTOKEN, actually.

Dave Watts, CTO, Fig Leaf Software

Russ Michaels 09/12/11 03:58 P

So what's this cfmagic var I'm remembering?

Regards
Russ Michaels
From my mobile

On 12 Sep 2011 18:42, "Dave Watts" <dwatts@figleaf.com> wrote:

----- Excess quoted text cut - see Original Post for more -----

Judah McAuley 09/12/11 04:00 P

Are you maybe thinking about the setting that says use J2EE sessions and changes the CFID and CFTOKEN combo to a jsessionid token?

Judah

----- Excess quoted text cut - see Original Post for more -----

Michael Grant 09/12/11 04:32 P

Perhaps try asking David Blaine?

----- Excess quoted text cut - see Original Post for more -----

Russ Michaels 09/12/11 04:40 P

Ah, I remember now. CFMAGIC is only set if you have setDomainCookies set to true in your CFAPPLICATION tag. It's there to allow you to have multiple domains read the same cookies to tie together a session across them.

----- Excess quoted text cut - see Original Post for more -----

James Skemp 09/12/11 10:02 A

Richard, did you ever get this resolved?

We've begun experiencing the very same issue on our end (IE 8 on Win7).

We're using one domain-level cookie on our site, but ColdFusion cookies are set specific to the sub-domain. We also only have one Web site on the server using CF.

Clearing cookies works for some users, while others run into the issue again after some amount of time, after clearing their cookies.

James

> We're encountering the following issue with some percentage of IE
> users (definitely but not necessarily limited to IE8 8.0.7601.17514 &
> Windows 7). Basically their SESSION is failing the same way it might
> if their cookies were disabled; however, we are able to set cookies
> manually using CFCOOKIE. After running several tests, we found that
> the users' request headers include 2 CFID and CFTOKEN cookies. [...]

Clark Baker 02/22/12 06:29 P

Richard or James,

Was the cause of this issue ever determined for either of you? We're having the same issue with a small percentage of users. We're detecting the double CFID entry in cgi.http_cookie and running a JavaScript to clear all our domain's cookies when we find the double CFID. We also set a tracking cookie so we don't try to clear that user's cookies again in case the double CFID doesn't go away.

I believe that CF is setting a CFID and CFTOKEN for both www.domain.com and .domain.com and maybe that's why it's getting confused. However, this is just dealing with the issue, not correcting it. Any info from your end would be appreciated.

Thanks
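
The workaround described in the last message (spot a doubled CFID in the Cookie header, expire the session cookies at both the host and the parent-domain scope, and set a tracking cookie so the cleanup is attempted only once), sketched as an added example that is not code from the thread. It expires only CFID and CFTOKEN rather than every cookie; the guard cookie name DUPFIX_TRIED, the path "/" and all function names are assumptions.

```javascript
// Cookie header from the original post, "(other cookies removed)" dropped.
const SAMPLE_HEADER =
  "CFID=19602005; CFTOKEN=13461642; CFID=20907643; CFTOKEN=42056124";

// Parse a raw Cookie header (CGI.HTTP_COOKIE) into name -> [values], keeping
// every occurrence. Names are upper-cased: CF's COOKIE scope ignores case.
function parseCookieHeader(header) {
  const seen = new Map();
  for (const part of header.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = (eq === -1 ? pair : pair.slice(0, eq)).trim().toUpperCase();
    const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return seen;
}

// Session cookie names that arrive more than once in the header.
function duplicatedSessionCookies(header, names = ["CFID", "CFTOKEN"]) {
  const cookies = parseCookieHeader(header);
  return names.filter((n) => (cookies.get(n) || []).length > 1);
}

// document.cookie assignments that expire `name` at the host-only scope
// and at each parent-domain scope of `hostname` (path "/" is assumed).
function expiryAssignments(name, hostname) {
  const expired = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  const out = [expired]; // host-only cookie: no domain attribute
  const labels = hostname.split(".");
  // Stop before the last label; browsers reject a bare TLD as a domain.
  for (let i = 0; i < labels.length - 1; i++) {
    out.push(`${expired}; domain=.${labels.slice(i).join(".")}`);
  }
  return out;
}

// One cleanup attempt per browser: if the guard cookie (hypothetical name)
// is already present, return nothing so a persistent duplicate cannot loop.
function planCleanup(header, hostname, guard = "DUPFIX_TRIED") {
  const dups = duplicatedSessionCookies(header);
  const tried = parseCookieHeader(header).has(guard.toUpperCase());
  if (tried || dups.length === 0) return [];
  const plan = dups.flatMap((n) => expiryAssignments(n, hostname));
  return [...plan, `${guard}=1; path=/`];
}
```

Each returned string is meant to be assigned to `document.cookie` in turn; a cookie flagged HttpOnly cannot be expired from script and needs the equivalent Set-Cookie header from the server.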
May 25, 2013