tracker issue : CF-3430245

Title:

Session gets lost on cflocation with J2EE Sessions and Cookies disabled


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Jörg Zimmer / Jörg Zimmer (Jörg Zimmer)

Created: 12/17/2012

Components: Core Runtime, Session Management

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final / CF10_Update14

Priority/Frequency: Major / All users will encounter

Locale/System: English / Linux Ubuntu 10.04

Vote Count: 0

Listed in the version 11.0.03.292480 Issues Fixed doc
Problem Description:
When using cflocation with enabled J2EE Sessions, the redirect doesn't respect the ;jsessionid on the url.
So the session gets lost.

Steps to Reproduce:
- post to form with action="#urlsessionformat("login.cfm")#"
  this makes action="login.cfm;jsessionid=xxxx"
- after successful login, redirect to index.cfm with cflocation addtoken=true
  this redirects to index.cfm?jsessionid=xxxx not index.cfm;jsessionid=xxxx
- user loses session on index.cfm and (in my case) is redirected back to login.cfm

Actual Result:
see above

Expected Result:
redirect to index.cfm;jsessionid=xxxxx

Any Workarounds:
Forcing clients to enable cookies, which is impossible for thousands of users

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3430245

External Customer Info:
External Company:  
External Customer Name: Joerg.Zimmer
External Customer Email:  
External Test Config: My Hardware and Environment details:

Ubuntu 10.04 64bit and CF10 Standard x64 with update6 installed.

Attachments:

Comments:

Please add this to default mod_jk.conf as this avoids the 404 error from apache when accessing a page with added ;jsessionid

    <LocationMatch "/.*;jsessionid=.*">
        SetHandler jakarta-servlet
    </LocationMatch>

Comment by External U.
16905 | December 17, 2012 06:00:34 AM GMT
Adobe,

This is not completely fixed in CF11 Update 3. When cookies are disabled, and J2EE sessions are enabled, a 404 is thrown for the following examples:

    <cflocation url="?myparam" addtoken="yes" />
    <cflocation url="/" addtoken="yes" />
    <cflocation url="/mydir" addtoken="yes" />
    <cflocation url="/mydir/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir/" addtoken="yes" />

When 404s are not thrown for valid URLs, then this ticket would be fixed.

Thanks!,
-Aaron
Comment by External U.
16906 | November 05, 2014 02:40:48 AM GMT
If the form is self-posting (w/ cookies disabled and J2EE sessions enabled), an error is thrown before cflocation even runs.

Example (verified in CF11 Update 3 - 11,0,03,292024(PreRelease) on x64 Win8.1 w/ IIS):

Application.cfc
---------------------
    component {
        THIS.name = "ticket_CF-3430245";
        THIS.sessionManagement = true;
    }

index.cfm
--------------
    <cfif structKeyExists(FORM, "submit")>
        <cflocation url="target.cfm" addtoken="yes" />
    </cfif>
    <cfform action="#urlSessionFormat('')#">
        <cfinput type="submit" name="submit" value="submit">
    </cfform>
    <cfdump var="#sessionGetMetadata().startTime#" />

target.cfm
---------------
    <cfdump var="#sessionGetMetadata().startTime#" />

Thanks!,
-Aaron
Comment by External U.
16907 | November 10, 2014 02:59:00 AM GMT
This still isn't fixed in CF11 Update 3 (11,0,03,292245(PreRelease)). If the form is self-posting (w/ J2EE sessions enabled and cookies disabled), an error is thrown before cflocation even runs. Please see 12:29:00 AM GMT+00:00 Nov 10, 2014 comment for repro code.

404 is also thrown if cflocation is any of these (w/ J2EE sessions enabled and cookies disabled):

    <cflocation url="?myparam" addtoken="yes" />
    <cflocation url="/" addtoken="yes" />
    <cflocation url="/mydir" addtoken="yes" />
    <cflocation url="/mydir/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir/" addtoken="yes" />

Thanks!,
-Aaron
Comment by External U.
16908 | November 21, 2014 07:45:07 AM GMT
This still isn't fixed in CF11 Update 3 (11,0,03,292480). If the form is self-posting (w/ J2EE sessions enabled and cookies disabled), an error is thrown before cflocation even runs. Please see 12:29:00 AM GMT+00:00 Nov 10, 2014 comment for repro code. Please see 5:15:07 AM GMT+00:00 Nov 21, 2014 comment for more details. Thanks!, -Aaron
Comment by External U.
16909 | December 02, 2014 11:25:41 PM GMT
Adobe, This wasn't fixed for self-posting forms. This should be fixed for self-posting forms. Thanks!, -Aaron
Comment by External U.
16910 | December 11, 2014 05:48:39 AM GMT
*bump*
Comment by External U.
16911 | December 26, 2014 06:19:37 PM GMT
Hello?? This was never fixed for self-posting forms.

Repro:

Application.cfc
---------------------
    component {
        THIS.name = "ticket_CF-3430245";
        THIS.sessionManagement = true;
    }

index.cfm
--------------
    <cfif structKeyExists(FORM, "submit")>
        <cflocation url="target.cfm" addtoken="yes" />
    </cfif>
    <cfform action="#urlSessionFormat('')#">
        <cfinput type="submit" name="submit" value="submit">
    </cfform>
    <cfdump var="#sessionGetMetadata().startTime#" />

target.cfm
---------------
    <cfdump var="#sessionGetMetadata().startTime#" />

Comment by External U.
16912 | September 04, 2015 12:21:16 AM GMT
And none of these work properly yet w/ J2EE sessions enabled (tested on IIS):

    <cflocation url="?myparam" addtoken="yes" />
    <cflocation url="/" addtoken="yes" />
    <cflocation url="/mydir" addtoken="yes" />
    <cflocation url="/mydir/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir" addtoken="yes" />
    <cflocation url="http://#CGI.HTTP_HOST#/mydir/" addtoken="yes" />

Adobe, enabling J2EE sessions shouldn't break stuff. Please fix.

Thanks!,
-Aaron
Comment by External U.
16913 | September 04, 2015 12:39:13 AM GMT
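
Added example, not part of the ticket and not Adobe's code: a Python check a tester could run against the redirects discussed in this ticket. `expected_redirect` builds the form the report expects (the token as a `;jsessionid` path parameter ahead of any query string) for the URL shapes listed in the comments, and `classify_location` tells that form apart from the `?jsessionid=` form the report describes. The host `example.test`, the value `ABC123`, both function names and the choice to treat an empty path as `/` are assumptions made for the illustration.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

TOKEN = "jsessionid"

def expected_redirect(request_url, target, session_id):
    """Resolve `target` against the requesting page, then carry the session
    as a path parameter placed before any query string."""
    parts = urlsplit(urljoin(request_url, target))
    # Drop a token inherited from the request URL so it is not doubled.
    path = re.sub(r";%s=[^;/]*" % TOKEN, "", parts.path)
    path = path or "/"  # assumption: a bare host is treated as "/"
    path = "%s;%s=%s" % (path, TOKEN, session_id)
    return urlunsplit((parts.scheme, parts.netloc, path,
                       parts.query, parts.fragment))

def classify_location(location, session_id):
    """Say where a redirect's Location value carries the session token."""
    parts = urlsplit(location)
    wanted = "%s=%s" % (TOKEN, session_id)
    last_segment = parts.path.rsplit("/", 1)[-1]
    if wanted in last_segment.split(";")[1:]:
        return "path-parameter"   # the form the ticket expects
    if wanted in parts.query.split("&"):
        return "query-string"     # the form the ticket reports
    return "missing"

# Constructed sample input: the request that issued the redirect, and the
# cflocation url values quoted in the ticket (host replaced by example.test).
REQUEST = "http://example.test/app/login.cfm;jsessionid=ABC123"
TARGETS = ["index.cfm", "?myparam", "/", "/mydir", "/mydir/",
           "http://example.test", "http://example.test/mydir/"]

def report():
    """Pair each target with the redirect URL expected for it."""
    return [(t, expected_redirect(REQUEST, t, "ABC123")) for t in TARGETS]

if __name__ == "__main__":
    for target, url in report():
        print("%-28s -> %s" % (target, url))
    print(classify_location("index.cfm?jsessionid=ABC123", "ABC123"))
```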