tracker issue : CF-3354476

select a category, or use search below
(searches all categories and all time range)
Title:

Session reset on each page load on IE for certain machines

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): SCOTT BUCKEL / SCOTT BUCKEL (sebumd)

Created: 10/27/2012

Components: Security

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / Some users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 2

Problem Description:

New sessions are started for each page load in certain IE users.  Not all users are affected, though.

Steps to Reproduce:

<cfcomponent output="true">
	<cfset this.name = "CZTest123">
	<cfset this.sessionManagement = true>
	<cfset this.loginStorage = "session">
	<cfset  this.sessionTimeout = CreateTimeSpan(0,1,30,0)>
	
</cfcomponent>


Then in index.cfm:

<cfoutput>
	#session.sessionid#
</cfoutput>



Actual Result:
New session.sessionID reported for each page load for some users.


Expected Result:
Same sessionID used for each page load unless session is reset.

Any Workarounds:
None,

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3354476

External Customer Info:
External Company:  
External Customer Name: sebumd
External Customer Email:  
External Test Config: My Hardware and Environment details:

Windows Server 2008 R2

ColdFusion 10 with latest patches



Three different Win7 machines as the clients.  Not all Win7 Machines affected, though.  Only IE.

Attachments:

Comments:

I've blogged about the issue here: http://www.corporatezen.com/cf10bug
Comment by External U.
17331 | October 27, 2012 11:33:41 AM GMT
I just figured out a workaround for the issue in IE9 on Windows 7. If you disable "protected mode" sessions will work again. Not all IE's require this.
Comment by External U.
17332 | October 30, 2012 12:05:46 PM GMT
We migrated to our live environment and this bug is recreated on IE9 for some clients in our CMS. On the same machines that didn't work for the other sites (before we migrated some things live), the live environment works fine.
Comment by External U.
17333 | November 27, 2012 02:29:48 PM GMT
Workaround: Use J2EE session variables in the CF Admin tool. This looks to be a bug in the way sessions are handled in CF10 when not using J2EE session variables.
Comment by External U.
17334 | November 27, 2012 03:02:15 PM GMT
We're encountering the same issue and it's a HUGE problem for us. IE9 users will freqently start new sessions with every request, rendering our website useless. Seems to be more likely if user is accessing our site from multiple tabs. Please get this fixed. Session hijacking and security are not a big concern for us. But buggy sessions that don't work will drive away all of our customers. PLEASE FIX! We're using ColdFusion sessions, not J2EE.
Vote by External U.
17335 | March 31, 2013 11:19:27 AM GMT
This problem for me began when we upgraded from CF 8 to CF 10.
Vote by External U.
17336 | September 03, 2014 12:43:34 PM GMT