2

This is a weird one. I've recently moved the site to shared hosting on CF11 (I believe), so I don't know if that has anything to do with this. It wasn't happening before.

I'm still using application.cfm (not cfc) and it currently looks like this:

<CFAPPLICATION 
    NAME="catholicity"
    SESSIONMANAGEMENT="Yes"
    SESSIONTIMEOUT=#CreateTimeSpan(0,2,0,0)#
    CLIENTMANAGEMENT="Yes"
    CLIENTSTORAGE="Cookie"
>

Our site catholicity.co.nz allows users to add business listings. The listing process is done in steps, first selecting a category, then entering further details. We store listing data in a session variable named "session.post". After a category is selected, jQuery code passes the selected category to a ColdFusion CFC function, which creates session.post and adds the selected category to it (session.post.category). The jQuery then loads a new page for entering further details. I have confirmed that jQuery can read the session scope created in the CFC. It is on this second page that the session scope seems to be getting lost. Session.post does not appear when I dump the session scope at the top of this new page.

The JavaScript redirect code looks like this:

top.location.href="/post/post.cfm?cat=" + cat + "&subcat=" + subcat + "&mode=" + mode;

The cat and subcat values are read directly from the CFC, which returns session.post:

<cffunction.....>
   ...
   <cfset session.post.category = nCategoryId & "^" & sCategory>
   <cfset session.post.subcategory = arguments.id & "^" & sSubcategory>
   <cfset session.post.prev="subcategory_id">
   <cfset session.post.next="details">
   ...
   <cfreturn session.post>
</cffunction>

The strange part is that if a user is logged in at the time they create a new business listing, this issue does not occur. I'm not sure why because logging in creates a separate session variable named session.user and as far as I know there isn't any connection between session.user and session.post.

The issue is testable at http://www.catholicity.co.nz by clicking on "Add business" at the top. I have dumped out the session and client scopes on the first and second pages, with a JS alert on callback from the initial CFC call.

EDIT

My application.cfm looks like this:

<CFAPPLICATION 
    NAME="catholicity"
    SESSIONMANAGEMENT="Yes"
    SESSIONTIMEOUT=#CreateTimeSpan(0,2,0,0)#
    CLIENTMANAGEMENT="Yes"
    CLIENTSTORAGE="Cookie"
>

<cfif structKeyExists(session,"cfid")>
    <cfcookie name="cfid" value="#session.cfid#" expires="NOW">
    <cfcookie name="cftoken" value="#session.cftoken#" expires="NOW">
</cfif>

<cfif structKeyExists(url, "logout")>
    <cfset session.user.authenticated = 0>
</cfif>

<cfparam name="session.cfid" default="">
<cfparam name="session.cftoken" default="">

<cfparam name="session.mode" default="temp">

<cfparam name="session.user.authenticated" default="0">
<cfparam name="session.user.confirmed" default="0">
<cfparam name="session.user.disabled" default="0">
<cfparam name="session.user.id" default="">
<cfparam name="session.user.email" default="">
<cfparam name="session.user.contact_name" default="">

<cferror type="exception" template="/error.cfm">

<cfscript>
    application.accepted_docs = "application/pdf,application/msword,application/vnd.ms-excel,text/plain,vnd.ms-word.document.12,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
    application.accepted_images = "image/jpg,image/gif,image/jpeg,image/png,image/x-png,image/pjpeg ";
    application.accepted_videos = "video/x-flv,video/mp4,video/x-msvideo,video/x-ms-asf,video/x-ms-wmv,audio/x-ms-wma";
....
</cfscript>

<cflock name="#APPLICATION.applicationName#" 
        type="Exclusive" 
        timeout="20" 
        throwontimeout="Yes"> 

    <cfparam name="APPLICATION.SessionTracker" default=#StructNew()#> 

    <cfscript>
        sUserInfo = StructNew();
        sUserInfo.Address="#CGI.REMOTE_ADDR#";
        sUserInfo.CFID="#session.cfid#";
        sUserInfo.Token="#session.cftoken#";
        sUserInfo.Address="#CGI.REMOTE_ADDR#";
        sUserInfo.Time="#Now()#";
        sUserInfo.Template="#CGI.CF_Template_Path#";
        ID = "#session.cfid##session.cftoken#";
    </cfscript>

   <CFSET dummy = StructInsert(APPLICATION.SessionTracker, ID, sUserInfo, true)> 
</cflock>

I've tried commenting out potentially-dodgy code sections, to no avail.

user460114
  • Why are your CFID and CFToken blank? In your response header I can see set-cookie CFID and CFTOKEN multiple times, and the last one in the list is set to blank! – Keshav jha Jun 28 '19 at 09:09
  • 2
    @user460114, your session dump seems to have empty values for the cfID & CFToken keys. You have to check three things: 1) Check whether your application gets restarted for each and every request. 2) Check where the session gets cleared in your application, or else provide the entire application.cfm file here, regarding the session-related code. 3) Check whether your application has any application.cfc file in your root directory, because CF11 hits the application.cfc first. If you have an application.cfc in your root, then check that file for where your session gets cleared. – Kannan.P Jun 28 '19 at 09:49
  • I hope you're doing an AJAX call. What is the return type of the function which returns the session.post value? If the function's return type is void, that means it will not return anything, so that session.variable will not display anymore. – Sathish Chelladurai Jun 28 '19 at 11:06
  • 2
    @SathishChelladurai it does not matter whether the function return is void or not. The CFID & CFToken should have values once the session is started. Make sure there is no relationship between the function and the cfID values. The function has user, post, next, prev only. – Kannan.P Jun 28 '19 at 11:21
  • 2
    I would check if there is another `application.cfm` or `application.cfc` nearby – James A Mohler Jun 28 '19 at 15:30
  • Thanks for the suggestions. I have edited the question to include my application.cfm. There is no competing application file anywhere in the tree. Kannan.P suggested making sure the application restarts for every request and checking where the session clears. How do I check these? As far as I can tell, the session clears immediately after returning from the CFC function. In case it was a caching issue, I deliberately did a complete page refresh in the jQuery redirect call. Previously, I used the jQuery load() function to load the details template within an existing div. Anyone available for paid help? – user460114 Jun 28 '19 at 23:14
  • @user460114 Why are you expiring the cfcookie value based on the condition structKeyExists(session,"cfid")? – Sathish Chelladurai Jun 29 '19 at 06:18

1 Answer

3

I did a test with your Application.cfm page. As I said in the above comments, your session gets restarted for each and every request. (I mean your CFID & CFToken values are changed for every request).

I went through your code flow. Here you are resetting the CFID and CFToken cookies with the session values.

<cfif structKeyExists(session,"cfid")>
    <cfcookie name="cfid" value="#session.cfid#" expires="NOW">
    <cfcookie name="cftoken" value="#session.cftoken#" expires="NOW">
</cfif>

On every request, the Application.cfm page is executed. At that time, the above condition structKeyExists(session,"cfid") returns true for every request, so every request runs the <cfcookie> code. You have set the cookies to expire "Now", which means they expire immediately, so your session is considered a new one. This is the problem in your application.

As per the docs

The cookie expires when the user closes the browser, that is, the cookie is "session only".

So please check your above condition. I'm not sure why you are expiring the cookie immediately. Maybe your business logic is like that, but the code logic is not correct.

So change this logic as per your business needs. Please remove that code and restart your application and then you will get only one CFID and CFToken for each and every request until the session expires.

In the image below, I've run the application with the CFCookie value being set. It's considered a different CFID & CFToken value for every request. You can see below that the CFID is different, like 2106, 2107, 2108.


If I remove the condition with cookie value, it's considered only one session. The CFID remains 2109 until the session expires.


So please correct your condition and CFCookie functionalities. That's the cause of the problem.

Kannan.P
  • Thanks Kannan, but that wasn't the problem. I thought that code might be causing issues, so I already tried removing, in fact, everything from the application.cfm except the basics. Nothing worked. It only works without issues when a user is logged in. If the user is not logged in, sometimes it works but mostly it doesn't. I'll have to figure out why. – user460114 Jun 29 '19 at 07:15
  • No @user460114. You can see my screenshot above. I made a sample app using your code. By removing that cookie, it's working fine. Did you change your application name? Or restart the CFM service after removing that code? If not, please try doing that. And try to use a private browser while in test mode. Update me for further clarifications. But I fixed that issue on my local. – Kannan.P Jun 29 '19 at 07:19
  • Yes, you are right. The problem was with caching. After thoroughly clearing the cache, everything is ok again. Thank you. – user460114 Jun 29 '19 at 21:17
  • @Kannan.P, in my application.cfm I'm facing the same issue with cfcookie session management. I'm not using the expires="now" attribute, but sometimes only after the browser is closed does the session work; otherwise all session variables are lost. Any idea? – Prabha Jan 18 '22 at 17:27
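
The behaviour described in the answer above, modelled as an added Python example (not code from the question or the answer): a toy browser cookie jar and a toy server show why re-sending CFID/CFTOKEN with an expiry of "now" on every response gives every request a new session. The fixed clock, the token values and the exact Set-Cookie formatting are constructed for illustration; real ColdFusion header output may differ.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

NOW = datetime(2019, 6, 28, 9, 0, tzinfo=timezone.utc)  # constructed fixed clock

def parse_set_cookie(header):
    """Split one Set-Cookie value into (NAME, value, attributes)."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # upper() is a simplification so "cfid" and "CFID" map to one jar entry
    return name.strip().upper(), value.strip(), attrs

def is_expired(attrs, now):
    """True when Expires is not in the future, so the browser drops the cookie."""
    if "expires" not in attrs:
        return False  # no Expires: session-only cookie, kept until the browser closes
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return False  # unparseable date: treated here as "no expiry given"
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def apply_headers(jar, headers, now):
    """Apply Set-Cookie headers in order, as a browser does; the last one wins."""
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if is_expired(attrs, now) or value == "":
            jar.pop(name, None)  # expired, or blank and unusable as a session id
        else:
            jar[name] = value
    return jar

def simulate(n_requests, expire_every_request, first_id, now=NOW):
    """Return the CFID the toy server uses on each of n_requests."""
    jar, next_id, seen = {}, first_id, []
    for _ in range(n_requests):
        cfid, headers = jar.get("CFID"), []
        if cfid is None:  # no cookie sent: the server starts a new session
            cfid, next_id = str(next_id), next_id + 1
            headers += [f"CFID={cfid}; Path=/", f"CFTOKEN=t{cfid}; Path=/"]
        if expire_every_request:  # models <cfcookie ... expires="NOW">
            stamp = format_datetime(now, usegmt=True)
            headers += [f"CFID={cfid}; Expires={stamp}; Path=/",
                        f"CFTOKEN=t{cfid}; Expires={stamp}; Path=/"]
        apply_headers(jar, headers, now)
        seen.append(cfid)
    return seen
```

`simulate(3, True, 2106)` walks through the failing case and `simulate(3, False, 2109)` the case with the expiring cookies removed; `apply_headers` can also be pointed at Set-Cookie lines copied from a browser's network tab to see which cookies survive a response.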