coldfusionJedi

This entry was posted on Friday, January 2, 2009 at 8:31 AM. It was filed in the following categories: ColdFusion. It has been viewed 3,092 times and has 17 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

• Comment 1 written by Raymond Camden on 2 January 2009, at 9:05 AM

  

  As just a quick note, I also did some testing with the Admin API, specifically getting the active session count and the session info itself.
  
  <cfinvoke component="cfide.adminapi.administrator" method="login" adminPassword="admin">
  <cfinvoke component="cfide.adminapi.servermonitoring" method="getActiveSessionCount" cfapplicationname="stest" returnVariable="sc">
  
  <cfoutput>Total session count: #sc#<br/></cfoutput>
  
  <cfinvoke component="cfide.adminapi.servermonitoring" cfapplicationname="stest" method="getActiveSessions" returnVariable="sessions">
  
  <cfdump var="#sessions#">
  
  I noticed that when I cleared, it had no impact on the session information returned (ie, time since last access, age, etc). So it looks like, under the covers, there is nothing wrong with structClear(session). If you don't use cfid/cftoken/sessionid in code itself then it should be safe.

• Comment 2 written by Scott P on 2 January 2009, at 11:40 AM

  

  I use this instead, provides me a bit more control.
  
  <cfset safeList = "sessionid,urltoken,cfide,cftoken">
  <cfloop collection="#session#" item="i">
     <cfif not ListFindNoCase(safelist,i)>
        <cfset structDelete(session,i)>
     </cfif>
  </cfloop>

• Comment 3 written by Red on 2 January 2009, at 1:02 PM

  

  I have similar code to Scott's, but I do experience some weird session/caching behavior - I hope I don't deviate too much from the subject.
  
  Basically, I login as user A, logout, login as user B, then I click on user-related parts of the site, and I get User A info. When I refresh the page it displays the correct user. CFID/CFTOKEN don't change as one would expect, rather, it takes few logout/refresh for them to change. Also, I added some debugging code onRequestStart() and it doesn't show every time(especially when it flips to the previously logged in user).
  
  By adding rand() to the end of each user-related link on the site I fixed the problem(well if you can call that a fix).
  
  I've never experienced this before, and I am sure I had to go out my way to break this. I searched around, and I couldn't find anything similar to this problem. I wonder if anyone has seen this before?
  
  Thanks

• Comment 4 written by DanaK on 3 January 2009, at 12:06 PM

  

  We have off again and on again session problems with people dropping their cfid/cftoken all the time, or with what Red said. It won't happen for weeks then all of a sudden boom it happens 110 times a day for 2 weeks. Removing structClear() was one of the first things I did (to no avail!).
  
  I think I've torn things apart 100x and never could figure it out. I notice IE 6.x has various builds that were pushed out that would wreak general havok with session id's dropping on page hits etc.

• Comment 5 written by Raymond Camden on 3 January 2009, at 8:51 PM

  

  @Red: First, you should NOT expect CFID/CFTOKEN to change. Those values are unique to your browser and machine. They have ZERO to do with actual session data. So when you logged in as A, then logged out, and came back as B, you were still on the same machine, so you would have the same CFID/CFTOKEN values.
  
  You note that when you refreshed a page it seemed to show the right data - that could just be the browser cache aain. So I'd use the suggestions from this entry: http://www.coldfusionjedi.com/index.cfm/2009/1/1/A...

• Comment 6 written by Raymond Camden on 3 January 2009, at 8:52 PM

  

  Another way to think of the CFID/CFTOKEN not changing this. You get a phone number, right, 555-1111. The number is associated to you, Red. Then you die (sorry!) and I move in to your home and get your phone number. It's the same number, but now the name associated with it is Ray.

• Comment 7 written by Elliott Sprehn on 4 January 2009, at 4:56 AM

  

  @Red
  
  CFID and CFToken are sent in cookies when the session is started and your browser stores them for as long as the Set-Cookie header told it to. CF will only send you a new CFID and CFToken if your session expires or your browser didn't send the cookies (they didn't exist, or they expired).
  
  As Ray said, the issue you're describing, and the fix with a random number, is definitely a browser caching problem.

• Comment 8 written by Brian on 5 January 2009, at 11:49 AM

  

  I'm being lazy, but does this also apply to jsessionid?
  
  @DanaK: We've seen that behavior when the cluster, er um, cluster-bombed... A user would be coming in through the master IP, but for some inexplicable reason, the affinity to a node never stuck...Which resulted in a new cfid/token with about every couple of hits...happened with predictable regularity on form submissions. And this was browser agnostic.

• Comment 9 written by Raymond Camden on 5 January 2009, at 11:50 AM

  

  @Brian: I did not run my test w/ j2ee sessions turned on. I'd imagine we would see the same (the particular value would go away, urltoken would still work right, and sessions would still be fine anyway).

• Comment 10 written by Red on 5 January 2009, at 5:29 PM

  

  Ray, Elliott, thanks for the explanation.
  
  Ray, How do I "die" :(, and take my phone number with me, gracefully?
  
  Elliott, I can expire CFID/CFTOKEN cookies on logout?
  
  If I use StructClear() and get rid of CFID/CFTOKEN, at which point will ColdFusion send a new pair of CFID/CFTOKEN?
  
  I do understand that the issue I originally asked about is due to caching, and is NOT related to sessions.
  
  Thx

• Comment 11 written by Raymond Camden on 5 January 2009, at 6:30 PM

  

  @Red - I don't think you get it (or I don't get your comment). There is no need to delete cfid/cftoken. You want to remove YOUR data, not the markers CF uses to uniquely identify you. If on login you set session.loggedin=true, then on logout you simply remove that variable: structDelete(session, "loggedin")

• Comment 12 written by Red on 5 January 2009, at 8:12 PM

  

  eh, I get it... Thanks

• Comment 13 written by Don on 8 January 2009, at 4:18 PM

  

  So now comes my problem with this. I do <cfset structClear(session)> and get the error "Variable SESSION is undefined"
  
  I've even tried
  <script>
  structClear(session);
  </script>
  and get the same error.
  What am I doing wrong?

• Comment 14 written by Raymond Camden on 9 January 2009, at 12:38 PM

  

  The only way you would get that error is if it was on a page w/o any application context. Ie, a request where Application.cfc or .cfm was run. (And of course, sessionmanagement has to be turned on for the app.)

• Comment 15 written by Don on 9 January 2009, at 1:19 PM

  

  Well, none of that is true. It is actually in the application.cfc file and session management is turned on.
  
  I've run into this everytime I've tried to do it. Really strange. Different servers too.
  
  The one I'm doing now has this in the application.cfc file.
  <cfif ISDEFINED("url.reset") and url.reset is "DOIT">
  <cfset #structClear(session)#>
  <cflocation url="index.cfm">
  </cfif>

• Comment 16 written by Raymond Camden on 10 January 2009, at 8:04 AM

  

  Can you show us more of the App.cfc file? Please use a code pasting service like pastebin.

• Comment 17 written by Henry Ho on 13 March 2009, at 5:53 PM

  

  In the CF8's doc on StructClear():
  http://livedocs.adobe.com/coldfusion/8/htmldocs/he...
  
  "Do not call this function on a session variable. For more information, see TechNote 14143..."
  
  which is,
  
  ColdFusion 4.5 and the StructClear(Session) Function
  http://www.adobe.com/go/tn_17479
  
  The last workaround looks interesting. Kill the app? Wouldn't all active Session's be killed?

[Add Comment] [Subscribe to Comments]