Is JSESSIONID on ColdFusion 11 supposed to change all the time? - coldfusion

I have ColdFusion 11 with 2 instances, with Sticky Sessions and Session Replication.
I noticed that JSESSIONID changes every time I close and open the browser. Is that supposed to be like this? Shouldn't the JSESSIONID be the same while my session is not cleared?

Unlike using ColdFusion sessions (CFID/CFTOKEN) where a session can be resumed after a browser is closed and reopened, J2EE sessions cannot. While technically the session is still open on the server (until it times out), it cannot be accessed again by a browser client.
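The behaviour in the answer above comes down to one detail of the Set-Cookie header: a cookie without Expires or Max-Age is a session cookie that the browser discards when it closes, even though the server-side session lives on until it times out. The following Python is an added example (not code from the thread or from ColdFusion) that parses Set-Cookie headers and reports which cookies would survive a browser restart; the sample headers and their values are constructed and only modelled on what a servlet container and ColdFusion client-variable cookies look like.

```python
"""Classify Set-Cookie headers as session-scoped or persistent (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Attributes without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(cookie: dict) -> bool:
    """True when the browser drops the cookie at the end of the browsing session."""
    attrs = cookie["attrs"]
    return "expires" not in attrs and "max-age" not in attrs


def lifetime_seconds(cookie: dict, now: datetime) -> Optional[int]:
    """Seconds until the cookie expires, or None for a session cookie.

    Max-Age takes precedence over Expires when both are present (RFC 6265, 5.3).
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None


def remaining_lifetime(header: str) -> Optional[int]:
    """Convenience wrapper: lifetime of a raw Set-Cookie header measured from now."""
    return lifetime_seconds(parse_set_cookie(header), datetime.now(timezone.utc))


def survives_browser_restart(header: str) -> bool:
    """A persistent cookie is written to disk and sent again after a restart."""
    return not is_session_cookie(parse_set_cookie(header))


# Constructed sample headers (values are made up):
#   - a servlet-container JSESSIONID with no lifetime attributes (session cookie)
#   - persistent cookies with an Expires date and a Max-Age, respectively
SAMPLE_HEADERS = [
    "JSESSIONID=0000A1B2C3D4E5F6; Path=/; HttpOnly",
    "CFID=123456; Expires=Wed, 01 Jan 2053 00:00:00 GMT; Path=/; HttpOnly",
    "CFTOKEN=9f8e7d6c5b; Max-Age=3600; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        kind = "session (dropped on browser close)" if is_session_cookie(cookie) else "persistent"
        print(f"{cookie['name']:10s} {kind:36s} lifetime={remaining_lifetime(header)}")
```

Running it shows JSESSIONID as the only session cookie in the list: that is exactly why a closed-and-reopened browser presents a fresh JSESSIONID while the old J2EE session still sits on the server until its timeout.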

Related

Connecting localhost to a remote dev server (CORS, same-site, secure and other headaches)

I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
The server engineer and I have added SameSite=None to the cookie as well as Secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "This Set-Cookie was blocked because it had the 'Secure' attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
1. Need to make my localhost https somehow?
2. Need to make the dev-server domain https?
3. Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
1. No
2. Yes
3. No
You can run your app on http://localhost:port. Assuming the response from your dev server carries a Set-Cookie header for a cookie with the Secure flag, your dev-server URL has to be https in order for the browser to accept the cookie.
I have this setup and it works just fine.
Regarding CORS (as mentioned in the title of the question): you have to have your server configured to accept credentials and to have allowed origins configured. The client app, when making an XHR request, has to set withCredentials: true. Check points 2 and 3 in my post for details.
Also note that if you are using Chrome you can, for development purposes, bypass the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here.
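The rules this answer relies on can be checked without a browser. The Python below is an added example (not code from the thread or from either the React or Bottle project) that encodes them: a Secure cookie is only stored when the response arrived over https, SameSite=None is only honoured together with Secure, a SameSite=Lax/Strict cookie cannot be set from a cross-site response, and a credentialed cross-origin XHR needs an explicit Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true (a wildcard origin is refused with credentials). The URLs and the cookie are constructed placeholders for the setup in the question; the special treatment some browsers give http://localhost itself is deliberately not modelled.

```python
"""Why a dev-server cookie is refused, and which CORS headers a credentialed
request needs. Added example; the scenario values are constructed."""
from typing import List, Optional
from urllib.parse import urlsplit


def cookie_rejection_reason(set_cookie: str, server_url: str, cross_site: bool) -> Optional[str]:
    """Return why a browser would refuse to store the cookie, or None if accepted.

    server_url is the URL of the response that carried the Set-Cookie header;
    cross_site says whether the page issuing the request is on a different site.
    """
    # Lower-cased attribute map; value-less flags such as Secure become True.
    attrs = {
        part.strip().partition("=")[0].lower(): (part.strip().partition("=")[2] or True)
        for part in set_cookie.split(";")[1:]
    }
    secure = attrs.get("secure") is True
    samesite = str(attrs.get("samesite", "lax")).lower()  # browsers default to Lax
    if secure and urlsplit(server_url).scheme != "https":
        return "Secure attribute but not received over a secure connection"
    if samesite == "none" and not secure:
        return "SameSite=None requires the Secure attribute"
    if cross_site and samesite != "none":
        return f"SameSite={samesite} cookie cannot be set from a cross-site response"
    return None


def cors_response_headers(origin: Optional[str], allowed_origins: List[str], credentials: bool) -> dict:
    """Headers the server must add so a credentialed XHR from `origin` succeeds.

    With credentials the wildcard '*' is not permitted, so the origin is echoed
    back only when it is on the allow list; Vary: Origin keeps shared caches
    from serving one origin's headers to another.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed values for the question's setup: React dev server on localhost,
# remote Bottle dev server reachable over http or https (hostnames are placeholders).
LOCAL_ORIGIN = "http://localhost:3000"
DEV_SERVER_HTTP = "http://dev.example.test:8080/login"
DEV_SERVER_HTTPS = "https://dev.example.test/login"
SESSION_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=None"

if __name__ == "__main__":
    for url in (DEV_SERVER_HTTP, DEV_SERVER_HTTPS):
        reason = cookie_rejection_reason(SESSION_COOKIE, url, cross_site=True)
        print(f"{url}: {'accepted' if reason is None else 'rejected: ' + reason}")
    print(cors_response_headers(LOCAL_ORIGIN, [LOCAL_ORIGIN], credentials=True))
    print(cors_response_headers("http://other.example.test", [LOCAL_ORIGIN], credentials=True))
```

The first loop reproduces the answer's 1/2/3: the http dev server is the one that fails, and switching only the dev server to https makes the same cookie acceptable while the React app stays on plain http://localhost. The second call shows the server-side half of the CORS configuration the answer asks for, with an unlisted origin getting no CORS headers at all.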

ColdFusion 11 Application Server stops automatically in Windows 10

I'm working on a ColdFusion 11 project with IIS as the web server. I'm facing a problem with the ColdFusion services. The ColdFusion 11 Application Server stops suddenly, and after restarting the service it works for 2 minutes and then shuts down again.
The status in Services shows 'Running', but when I cross-check with the Administrator it's already stopped. While restarting the service it also throws Error 1053. I have tried editing the registry and adding the 'ServicesPipeTimeout' value, but it didn't work. Please help to resolve the automatic shutting down of the service.

ColdFusion 11: Variable is Undefined in session

Recently some users have been experiencing this error. This error doesn't appear until the user has been in the application for a while (ranging from a couple of minutes to an hour and a half).
When this issue first came up, I modified the application.cfm file, which contains the timeout variables. This helped one user, but now more are experiencing the same error. Below is the modified code; I extended the timeout to 200 minutes.
<CFAPPLICATION
NAME="MyApplication"
SESSIONMANAGEMENT="Yes"
sessiontimeout="#CreateTimeSpan(0,0,200,0)#"
applicationtimeout="#CreateTimeSpan(0,0,200,0)#">
My question: Users are still experiencing this timeout error within 5 minutes, after I set the timeout to 200 minutes. Can there be a variable or something that is set on the CF Admin side which overrides my timeout span? If there is not, I will need to research into this more. Any suggestions or comments are helpful, thanks.
You definitely need more info from the hosting provider. Common issues include:
They are load balancing and not using sticky sessions, so the user will have to log in and create a session on each server that is part of the load-balanced cluster.
They have a proxy or webserver in front of the ColdFusion server with configuration that alters the response from the ColdFusion server.
They have settings in the CF Admin console that limit the application settings, as per the comments provided by TRose and Chris.
So the concern is timing out: IIS, Apache, and Tomcat web services can time out as well. For example, if Apache is set to time out in 300 seconds but ColdFusion is set to time out in 350, the web server will always trigger first (it won't matter what you do in ColdFusion Admin or cfsetting because the web server supersedes it).
So web server timeout implementations could front-run your ColdFusion timeouts.

CRM 2011 - A connection that was expected to be kept alive was closed by the server

One day we ran into a problem connecting to the CRM server from outside. When we tried to use the web service for communication with the CRM, or used some Microsoft utilities such as crmsvcutil.exe, the server returned the following error:
Exiting program with exception: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.
When we used the CRM WS it seemed that the first query worked correctly and returned the data. However, when we issued another query it failed.
I have found this can also be if you try to return an IEnumerable of something from a service to a client.
Enumerate it first (basically call ToList()) to ensure all data is retrieved before the program flow moves on and the connection is terminated.
We have found the following solution which can be useful for you:
The problem was in the settings of the CRM on the IIS. Open the IIS and disable the "HTTP keep-alive" option (CRM web site -> HTTP Response Headers -> Set Common Headers… in the Action panel) - http://www.dotnetscraps.com/dotnetscraps/post/did-you-know-enable-http-keep-alive-in-iis-7-75.aspx
If you can't disable the keep-alive option for the whole CRM, you can update the code which uses the CRM web service (disable the keep-alive setting in the code) - http://weblogs.asp.net/jan/archive/2004/01/28/63771.aspx
If IFD is enabled, then we need to check the WPC token expiration.

Using Connection Based State with Apache2

I am writing an HTTPS based application using Apache2 as the web server, and python as the language (not sure which framework or Apache2 mod yet). After clients (which are not web browsers) first establish an HTTPS connection to the server, they are expected to send an authentication message. If authentication is successful, they are able to send more commands, until the connection is closed (HTTP 1.1 will be used, with a long keep alive time). My question is, is it possible to have state associated with the connection? I don't want the client to have to send cookies or session ids -- the HTTPS application should be able to figure out the session based on the connection that each request belongs to...the question is how?
HTTP(S) is a stateless protocol, so if you don't want cookies maintaining the state, then you must pass the state to the server each time using hidden variables, query params or some other means, and take care of it on the server side.
One possible solution is using SSL_SESSION_ID, which is accessible to applications using mod_python, to uniquely identify each client. The problem with this is the ID can apparently change -- but it isn't clear to me whether it can change in the middle of a connection (which would be problematic), or only between connections (which is good -- I actually would need to enforce this behavior).
Anyway, this is the sort of thing I'm looking for, if it wasn't clear from the original question.