Testing ColdFusion Session Cookie Acceptance
Posted May 25, 2007 at 5:45 PM
Occasionally, you get random users who cannot seem to hold a session on one of your client sites. The cause of this, most often, is that the user cannot accept cookies, either from any site or from the site in question. This is a hard problem to debug over the phone, so to help with it, I have created a ColdFusion page that tests whether the user's ColdFusion session information is holding across page calls (which would indicate that their cookies are working as well).
The ColdFusion session testing template works by CFLocating back to itself several times and passing the current session's CFID and CFTOKEN values through the URL as an ID list. After several CFLocation tags, if the user's session is holding, every value in that list should be the same.
```cfm
<!--- Kill extra output. --->
<cfsilent>

	<!---
		Param the URL id. This ID will contain a comma
		delimited list of the CFID / CFTOKEN values.
	--->
	<cfparam
		name="URL.id"
		type="string"
		default=""
		/>


	<!---
		Check to see if the ID list is less than 5.
		Technically, 2 values is all we really need to
		test the cookies, but I like to give it a few
		extra to see if something really weird is happening.
	--->
	<cfif (ListLen( URL.id ) LT 5)>


		<!---
			Append the current session information
			to the URL id list.
		--->
		<cfset URL.id = ListAppend(
			URL.id,
			"#SESSION.CFID#-#SESSION.CFTOKEN#"
			) />

		<!---
			Relocate back to this page with the updated
			ID list. The list is URL-encoded because part
			of it comes from the incoming (user-supplied)
			URL and ends up in the Location header.
		--->
		<cflocation
			url="#CGI.script_name#?id=#URLEncodedFormat( URL.id )#"
			addtoken="false"
			/>

	</cfif>


	<!---
		ASSERT: If we have gotten this far then we know
		that this page has been called 5 times and that
		we now have an ID list with 5 items containing
		this user's session information. The list still
		arrives through the URL, so it is treated as
		untrusted and HTML-escaped wherever it is output.
	--->


	<!---
		Break the ID list into an array for faster access
		and easier notation.
	--->
	<cfset arrID = ListToArray( URL.id ) />

</cfsilent>


<cfoutput>

	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html>
	<head>
		<title>ColdFusion Session Cookie Test</title>

		<style type="text/css">

			p.confirm {
				background-color: ##F9FBFF ;
				border: 2px solid ##6699FF ;
				font-size: 28px ;
				padding: 20px 0px 20px 0px ;
				text-align: center ;
				}

		</style>
	</head>
	<body>

		<h2>
			ColdFusion Session Cookie Test
		</h2>

		<p>
			In order for you to be able to log into
			this site, you must have Cookies enabled in
			your browser. If cookies are enabled, the
			following 5 values will be identical:
		</p>


		<ol>
			<!--- Loop over values and output them (HTML-escaped). --->
			<cfloop
				index="intI"
				from="1"
				to="5"
				step="1">

				<li>
					#HTMLEditFormat( arrID[ intI ] )#
				</li>

			</cfloop>
		</ol>


		<p class="confirm">

			<strong>Cookies Accepted:</strong>


			<!---
				We will know that the session cookie
				information held from request to request
				if all the values in the list are identical.
				Check each value against the next.
			--->
			#YesNoFormat(
				(arrID[ 1 ] EQ arrID[ 2 ]) AND
				(arrID[ 2 ] EQ arrID[ 3 ]) AND
				(arrID[ 3 ] EQ arrID[ 4 ]) AND
				(arrID[ 4 ] EQ arrID[ 5 ])
				)#
		</p>

		<p>
			If your cookies are not being accepted, please
			copy and paste the contents of this page into an
			email and send it to nikki@girls-like-girls.com.
		</p>


		<!---
			Output some browser related information that
			might help the tech team debug just what is
			going on.
		--->

		<h3>
			Browser Information
		</h3>

		<p>
			<strong>User Agent:</strong><br />

			<!--- The user agent is a request header, so escape it. --->
			#HTMLEditFormat( CGI.http_user_agent )#
		</p>

		<p>
			<strong>Request Cookies:</strong><br />

			<!---
				When outputting the browser's cookie, just
				try to replace out references to CFIDE and
				ADMINISTRATOR (if they are there) so people
				don't get any funny ideas. The result is
				HTML-escaped before it is written out.
			--->
			#HTMLEditFormat(
				ToString( CGI.http_cookie ).ReplaceAll(
					"(?i)cfide|administrator|cfadmin",
					"temp"
					)
				)#
		</p>

	</body>
	</html>

</cfoutput>
```
Hitting the above ColdFusion template, my browser looks like this:
Notice that it outputs the CFID and CFTOKEN values. All 5 values should be the same if the SESSION scope was maintained and the cookies were accepted. I assume this will not work for all login setups, but it will work for most of mine. Additionally, I am outputting the user agent information as well as the cookies that were broadcast by the requesting browser. I figured the more information that the user can email to the tech team, the better.
Now, you have probably seen cookie testing where someone just sets a cookie value using ColdFusion's CFCookie tag and then checks to see if that variable exists in the ColdFusion COOKIE scope. This is not acceptable. CFCookie will always be able to set the value on the first go (as far as I know). What we really need to test is the round-trip journey from the server back to the browser back to the server. This is the only true way to test cookie acceptance (as far as I can see).
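The difference between the same-request check and the round trip, modelled in memory as an added example (Python, not the post's ColdFusion code and not run against a ColdFusion server). The names `handle`, `run_client`, `naive_check` and the `SID` cookie are illustrative assumptions, and the ID list carries a hash of the session ID instead of the raw value so the identifier stays out of URLs, logs and e-mails.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

SESSIONS = set()  # constructed stand-in for the server's session store


def fingerprint(session_id):
    """Short hash: comparable across requests without exposing the ID."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]


def handle(ids, cookie_header):
    """Model of the test page: returns (status, headers, body)."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["SID"].value if "SID" in jar else None
    headers = {}
    if sid not in SESSIONS:
        # No usable cookie came back, so the server starts a new session.
        sid = secrets.token_hex(16)
        SESSIONS.add(sid)
        headers["Set-Cookie"] = f"SID={sid}; Path=/; HttpOnly"
    ids = ids + [fingerprint(sid)]
    if len(ids) < 5:
        # Redirect back to the same page with the growing list.
        headers["Location"] = "/test?id=" + ",".join(ids)
        return 302, headers, None
    return 200, headers, {"ids": ids, "accepted": len(set(ids)) == 1}


def run_client(accepts_cookies):
    """Follow the redirects like a browser that keeps or drops cookies."""
    cookie, ids = None, []
    while True:
        status, headers, body = handle(ids, cookie)
        if accepts_cookies and "Set-Cookie" in headers:
            cookie = headers["Set-Cookie"].split(";", 1)[0]
        if status == 200:
            return body
        ids = headers["Location"].split("id=", 1)[1].split(",")


def naive_check(cookie_header):
    """Set a cookie and look for it in the same request (the flawed test)."""
    scope = SimpleCookie(cookie_header or "")
    scope["TEST"] = "1"  # the server-side scope is updated immediately
    return "TEST" in scope  # true whether or not the browser keeps it


if __name__ == "__main__":
    print("cookies kept   :", run_client(True)["accepted"])
    print("cookies dropped:", run_client(False)["accepted"])
    print("naive check    :", naive_check(None))
```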
Reader Comments
Ben:
Thanks for the excellent writeup!
Amazing timing here as I have been having strange problems lately with some of my applications...
First, I *never* in the past used URLSessionFormat() when building URLs in my session based applications and they always seemed to "just work".
Now I have been doing a bit more CFLocation and other things to move users around between different CF Applications (different application names).
I am now seeing about 1% of my users seem to have problems where their browser will not maintain session correctly. I have it happening on one of my test boxes as well... The boxes have cookies enabled... Restarting, using a different browser Firefox/IE, cleaning all cookies, reinstalling the browsers, praying... nothing seems to fix the problem. I finally decided to "fix it" by modifying my code to use the URLSessionFormat function... That didn't solve my problem.
I am actually having to put the CFID and CFToken into the URLs and links and form submissions myself. It is the only way I have been able to maintain the session on these PCs.
Ever hear of that one? I have been banging my head against the wall for a few days here...
Of course...
I write all that down, and then check the CFQuickDocs link for URLSessionFormat, http://www.cfquickdocs.com/#URLSessionFormat, and I see that there is a comment from tommyviper that states "Using MX7 Ent. on IIS - disabling J2EE caused this function to ignore whether or not the client accepts cookies.".
I am on CFMX7 Standard and I have "Use J2EE session variables" turned off... Is that why the URLSessionFormat isn't working?
Sorry, I don't really know why I am asking you this exactly! lol
Thanks again for all you do for the community, Ben, and I hope you enjoy the 3 day weekend!
@Ken,
To be honest, I have never used ColdFusion's URLSessionFormat(). However, if you are throwing people from one application to another application, they are going to exist in different memory spaces; as a result, I am not sure how they would even hold session information.
Of course, I have never done that, so I could be totally off base there.
Also, I am not aware of the MX7 and IIS interaction, so any comments you get off of CFQuickDocs are going to be better than any I could give you.
Now you have me curious... I need to go play around with throwing people into different apps.
Ben:
I didn't explain that very well.
When I forward the user to a new application, I pass URL variables so that the next app can determine who the user is... usually just a hash of their userid (plus extra text), or using Encrypt/Decrypt...
So once the user gets to the new app, I can see that the first page does exactly what it is supposed to, but when they click a link, or submit a form, the session gets lost and I can absolutely verify that the users do have cookies enabled.
It has been a nasty little pest...
@Ken,
That sounds like a sticky problem. I wish I had better advice to give you, but I do not.
Ben,
Thanks for this script. I'm using it to diagnose some problems I've been having with one of my websites.
In my case, cookies are written properly to the browser and the browser sends the cookies with the request (per IIS logs) but ColdFusion still can't read them. This results in no shopping cart, no sales, and bad rep.
This only happens intermittently but is a very big problem on such a low volume site as mine. I've detailed my problem on the CF Forums. If you have time, maybe you could take a look?
If not, no big deal. I appreciate the time you've taken with your blog. I've been using it as a CF resource for quite some time now.
Thanks!!!
-Sam
@Sam,
Your problem, and cookie problems in general are SO hard to debug especially when you can't duplicate the error in the development environment.
When you say the browser writes the cookies properly, and that ColdFusion is sending them properly, do the users pass the Cookie test page (outlined in this blog post)? Or are they still failing that one?
It's really weird. The site works for most people. The few users that have a problem get my "You must enable cookies to use the site." error message because ColdFusion can't see the cookies. They swear they have cookies enabled and have even sent me screen shots of the cookies in Firefox, IE, Safari, etc.
I've checked my IIS logs and, sure enough, when the user is redirected to my error page, I can see the proper cookies exist in the http request. That is, the cookies are getting to the webserver but not ColdFusion. I've had a couple of these users hit your cookie test page... The page fails but, again, the cookies exist in the user's browser and I can see the cookies in the IIS log file.
Ugh!
I'll keep plugging away and let you know what I find.
I have been "dealing" with this exact behavior for ages. You can pass cfid and cftoken on the url and even set cfid and cftoken in the cookie/session/client scopes on every page till you are blue in the face and for some users cf server simply does not use them and creates new session for every page request.
I have had users go through half an application and suddenly lose their session. From that point on no matter what they do (clear cache, cookies, etc) they will no longer be able to use the application.
In theory the server first checks the cookies and then the url scope for the id and token but even when I can display the passed values on the pages cf still creates new sessions. What gives? I have never found a solution but I know that it is a real problem for many. I have never had to deal with this on any other platform.
Anyone have more to say about this? Any new discoveries since October? We're considering making our ecommerce site available to users that choose to block cookies. I'd love to get any last minute advice before trying to code this. I'll post back here what I discover myself as well.
I've been dealing with the issue of cookie acceptance for awhile, and I haven't been able to come up with a really good solution. I've tested setting cookies on one page and then checking for the existence of them on another, and that works, but there are usability problems with that approach.
I really appreciate the ideas in this post. It offers a creative way to check if cookies are enabled in a browser. I am, however, having issues using this method with IE 7. It seems that IE 7 will keep the cfid and cftoken values the same for each iteration even when cookies are disabled.
Is there an update to this method that will work with IE 7? Is there another method for testing cookie acceptance?
@David,
If IE 7 keeps the same CFID / CFTOKEN values, then that should mean that it is maintaining the session? I am surprised that works if cookies are disabled. Maybe it still keeps "session cookies" which will be deleted when the browser closes.
Actually, what I'm finding is that IE 7 will keep the same CFID and CFTOKEN values but will not maintain the session. It's odd, I know. I will disable cookies in IE 7 and then run the code you have here and it will tell me that cookies are enabled and will show the CFID/CFTOKEN values to all be the same. But then when I try logging in on my Web site, the site will not maintain a session.
My browser is set to block all cookies, and I've looked in the Temporary Internet Files folder and the Cookies folder on my C: drive, and I don't see any cookies anywhere (although I'm not sure where to look for "session cookies").
Any ideas?
Thanks,
David
I'm sorry, I forgot to post an update to my situation (glad I subscribed to the comments here).
In my case, it turned out ColdFusion was doing exactly what it was supposed to do (Ben's script confirmed this).
The webserver was setup to host two different domains, a .com and a .co.uk. Both domains pointed to the same webroot and shared the same IIS log. It turned out that there was a JavaScript redirect during the checkout process that we didn't catch. (We inherited this app and don't use Javascript redirects so didn't think to look for it.) The .co.uk user was redirected to the .com address and the CFID/CFTOKEN values were not passed so the session was lost.
Because both domains used one IIS website, there was only one logfile and the log didn't indicate which domain was used.
Very frustrating but I'm glad it was a coding problem and not related to browsers and/or ColdFusion.
Thanks again Ben for this great resource. Keep up the good work.
-Sam
@Sam,
Glad you got it figured out :)
I am also having the same "session lost" issue on one of my projects. When a user logs in, a couple of session variables are set and then the user is redirected to his profile page. This works perfectly for most of the users but fails for some minor users. CF just creates a new session (a new cfid & cftoken) when the user arrives at his profile page rather than using the existing one.
I don't think my problem is due to cookies being turned off, as it happened once on our development box and we were never able to recreate it since then. I have never had this problem with my other projects during my 5 years of CF development life.
I then found this Adobe article:
http://kb2.adobe.com/cps/181/tn_18171.html
Basically it says setting session variables while doing cflocation may result in the cookie not being properly set. I tried using client redirection after user login to send him to his profile page but still had no luck.
@Tomy,
I believe that the cookie / CFLocation issue was in older versions of ColdFusion. I am pretty sure that as of MX (at least 7) this has been fixed. As such, I am pretty sure that is not the issue.
Can you get a given user to replicate this issue? Or does it happen completely sporadically?
I feel everyone's pain.
In my case for an extremely small number of users session state is lost during a https post to the same page. This occurs well after the user is logged in on https, and only when posting to the same page. No tricky redirects here.
It was impossible to debug until it happened to a client of mine. I went thru all the usual environment testing with him to no avail. Then I had him disable his anti-virus software and problem solved. Of course his anti-virus software was actually a suite of software with all its "I'm going to protect you from yourself" applications.
I had him change anti-virus companies and he's never had another experience of that issue. Of course you can't expect users to do that, nor would you want the liability.
My solution? In this case I don't worry about it. I figure as diverse as user environments are I can't expect 100% usability. I'll settle for 99.9%.
Kinda reminds me of the problem I experienced with users stepping on each other's sessions, which I finally tracked down to their network switch not maintaining sessions properly, but that's another story.
@Phil,
Yeah, I've heard of anti-virus apps causing problems. Sometimes they just go overboard. In that case, I think sometimes adding the site to the "trusted sites" in internet options helps fix it.
I have a weird issue where just a couple of users can't seem to read cookies. Session is maintained fine, so cfid/cftoken are working. But I set another cookie to note that certain files have been installed on the particular computer. On just a couple of computers, strangely it's mine and another developer's, cf can't seem to read additional cookies that are set. I can look in the cookies directory and see the cookie values are there, but for whatever reason cfmx7 isn't reading them. I dumped the cookie scope at the end of the page and cfid/cftoken show, but that's it.
Any idea what could be causing cfmx7 to not be able to read a client's cookies? Especially on a developer's machine?
Thanks!
Ken
@Ken,
On the computers that are able to reproduce this behavior, does it work the same on the different browsers (ex. IE and FireFox)? If not, if one works and the other doesn't, then it may be at the browser level.
I recently had a problem in which some code was accidentally switching domains after a particular action - adding the "www":
somedomain.com
... to:
www.somedomain.com
This worked fine in FireFox because it sent Only the appropriate cookies; however in IE, both the non-www AND the www subdomain cookies were being sent (an error in IE's cookie functionality as far as I could figure out).
Not saying that's your problem - just that you should check cross-browser to see if the various browsers all reproduce the problem.
Good thought, it is browser specific. However there is no "www" in this case or anything like that. It is an internal domain so it is just http://applicationname/index.cfm. Furthermore I am looking at the cookies in the cookies directory and it is listed as "userid@applicationName[1].txt". The [1] seems to be fairly normal behavior because I see it for a lot of cookies in the directory.
Presumably developers have more updated versions of IE and that is why this is occurring for us only, that is what I presume without real evidence. So when everyone gets upgraded my life will become hell until I figure out the issue. Either that or it has something to do with us having IIS (for .NET development) and other such no-no's installed locally.
Well, if you have any more ideas they'd be greatly appreciated. I'll continue to pursue it from a browser level.
Have a good one..
Ken
Ken, a while back I had a cookie issue that was giving me fits and seemed to be localized to my development machine. I can't remember the details but I finally figured out it was specific to IE and was occurring when debugging was enabled. In this case I was using IP specific debugging.
I never did figure out why it was happening, but now every time I have strange behavior coming from IE I turn off debugging to see if the problem goes away.
Just a thought.
No dice, thanks though.
@Ken,
Sorry, I don't have any more ideas. The only other thing I can think of is that the cookie is being set twice with slightly different settings that, for one reason or another, are not being seen as the same cookie (which is causing double posting)... other than that, I got nothing.
No problem buddy, hope I can return the favor and help you with some BI stuff someday.
Fare thee well!




