Two or three weeks ago, I posted a call for help on the CFCDev mailing list regarding this strange problem I was having regarding sessions. I forget exactly how I described the issue, and I'm too lazy to look it up, so I'll just describe it again (and I'm sure now that I've solved it, this description will be much better than the first one):
Basically, when I posted a form in Adobe ColdFusion 6.1 whose action performed a cflocation with the cgi.query_string appended to the URL, and when links also appended that variable, all of a sudden my session would become invalidated. I checked every reference to session. and couldn't find anywhere it would be happening in my code. I couldn't even tell exactly when it was happening even though I put markers in every place I could think of. But finally today I happened to look up at the URL and notice that CFID and CFTOKEN were there multiple times. Clearly that was the problem. After that, I was pretty sure where the problem lay, so I went straight to it and fixed it.
This was never a problem in CF7, that I have been able to reproduce.
If you'd like to reproduce it in CF6.1, here is some simple code to do so:

Application.cfm

<cfapplication name="test_session_funkiness" sessionmanagement="true">
<cfparam name="session.id" default="0">
<cfif session.id is 0>
    <cfset session.id=1>
    The session.id was 0.
</cfif>

start.cfm

<cfoutput><a href="middle.cfm?#cgi.query_string#">go to the middle</a></cfoutput>

middle.cfm

<cflocation url="end.cfm?#cgi.query_string#">

end.cfm

we are at the end.
<cfoutput><a href="start.cfm?#cgi.query_string#">do it one more time</a></cfoutput>

If you set those files up and navigate to start.cfm, you'll see that "the session.id was 0." is output in places you wouldn't expect.
I understand the cause, but I would have expected CF to behave as it does in 7, since (I'm guessing that) appending cgi.query_string to your URL would be fairly common practice. And, as a side note, I'm fairly sure I've run into this before - only I had just forgotten (it seeeeemed familiar). That's why I wrote it down this time (and to help anyone who may also have had the problem).
Hi Sam,
the problem is that with <cflocation> the addtoken attribute HAD the default value of "yes". So unless you specified addtoken="no", CF would always append the session identifier to the URL.
I guess that was changed with CF MX 7, although it is not listed as changed in the CF Livedocs. Apparently MM changed quite a bit about this tag without telling anybody. ;-)
Chris
Posted by Christoph Schmitz on Mar 14, 2007 at 02:55 AM UTC - 6 hrs
Haha, thanks for pointing that out, Chris! I had completely forgotten about the addtoken attribute.
/me slaps his forehead
Posted by Sam on Mar 14, 2007 at 07:39 AM UTC - 6 hrs
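
One way to apply the addtoken="no" setting mentioned in the comments to the reproduction files from the post, as an added example that is not the author's code. stripSessionTokens is a hypothetical helper name, and the sketch assumes the session is carried by the CFID/CFTOKEN cookies rather than by the URL.

```cfml
<!--- Application.cfm (added example): same setup as the post, plus a helper --->
<cfapplication name="test_session_funkiness" sessionmanagement="true">
<cfparam name="session.id" default="0">

<!--- Hypothetical helper: drop CFID/CFTOKEN pairs from a query string so
      they are never copied from one URL into the next. --->
<cffunction name="stripSessionTokens" returntype="string" output="false">
    <cfargument name="queryString" type="string" required="true">
    <cfset var cleaned = "">
    <cfset var pair = "">
    <cfloop list="#arguments.queryString#" index="pair" delimiters="&">
        <!--- The parameter name is the part before the first "=" --->
        <cfif NOT ListFindNoCase("cfid,cftoken", ListFirst(pair, "="))>
            <cfset cleaned = ListAppend(cleaned, pair, "&")>
        </cfif>
    </cfloop>
    <cfreturn cleaned>
</cffunction>

<!--- start.cfm (added example): forward only the application's own parameters.
      HTMLEditFormat encodes the value for the href attribute. --->
<cfoutput>
<a href="middle.cfm?#HTMLEditFormat(stripSessionTokens(cgi.query_string))#">go to the middle</a>
</cfoutput>

<!--- middle.cfm (added example): addtoken="no" stops cflocation from
      appending CFID/CFTOKEN to the redirect URL. --->
<cfset forwardedQuery = stripSessionTokens(cgi.query_string)>
<cflocation url="end.cfm?#forwardedQuery#" addtoken="no">
```

With both changes in place, the redirect target never receives CFID or CFTOKEN in the URL, so the repeated pairs described in the post cannot accumulate. Clients with cookies disabled will not keep their session across the redirect under this setup.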