
I have a web page that you log into, which then creates a session variable that's checked on all subsequent page accesses; if it doesn't exist or doesn't match what's recorded against the session ID, you get kicked out of the page.


Code Here: Application.cfm session setup:

<CFAPPLICATION NAME="myAPP" APPLICATIONTIMEOUT="#CREATETIMESPAN(0,0,60,0)#" sessionTimeout="#CreateTimeSpan(0, 0, 20, 0)#" sessionManagement="Yes">

Checked session variable set:

<CFLOCK TIMEOUT="30" THROWONTIMEOUT="no" TYPE="Exclusive" Scope="session">
  <CFSET session.started = ucase(dbGUID)>
</CFLOCK>

Now the page also loads data into different DIVs every few seconds via jQuery's load() method, from different backend pages. This all works fine for some people, who have no issues at all; for others, however, it will work fine for anything from a few minutes to a few hours and then suddenly Lucee will generate a new session, causing the data loaded back into the main page to force the main page to refresh so you can log back in again. What happens then is that the page refreshes, the original session still actually exists and so is used again, and the person is then able to see the page data again. This can happen loads of times for some people and never for others.

I'm sure it's not personal, as trying it on different PCs for the same person it's OK on some and not on others. Trying it directly on the web server (with a hosts file for the domain pointing locally) it's fine and there are no issues. It doesn't appear to be the load balancer, as it happens both on and off the load balancer. Just to be clear as well, it's not one specific page causing the new session; it could be any of the ones in use. It's also not caused by the first attempt to get to the page, as the page could be accessed dozens of times prior to the new session being generated. It's also not timeouts, as the session timeout is set to 20 mins but it could happen within a minute of the original session being set.

The question is: why does Lucee suddenly decide to create a new session (the old one still exists), and how could I stop it and/or get it to go back to using the original session again?

James A Mohler
haddow64
  • Is your ajax request targeting different hosts by any chance? As long as session references are sent via request, they are kept alive server-side and only time out client-side once the browser is closed (session cookie expiry). If Lucee offers a new session, the client didn't send an existing session in his request (or it already expired). Do you log when the session is declined due to mismatch of your `dbGUID`? Does it happen? – Alex Dec 12 '17 at 21:55
  • Maybe the session has expired or reached an idle timeout. Do you see any server side alerts or logs when this happens? Also `.load()` may not use the same cookie... or may appear to the server as a new socket? – Twisty Dec 13 '17 at 16:55
  • When you say it happens off the load balancer as well, how are you testing this? You also mention that using a host with a local IP works fine. If you have access to the web server log, do you see both requests hitting the same server when the issue occurs? – jfrobishow Apr 18 '18 at 02:47

1 Answer

Are you sure a new session really is being created? Or are you perhaps assuming that because session.started doesn't exist in some test that determines logged in status?

If so, there may be a different explanation. Or at least there is a better way to know if a new session is being created unexpectedly as you suppose.

First, note that you're doing a cflock that's exclusive, with throwontimeout=no. The latter is usually an anti-pattern: if the lock can't be obtained within the timeout, no error will be thrown, but the code within the cflock will not be run... and so session.started will not be set. So any code testing its existence will think it doesn't exist, which may be why you presume a new session is being created.

If you want to be able to know for sure whether a new session is being created in these cases, output the session.sessionid var (or any other Lucee-generated var shown in a dump of the session scope) which identifies the session distinctively. Is that value changing when you feel the session is unexpectedly created anew?

charlie arehart
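To make the answer's two points concrete (a silently skipped lock body versus a genuinely new session), here is an added CFML diagnostic for Application.cfm. It is example code, not from the question or the answer: `dbGUID` is taken to be in scope as in the question, and the log name `session-debug` and the `login.cfm` target are assumptions. Lines are written for Lucee with the question's session settings.

```cfml
<!--- Added example (not the original poster's code). Assumes Application.cfm
      as in the question; "dbGUID" and the "session-debug" log name are assumed. --->

<!--- 1. Per-request trace. Place near the top of Application.cfm so every request,
        including the backend pages fetched by jQuery load(), records the session it
        ran under. session.sessionid / cfid / cftoken are Lucee-populated keys.
        Reading the log: if sessionid changes for the same user, a new session really
        was created; if sessionid is unchanged but started=false, the CFSET was skipped. --->
<cfset hasStarted = structKeyExists(session, "started")>
<cflog file="session-debug" type="information"
       text="sessionid=#session.sessionid# cfid=#session.cfid# cftoken=#session.cftoken# started=#hasStarted# path=#cgi.script_name# host=#cgi.http_host# ajax=#cgi.http_x_requested_with#">

<!--- 2. The same lock as in the question, but with THROWONTIMEOUT="yes" so lock
        contention surfaces as a caught error instead of silently skipping the body.
        (Only the login page should run this; it is shown inline for brevity.) --->
<cfif structKeyExists(variables, "dbGUID") AND NOT hasStarted>
    <cftry>
        <cflock scope="session" type="exclusive" timeout="30" throwontimeout="yes">
            <cfset session.started = ucase(dbGUID)>
        </cflock>
        <cfcatch type="lock">
            <!--- Lock could not be obtained: session.started was NOT set. Log it so the
                  next request's "started=false" is not mistaken for a new session. --->
            <cflog file="session-debug" type="error"
                   text="session lock timeout, session.started not set; sessionid=#session.sessionid# msg=#cfcatch.message#">
            <cfrethrow>
        </cfcatch>
    </cftry>
</cfif>

<!--- 3. The logged-in check, split so that "missing" and "mismatch" are logged as
        distinct events before the redirect. --->
<cfif NOT structKeyExists(session, "started")>
    <cflog file="session-debug" type="warning"
           text="session.started missing; sessionid=#session.sessionid# path=#cgi.script_name#">
    <cflocation url="login.cfm" addtoken="no">
<cfelseif structKeyExists(variables, "dbGUID") AND session.started NEQ ucase(dbGUID)>
    <cflog file="session-debug" type="warning"
           text="session.started mismatch; sessionid=#session.sessionid# path=#cgi.script_name#">
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

The `session-debug` log file appears in the Lucee web context's log directory. Correlating the `sessionid` and `host` columns for one user across the page request and the `load()` requests answers both the answer's question (did `sessionid` actually change?) and the first comment's (are the ajax requests going to a different host, so the session cookie is not being sent?).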