ColdFusion9 session variables randomly clear - coldfusion

I have an application that keeps giving me Variable undefined in session. This happens randomly. I can click on a page and get the error, log out and then back in and click on the same page and don't get the error, click three more pages fine, then click another page and get the error again. I have not found any rhyme or reason to it. In my application.cfm I have:
<cfset SessionTimeout = CreateTimeSpan(0, 2, 0, 0)>
<cfset LoginTimeout = 7200>
<cfapplication name="redbook"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
clientstorage="cookie"
sessionTimeout = #SessionTimeout#>
In looking at a proxy debugger, I can see all my session variables declared on the page before it errors. On the next page (when it errors) the only session variables I see are:
cfid, cftoken, sessionid, urltoken
Has anyone else experienced this?
I am running Coldfusion Version 9.0.2.282541 on Windows Server 2008 R2.
Please let me know if you need any more details.

The issue was the load balancing. As it went from page to page, it sometimes switched servers, clearing out the session variables.
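A diagnostic Application.cfc, added here as an example and not code from the question or the answer, that makes a load-balancer switch visible in the logs: it records which node created each session and flags a session start for a browser that already presented a CFID. It assumes the "redbook" settings from the question, a CF9-era Application.cfc, and a log file name of sessiontrace (my choice).

```cfml
component {
    // Same settings as the application.cfm in the question, in Application.cfc form.
    this.name = "redbook";
    this.sessionManagement = true;
    this.clientManagement = true;
    this.clientStorage = "cookie";
    this.setClientCookies = true;
    this.sessionTimeout = createTimeSpan(0, 2, 0, 0);

    function onSessionStart() {
        // CF9 requires var declarations at the top of the function.
        var node = hostName();
        var match = reFind("(^|;)\s*CFID=([^;]*)", cgi.http_cookie, 1, true);
        var presentedId = match.len[1] ? mid(cgi.http_cookie, match.pos[3], match.len[3]) : "";
        session.node = node;
        if (len(presentedId)) {
            // The browser already had a CFID, yet no session existed for it here:
            // either the session expired, or this node never saw it, which is what
            // a load balancer without sticky sessions produces.
            writeLog(file="sessiontrace", type="warning",
                text="new session for existing CFID=#presentedId# on node=#node# page=#cgi.script_name#");
        } else {
            writeLog(file="sessiontrace", type="information",
                text="first visit, new session on node=#node#");
        }
    }

    function onRequestStart(required string targetPage) {
        // One line per request ties the session id to the node that served it, so a
        // merged log from all nodes shows the bounce just before the variables vanish.
        writeLog(file="sessiontrace", type="information",
            text="sessionid=#session.sessionid# node=#session.node# page=#arguments.targetPage#");
        return true;
    }

    private string function hostName() {
        // Host name of this node; cgi.server_name would only show the shared site name.
        return createObject("java", "java.net.InetAddress").getLocalHost().getHostName();
    }
}
```

Merging sessiontrace.log from every node and grepping one CFID shows whether "new session for existing CFID" lines appear on a different node each time the variables disappear.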


CF-2016 mappings don't find file from the specified location

I have migrated from ColdFusion 8 to ColdFusion 2016 and specified the path under CF Admin console. See picture. One of my files (login.cfm) is under /common directory outside webroot.
When I hit application url, first it finds index.cfm and then validate.cfm in which I am calling login.cfm using cfmodule. Please check the lines of code here from validate.cfm.
<cftry>
<cfmodule template="/common/security/login.cfm"
login="#form.login#"
password="#form.password#"
returnvar="login_result">
<cfcatch>
<cf_error_logreg error="An error occurred checking for active PO in validate.cfm. Please report this error to #request.app.admin_email# immediately.">
<cfabort>
</cfcatch>
</cftry>
So it doesn't run the cfmodule and throws out of the cftry block every time it finds some page from the /common directory, and shows the error message that is specified in the cfcatch block. Which means it's not accessing the mappings which I have set in the CF Admin console. Any idea?
I am using IIS as a web server.
Issue resolved. The mappings we did were right, but the Application was failing to set the cookies. ColdFusion was unable to add the cookie we specified to the response. This is probably because we have used it to set one of the ColdFusion Session Cookies or Authentication cookie. I have fixed that.
To fix this, I logged in to Coldfusion Admin> Memory Variables and unchecked 'Disable updating Coldfusion internal cookies using Coldfusion tags/functions.'
Save settings and restarted the website. It worked.

Coldfusion same file different output on CF10 and CF11 using cfheader

I have this simple code in Coldfusion
<cfheader
statuscode="400"
statustext="There was something wrong with the request."
/>
<cfoutput>This is what I want to return as the output.</cfoutput>
<cfabort>
When I run this on my localhost running CF10, I get this output on my Chrome browser:
But when I run this same file on another server running CF11, I get this output:
Am I missing something? Is there some other way of doing this in CF11?
Any help would be really appreciated. Thanks.
The issue actually has nothing to do with ColdFusion, either 10 or 11.
By default, IIS does not show the statustext portion of the error message; it only shows the statuscode number. This is a security feature to prevent data leakage. If you do want to show the statustext portion of the error message, that is called "Detailed Error Messages" in IIS.
Steps to enable Detailed Error Messages in IIS 7:
Open the IIS7 manager
Select the Website and on its features view, double click on "Error Pages".
Right click and select "Edit Feature Settings..." or select the same from the Actions pane (on the right hand side)
Select the "Detailed errors" radio button and click on OK
Now, even your client browsers will be able to see the detailed error messages.
More information:
https://blogs.msdn.microsoft.com/rakkimk/2007/05/25/iis7-how-to-enable-the-detailed-error-messages-for-the-website-while-browsed-from-for-the-client-browsers/
https://www.iis.net/learn/troubleshoot/diagnosing-http-errors/how-to-use-http-detailed-errors-in-iis

ColdFusion Application.cfc onRequestStart Session scope

I have an application written in ColdFusion that allows users to log in. My login page is in the root directory in a sub-directory called "login". During the login process, the system checks the username and password against my database, and assuming they are legit, it sets a Session variable of "Session.LOGIN_ID". At the bottom of my login script, I can print the login_id to the browser without any problem. However, the last part of my login script is to redirect the user to the main home page, which is located in the root directory in a sub-directory called "main", and once in a while the page fails to load and rather directs the user back to the login screen with a message stating that their session has ended due to inactivity.
I have a Application.cfc file defined in the "main" folder, with a onRequestStart method defined that checks for the Session.LOGIN_ID being defined. If it is not, it redirects the user back to the login page and shows the message that their session has ended due to inactivity.
My question is, why is my session variable not present in the onRequestStart method? It's strange because if I clear my browser cache and login, I'm able to log in without any problem.
Does this make sense to anyone? Any suggestions as to what I could look for that could be causing this problem? I tried to dump the session vars using cfdump var=#session# from within the onRequestStart method and CF throws an error stating that SESSION is undefined.
UPDATE
In response to Adam's request, there are not multiple domains involved. Also, no switching from HTTP to HTTPS. The login page however is not bound by the Application.cfc because the login page is located in my "login" folder. The Application.cfc file is located in the "main" folder, along with the other components of my application. As far as the screen shot of the cfdump, I don't want to offend anyone but I can't really post the screen shot due to the fact that it contains information pertaining to the site and I'm not authorized to post such information. I can say that when I try to do a cfdump of the session scope, it DOES show a few items in the list such as cfid, tokenid etc. However the session.login_ID is not present.
UPDATE
Okay, so taking the suggestion from Frank I have the onRequestStart method set up so that it sends me an email with a dump of the session and cgi scope. I found the following. In the Session dump, the cfid is equal to 4830, and the cftoken starts with b8e0d5... However, in the CGI dump, under HTTP_COOKIE, the value says CFID=4609; CFTOKEN=dd15bc0.... Are they supposed to match?
For me, the situation was resolved by enabling J2EE sessions variables from within CF Administrator. See related post here https://forums.adobe.com/thread/1058200
This is a formatted comment in response to, "I just noticed that the items didn't match in the dump and figured I'd mention it in case they SHOULD match".
Whether or not they should match is up to the programmer, not us on StackOverflow. However, you debug this sort of thing as follows.
if (actualResult == expectedResult) {
    writeOutput("yes");
} else {
    // Show both values so the difference itself is visible, not just that one exists.
    writeOutput("no: actual = #actualResult#, expected = #expectedResult#");
}
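An added example, not code from the question or either answer, that applies the "compare actual with expected" advice to the exact mismatch reported in the second update: CFID/CFTOKEN as sent in the request's Cookie header versus the identifiers of the session ColdFusion bound the request to. It assumes a CF9-era Application.cfc with session management on and a log file name of sessiontrace (my choice).

```cfml
component {
    this.name = "main";
    this.sessionManagement = true;

    function onRequestStart(required string targetPage) {
        // CF9 requires var declarations at the top of the function.
        var sent = cookiesFromHeader(cgi.http_cookie);
        var expected = { CFID = session.cfid, CFTOKEN = session.cftoken };
        var mismatches = [];
        var key = "";
        var actual = "";
        for (key in expected) {
            actual = structKeyExists(sent, key) ? sent[key] : "(missing)";
            if (actual != expected[key]) {
                arrayAppend(mismatches, "#key#: cookie=#actual# session=#expected[key]#");
            }
        }
        // With J2EE sessions enabled the binding is JSESSIONID instead, so CFID/CFTOKEN
        // may legitimately differ; compare session.sessionid against that cookie then.
        if (arrayLen(mismatches)) {
            writeLog(file="sessiontrace", type="warning",
                text="#arguments.targetPage# from #cgi.remote_addr#: " & arrayToList(mismatches, "; "));
        }
        return true;
    }

    // Turns the raw Cookie header ("CFID=4609; CFTOKEN=dd15bc0...") into a struct of
    // name => value, so the header the browser actually sent is what gets compared.
    private struct function cookiesFromHeader(required string header) {
        var result = {};
        var pairs = listToArray(arguments.header, ";");
        var i = 0;
        var name = "";
        for (i = 1; i <= arrayLen(pairs); i++) {
            name = trim(listFirst(pairs[i], "="));
            if (len(name)) {
                result[name] = listLen(pairs[i], "=") > 1 ? trim(listRest(pairs[i], "=")) : "";
            }
        }
        return result;
    }
}
```

A request whose cookie CFID is 4609 while the bound session reports 4830, as in the update, produces one warning line naming the page, the client address and both values.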

Coldfusion 9 cfscript cfcookie and cookie (script style)

I am trying to set my cookie CFIDE and CFTOKEN to be HTTPOnly in Coldfusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do an empty cache hard reload in Chrome. When the page reloads I should see the Resources Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works but my Application.cfc is all script style and I want to keep it that way...So how do I do this script style in Coldfusion 9?
Update for my fix:
I used the getPageContext() below, but it didn't work as it was. Also onSessionStart() event handler changed to create the session.CFID and session.CFTOKEN with the CreateUUID() which is also new in my Application.cfc file. So for posterity here is what that block of code looks like.
function onSessionStart(){
    getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
    getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another Note: For some reason if the session is cleared and the onsessionstart() handler is requested this set cookie stuff above will fail. There has to be a try catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched up release of Coldfusion 10 (or soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the
httponly attribute to all session cookies created by ColdFusion (such
as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To
enable this setting, if you are running a JRun J2EE installation or
multi-server installation, you must edit jvm.config, otherwise you can
enable this setting from the CF Administrator. If you are running a
J2EE server other than JRun consult your documentation for an
appropriate setting. J2EE servers that support the Servlet 3.0
specification can specify
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your application.cfc inside of the onsessionstart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscript. cfcookie is not supported in script form in CF9. There are flags in the application settings added to CF10 to address this issue; however, CF11 will have full support for it inside of scripts. Unfortunately, I think you will have to forgo the uniform code for functionality, unless you have access to your CFIDE/Administrator: you can add a Java argument to turn it on server-wide. Add this to your JVM config
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm
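An added example (mine, not code from the question, its update, or either answer) that folds the update's getPageContext approach and its try/catch note into one CF9 script-style Application.cfc, and adds the Secure attribute on HTTPS requests. It assumes this.setClientCookies = false so CF does not also send its own non-HttpOnly copies, and a log file name of sessiontrace (my choice).

```cfml
component {
    this.name = "scriptapp";
    this.sessionManagement = true;
    // CF9 would otherwise send CFID/CFTOKEN itself, without HttpOnly; this
    // application issues them in onSessionStart instead.
    this.setClientCookies = false;

    function onSessionStart() {
        // CF9 requires var declarations at the top of the function.
        var secure = (cgi.https == "on");
        // The update above notes that issuing the cookies can fail when a cleared
        // session triggers onSessionStart again, hence the try/catch: a failure is
        // logged rather than thrown into the user's request.
        try {
            sendCookie("CFID", session.cfid, secure);
            sendCookie("CFTOKEN", session.cftoken, secure);
        } catch (any e) {
            writeLog(file="sessiontrace", type="error",
                text="could not issue session cookies: #e.message#");
        }
    }

    // Writes one Set-Cookie header through the servlet response, the only route to
    // the HttpOnly attribute from CF9 script, since cfcookie has no script form there.
    private void function sendCookie(required string name, required string value,
                                     required boolean secure) {
        var header = "#arguments.name#=#arguments.value#;path=/;HttpOnly";
        if (arguments.secure) {
            // Only mark Secure on TLS requests; a browser never sends a Secure cookie
            // over plain HTTP, so every such request would start a fresh session.
            header &= ";Secure";
        }
        getPageContext().getResponse().addHeader("Set-Cookie", header);
    }
}
```

Verify the result the way the question describes: after a hard reload, Chrome's cookie view should show the HTTPOnly box checked for both CFID and CFTOKEN, and only those two Set-Cookie headers should appear in the response.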

Link clicked in MS Word loses CF Session vars, but copied & pasted works fine

Been trying to figure this out for an hour now and I'm stymied. Simple site that allows employees to register. Typically the employer has a company wide u/p for all employees to use to access the registration page, but client also wanted a way to give employee a link to auto-login to register.
Simple enough - created a page "r.cfm" that looks for URL.emid (encrypted employer ID) and URL.h (5 character hash as a check based on the decrypted employer ID). A full URL may look something like this:
https://www.domain.com/r.cfm?emid=22EBCA&h=F5DEA
r.cfm makes sure the correct URL vars are there, decrypts the emid, compares the check value and if all is correct sets some session vars as such:
<cflock scope="session" type="exclusive" timeout="10">
<cfset SESSION.LOGGEDIN = TRUE/>
<cfset SESSION.LOGIN.EMPLOYEE.COID = DecryptString(url.emid)/>
</cflock>
I then use CFHEADER 302 and CFHEADER location to send them on to the next page. Here's where it gets weird. On the next page I set up some test code to e-mail me a dump of the session.
If clicked directly in MS Word I get to the 2nd page (the one from the cfheader redirect - employeeRegister.cfm) and I get not one - but two e-mail dumps of the session. The first one shows logged in as true, but the 2nd one shows it as false with a different jsessionid.
If I take the exact same link and paste it into my browser, it works as expected: one e-mail with a session dump showing SESSION.LOGGEDIN as true.
There is nothing on employeeRegister.cfm that would initiate a page reload. It actually doesn't even check the SESSION.LOGGEDIN var until the following page. employeeRegister.cfm is simply terms and conditions and a submit button to go to the next page, which is where the session vars are read and checked. It is literally a div with text and then a form tag with accept / decline.
This is because the Office product initially tries to act as the browser (to test for web authoring) instead of handing off control to the browser right away. By the time the browser gets control of the url a valid session doesn't exist because Office isn't going to share cookies. Without a valid session cookie you end up getting logged out during subsequent redirects or navigation of the site in question.
These MS KB articles should help you solve the problem.
http://support.microsoft.com/kb/899927 <- mostly
http://support.microsoft.com/kb/218153 <- more info about Office links