tracker issue : CF-3849572

select a category, or use search below
(searches all categories and all time range)
Title:

CF10 Session variables lost

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/

Reporter/Name(from Bugbase): Brian Goetke / Brian Goetke (Brian Goetke)

Created: 11/10/2014

Components: Core Runtime, Session Management

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / Some users will encounter

Locale/System: English / Solaris All

Vote Count: 0

Problem Description:Upon upgrading from CF8 to CF10 on Oct 17, 2014, Some of our users are losing their session variables right after they are set upon logging in to our web application.  This is affecting about 5% of users.

Steps to Reproduce: I cannot reproduce in any browser. 

Actual Result:

Expected Result:

Any Workarounds: For two IE browser users, installing Chrome worked.  For two others, having them delete their cookies worked.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3849572

External Customer Info:
External Company:  
External Customer Name: Brian Goetke
External Customer Email:  
External Test Config: My Hardware and Environment details:Solaris 10, Apache2.2.27 , CF 10

Attachments:

Comments:

This problem may be related to the change made to CF Session ID creation when the browser cookie passes a CF ID to CF server that does not have that Session ID in memory (ie. an old Session ID). I believe at CF9, Coldfusion now creates a brand new CF ID, instead of using the CF ID passed by the browser cookie. This was done for security reasons. what forces the browser to write the new CF ID to the cookie? Some browsers aren't doing it?
Comment by External U.
10196 | November 10, 2014 08:32:52 AM GMT
You don't mention if you're using cflocation. If you are there's been problems with that losing session variables. More info can be found here: http://helpx.adobe.com/coldfusion/kb/missing-session-variables-using-cflocation.html Also, if you haven't upgraded to Update 14 you might want to to try this. Adobe claims they fixed a related cflocation/j2ee session issue: https://bugbase.adobe.com/index.cfm?event=bug&id=CF-3430245
Comment by External U.
10197 | November 13, 2014 06:02:08 AM GMT
@ImpDust : Thank you for this piece of information. @Brian Goetke : We would like to know some more information to repro this issue, about the point where you are losing the session id (as soon as the cfml opens your web application or after logging in). Also could you mention if you are facing this issue with cf session/j2ee session/both. As "ImpDust" has pointed out, could you mention if you are using cflocation?
Comment by S P.
10198 | November 18, 2014 05:01:16 AM GMT
Since we are not able to repro this issue, it would be really helpful if you could provide us with the information as stated in the previous note.
Comment by S P.
10199 | December 03, 2014 03:03:39 AM GMT
Firstly, we do not have J2EE sessions turned on. We only use CF Session cookies. We were seeing the error after authenticating on the loginaction and being sent to the next page via script. For example: <script> url="payor_rollup/p_check_uncompleted.cfm"; document.location=url; </script> We have eliminated the problem by disabling the new rotating session ID security patch introduced in CF9 by adding the following argument in the JVM config. -Dcoldfusion.session.protectfixation=false
Comment by External U.
10200 | January 07, 2015 10:11:32 AM GMT
We just updated our servers (Windows 2008R2) to CF10 Update 15 (previous update level was 13) and are now experiencing this same issue with the same size user base affected. It only seems to be affecting users with IE9. Unfortunately, a couple of high profile apps are affected and IE9 is the corporate browser. Due to legacy code, we are not using J2EE sessions on these servers. We are continuing to research, but any insight would be helpful.
Comment by External U.
10201 | January 22, 2015 05:06:40 PM GMT
Just to update our experience with this. Having the end user completely reset IE to the defaults and deleting personal settings, eliminates the issue. We are not sure why, but happy that t is resolved.
Comment by External U.
10202 | January 26, 2015 09:48:41 AM GMT
Hi Brian, According to Stephen, resetting IE to the defaults and deleting personal settings has resolved the issue. Can you try this and confirm if you are still facing the issue? Thanks!
Comment by S P.
10203 | September 28, 2015 11:04:54 PM GMT
Since we have not got a response, we will be closing the bug for now. If you still face the issue or have any concerns, the bug would be reopened. Thanks!
Comment by S P.
10204 | October 12, 2015 05:14:02 AM GMT