ColdFusion Dropping, Losing, or Resetting Session Variables and CFID/CFTOKEN

Actually, this is not ColdFusion’s fault; it is a browser issue. Here’s what happens:

A user logins into your application, navigates through it, and then, inexplicably, gets booted out or not recognized. Sometimes it is just one page that seems to be the problem, sometimes several. Sometimes it is one browser, say IE, and not another, say FF.

What is crazy about this is that the application has, for all intents and purposes, worked correctly up to this point. The problem seemed to occur out of the blue. (Personally, I think it happened at the same time said user switched to IE7, but that is just my opinion.) And, what is also wonderful about this is that oftentimes you cannot recreate it. The user just screams and screams while you pull your hair out.

If and when you can recreate it, when you output the CFID and CFTOKEN tags you notice that they are different for the same user. They should not be. They never left the application.

For me the solution was simple. My application was using ‘www’ in the domain name on some pages and not on others as in www.mysite.com vs. mysite.com. The browser interpreted this as two different sites and made no association with the CFID/CFTOKEN cookies set by the application.cfm. So, ColdFusion reset them and bye-bye went my session variables.

Now, if this happens between http and https sites I do not know since this was not using a certificate. So, for that, you will have to figure it out.

This really frustrated me and I hope it helps someone else.

Posted in ColdFusion, Web development. Tags: , . Permalink. Both comments and trackbacks are closed.

62 Comments

  1. Mark
    March 17, 2011 at 3:12 pm | Permalink

    I am having the same issue with a different setup. J2EE is setup, the Application.cfc has all the required fields (this.applicationTimeout,sessionManagement,sessionTimeout,clientManagement,SetDomainCookies – all true). I have a login form and it works for initial login – everything set correctly. If a user clicks a link to take them to a different page on the same server in the same domain, it loses the session. I added jsessionid to the url string and it worked. Now, if the user clicks a submit button on a html form and the action page is the same page that they got to (with the session) it loses the session. I have tried adding jsessionid to the action page url but it still fails.

    This is on the internet not intra and I have a client waiting, so I am starting to get real nervous. Server is Windows 2003 running CF 9.0.1.

  2. Beale
    March 1, 2011 at 12:50 pm | Permalink

    My solution – as others have suggested – to allow multiple session windows from the same server –

    <cfapplication ….
    sessionmanagement="yes" clientmanagement="no" setclientcookies="no" sessiontimeout="120"

    And for all your url references, use this:
    <cfset urlstring = #urlsessionformat(url)# >