CF10 Session Id changing on each page request?

-

in cf10, login not working in cf9.

session variables set 'unset' every time new page called, getauthuser.

to troubleshoot problem, found unexpected behavioral change cf9.

in case it's pertinent, using orm.

 

in application.cfc, had:



this.sessionmanagement

= "true";


this.sessiontimeout

= createtimespan(0,0,30,0);


this.loginstorage

= "session";


this.setclientcookies

= false;

 

in onsessionstart function, had:




<cfset session.isloggedin
= 0/>



<cfset session.username
= ""/>



<cfset session.email
= ""/>



<cfset session.termsaccept
= 0/>

 

in onrequeststart function, had:

<cfif session.isloggedin eq 0>

<cfif findnocase("login",requestedpage) eq 0 , findnocase("index",requestedpage) eq 0>

<cfinclude template="userinterface/session/login/login-v.cfm">

</cfif>

</cfif>

 

even after valid login, got login page.

dumping session variables, set application.cfc values @ beginning, , set correct values login @ end.

login-v.cfm posts login-cm.cfm, after validating user credentials has code:

<cflock scope="session" timeout="20" type="exclusive">

<cfset session.isloggedin = 1/>

<cfset session.username = "#appuserobj.getusername()#"/>

<cfset session.email = "#appuserobj.getemail()#"/>

<cfset session.termsaccept = "#appuserobj.gettermsaccept()#"/>

</cflock>

<cflogin>

<cfloginuser name = "#appuserobj.getusername()#"

password = "#appuserobj.getpassword()#"

roles= "#appuserobj.getuseraccessdata().getroles()#"/>

</cflogin>

 

so, changed onrequeststart dump session variables.

going login-v.cfm initially, onrequeststart dump gave me this:

email[empty string]
isloggedin0
sessionidspnew2_3477_95978872
termsaccept0
username[empty string]

 

after successful post login-cm.cfm, setting session variables , cfloginuser,

a session dump gave me this:

emailtesting@meltech.com
isloggedin1
sessionidspnew2_3477_95978872
termsaccept1
usernametesting

and getauthuser() = testing

i cflocation userinerface/portal/portal-v.cfm

going that, onrequeststart dump gave me this:

email[empty string]
isloggedin0
sessionidspnew2_3479_18042427
termsaccept0
username[empty string]

a different session!

 

i able work around problem changing application.cfc to

this.loginstorage


= "cookie";

sessions maintained.

 

what's this? don't recall seeing in cf10 security release notes sessions changing request pages when use session login storage?

this problematic me, don't want use cookies!

 

any ideas?

 

edited -

also, onsessionstart increment sessions appears request based, rather session based

onsessionstart has

<cflock scope="application" throwontimeout="yes" timeout="7" type="exclusive">

     <cfset application.currentsessions = application.currentsessions + 1>

</cflock>

so, start currentsessions = 0 (new application start)

after login-v,login-cm , portal-v, have currentsessions = 3 instead of 1.

i confused when these events firing



More discussions in ColdFusion


adobe

Comments

Post a Comment

Popular posts from this blog

Adobe Acrobat Pro , Terminal Server Use

-
hello,   a fellow employee requires adobe acrobat pro installed use, , management me have sorted out. employee uses thin client connect terminal server of administration work.   i require single license adobe acrobat pro used single user.   will there license issues installing adobe acrobat pro on terminal server?   can install adobe acrobat pro on terminal server?   thanks, david hi david,   yes, can install acrobat terminal servers... !   the licensing terminal server considered normal licensing process, means need buy many number of licenses acrobat number of users accessing terminal server (like citrix) access software. eg if 10 users accessing citrix server @ particular time use acrobat software need 10 licenses same. More discussions in Installing, Updating, & Subscribing to Acrobat adobe
Read more

Thread: transmission-daemon isn't playing nice: "409: Conflict"

-
409: conflict request had invalid session-id header. fix this, follow these steps: when reading response, x-transmission-session-id header , remember it add updated header outgoing requests when 409 error message, resend request updated header requirement has been added prevent csrf attacks. error occurs when apache not running. i've tried zillion different proposed solutions involving rewriterules , proxypasses golly i'm clueless. me? following apache thing, y'know, in case. code: <virtualhost *:80> rewriteengine on documentroot /var/www <directory /> options followsymlinks allowoverride none </directory> <directory /var/www/> options indexes followsymlinks multiviews allowoverride none order allow,deny allow </directory> scriptalias /cgi-bin/ /usr/lib/cgi-bin/ <directory "/usr/lib/cgi-bin"> allowov...
Read more

Thread: gpg: Conflicting Commands

-
Image
hi, relatively new linux (have used many live disks) , have had install of ubuntu 12.04 few days now. part have found easy use , have been comfortable it. have first question can't resolve myself: adding googles repository list. when first ran command supplied google found did not have wget installed. used apt-get install it. worked fine (as far can tell) re-ran googles code : wget -q https://dl-ssl.google.com/linux/linux_signing_key.pub -o- | sudo apt-key add -deb http://dl.google.com/linux/deb/ stable non-free , message 'gpg: conflicting commands' tell me going wrong , how fix please new script : wget -q https://dl-ssl.google.com/linux/linux_signing_key.pub -o- | sudo apt-key add linux_signing_key.pub need edit /etc/apt/sources.list , add line @ end deb http://dl.google.com/linux/deb/ stable non-free end hope find usefull edit: need root or use sudo make changes /etc/apt/sour...
Read more