ColdFusion Talk (CF-Talk)
Sessions failing due to multiple CFID / CFTOKEN cookies
Author: Paul Alkema
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#351997
----- Excess quoted text cut - see Original Post for more -----
Author: Clark Baker
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#350051
Richard or James,
Was the cause of this issue ever determined for either of you? We're having the
same issue with a small percentage of users. We're detecting the double CFID
entry in cgi.http_cookie and running a JavaScript to clear all our domain's
cookies when we find the double CFID. We also set a tracking cookie so we don't
try to clear that user's cookies again in case the double CFID doesn't go away.
I believe that CF is setting a CFID and CFTOKEN for both www.domain.com and
.domain.com and maybe that's why it's getting confused.
However this is just dealing with the issue, not correcting it.
Any info from your end would be appreciated. Thanks
Author: Russ Michaels
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347422
Ah, I remember now.
CFMAGIC is only set if you have setDomainCookies set to true in your
CFAPPLICATION tag. It's there to allow you to have multiple domains
read the same cookies to tie together a session across them.
Author: Michael Grant
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347421
Perhaps try asking David Blaine?
Author: Judah McAuley
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347420
Are you maybe thinking about the setting that says use J2EE sessions
and changes the CFID and CFTOKEN combo to a jsessionid token?
Judah
Author: Russ Michaels
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347419
So what's this cfmagic var I'm remembering?
Regards
Russ Michaels
From my mobile
On 12 Sep 2011 18:42, "Dave Watts" <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347415
> I believe setting the useUUID setting in the cfadmin can help with
> such issues, if I recall correctly this also avoids the use of CFID
> and CFTOKEN, and uses an alternate variable instead, CFMAGIC or
> something? It's been a while since I looked at this as I use UUID as
> default for years now so I might be completely wrong and I'm sure Dave
> will correct me if I am.
I think this just uses a UUID for CFTOKEN, actually.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
Author: Russ Michaels
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347413
I believe setting the useUUID setting in the cfadmin can help with
such issues, if I recall correctly this also avoids the use of CFID
and CFTOKEN, and uses an alternate variable instead, CFMAGIC or
something? It's been a while since I looked at this as I use UUID as
default for years now so I might be completely wrong and I'm sure Dave
will correct me if I am.
I wasn't aware that JSESSIONID is browser session based, which is
interesting to know, but you can get around that by generating the
cookie yourself and giving it an expiry date.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347412
> Should we be using jsessionids instead? Are there any problems in switching
> to them? Thanks so much.
Generally, I prefer using JSESSIONIDs. But if you have any explicit
references to CFID and CFTOKEN in your code, those would have to
change appropriately. Also, JSESSIONID is destroyed when the user
closes the browser - CFID and CFTOKEN are not, by default.
Dave Watts, CTO, Fig Leaf Software
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347411
> We have one server running ColdFusion 8 Enterprise. It has two applications
> with each application having two load balanced instances. Both
> applications are called within one website.
OK, in your application are you using the setDomainCookies attribute
in CFAPPLICATION/Application.cfc?
Dave Watts, CTO, Fig Leaf Software
Author: James Skemp
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#347410
Richard, did you ever get this resolved?
We've begun experiencing the very same issue on our end (IE 8 on Win7).
We're using one domain-level cookie on our site, but ColdFusion cookies are set
specific to the sub-domain. We also only have one Web site on the server using
CF.
Clearing cookies works for some users, while others run into the issue again
after some amount of time, after clearing their cookies.
James
> We're encountering the following issue with some percentage of IE
> users (Definitely but not necessarily limited to IE8 8.0.7601.17514 &
> Windows 7). Basically their SESSION is failing the same way it might
> if their cookies were disabled, however, we are able to set cookies
> manually using CFCOOKIE. After running several tests, we found that
> the users' request headers include 2 CFID and CFTOKEN cookies. [...]
Author: Richard Steele
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#346700
Should we be using jsessionids instead? Are there any problems in switching to
them? Thanks so much.
Author: Richard Steele
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#346690
We have one server running ColdFusion 8 Enterprise. It has two applications with
each application having two load balanced instances. Both applications are called
within one website.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#346680
Do you have more than one CF server within your domain? If so, are you
setting domain-wide cookies on either server?
Dave Watts, CTO, Fig Leaf Software
Author: Richard Steele
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63223#346659
We're encountering the following issue with some percentage of IE users
(Definitely but not necessarily limited to IE8 8.0.7601.17514 & Windows 7).
Basically their SESSION is failing the same way it might if their cookies were
disabled, however, we are able to set cookies manually using CFCOOKIE. After
running several tests, we found that the users' request headers include 2 CFID and
CFTOKEN cookies. It seems like ColdFusion writes both into the COOKIE scope,
then can't translate them into the SESSION so creates a new (third) CFID and
CFTOKEN pair, then overwrites the value of both in the COOKIE scope.
CGI.HTTP_COOKIES
------------------------------
CFID=19602005; CFTOKEN=13461642; (other cookies removed); CFID=20907643;
CFTOKEN=42056124; (other cookies removed);
COOKIES
------------------------------
struct
CFID 20907644
CFID 20907644
CFTOKEN 22098534
CFTOKEN 22098534
SESSION
------------------------------
struct
cfid 20907644
cftoken 22098534
sessionid APPNAME_20907644_22098534
urltoken CFID=20907644&CFTOKEN=22098534
Anybody know what could be going on here? Thanks in advance!
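The duplicate-cookie condition in the CGI.HTTP_COOKIES dump above, and the detect-then-clear workaround described in the thread, as an added example that is not code from any poster. The constant and function names, the example.com parent domain and the Path=/ scope are assumptions.

```javascript
// Added example: find session cookies sent more than once in a raw Cookie
// header, then build Set-Cookie values that expire them in both scopes.
// SESSION_NAMES, example.com and Path=/ are assumptions, not from the thread.
const SESSION_NAMES = ["CFID", "CFTOKEN"];

// Parse into name -> [values], keeping every occurrence. A struct or Map
// keyed by name alone would silently collapse the duplicates.
function parseCookieHeader(header) {
  const seen = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // no name=value pair (empty or redacted fragment)
    // Assumption: names are compared case-insensitively, as a CF struct would.
    const name = part.slice(0, eq).trim().toUpperCase();
    if (!name) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(part.slice(eq + 1).trim());
  }
  return seen;
}

// Return every watched name that appears more than once, with all its values
// in header order, e.g. { CFID: ["19602005", "20907643"] }.
function findDuplicates(header, names = SESSION_NAMES) {
  const seen = parseCookieHeader(header);
  const dupes = {};
  for (const name of names) {
    const values = seen.get(name) || [];
    if (values.length > 1) dupes[name] = values;
  }
  return dupes;
}

// The request header does not say which scope each copy came from, so expire
// the name both as a host-only cookie and as a parent-domain cookie.
function expiryHeaders(names, parentDomain) {
  const past = "Thu, 01 Jan 1970 00:00:00 GMT";
  return names.flatMap((name) => [
    `${name}=; Expires=${past}; Path=/`,
    `${name}=; Expires=${past}; Path=/; Domain=${parentDomain}`,
  ]);
}

// Constructed sample modelled on the CGI.HTTP_COOKIES dump in the original post.
const SAMPLE = "CFID=19602005; CFTOKEN=13461642; (other cookies removed); " +
  "CFID=20907643; CFTOKEN=42056124; (other cookies removed);";

console.log(findDuplicates(SAMPLE));
console.log(expiryHeaders(Object.keys(findDuplicates(SAMPLE)), "example.com"));
```

Logging the duplicate values before clearing them keeps the evidence needed to work out which host or application set each copy.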
June 19, 2013