Every now and then, in very rare, seemingly random ways, I'll get funky SESSION errors in my ColdFusion applications. Generally, I'll get an email (I email myself errors) that says something like:
Element USER is undefined in SESSION.
This error will be in some part of the application that the user could not possibly have gotten to had they not already been logged in and clicking around. Meaning, there is no way that the SESSION object would not have been fully initialized at that point in the code.
I have never been able to debug this problem. In fact, I've never even been able to duplicate the error after I see it come in. Last night, however, I was thinking about session management and it suddenly occurred to me that I am not exactly sure what happens if something in the OnSessionStart() event handler fails. Meaning, if the OnSessionStart() event handler throws an error, does the session get created?
To test this, I set up a simple Application.cfc component with a faulty OnSessionStart() event handler:
<cfcomponent output="false" hint="I define application settings and event handlers."> <!--- Define application settings. ---> <cfset THIS.Name = "SessionTest" /> <cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 5, 0 ) /> <cfset THIS.SessionManagement = true /> <cfset THIS.SessionTimeout = CreateTimeSpan( 0, 0, 0, 20 ) /> <cffunction name="OnSessionStart" access="public" returntype="void" output="false" hint="I fire when a new session begins."> <!--- FORCE FAILURE AFTERWARDS. ---> <cfset SESSION.Foo = Bar /> <!--- Set up session variables. ---> <cfset SESSION.LoggedIn = false /> <cfset SESSION.ID = 0 /> <cfset SESSION.Name = "Guest" /> <!--- Return out. ---> <cfreturn /> </cffunction> <cffunction name="OnRequestStart" access="public" returntype="boolean" output="false" hint="I fire when a new request begins."> <!--- Check to see if the user is logged in. ---> <cfif NOT SESSION.LoggedIn> <!--- ... do something ... ---> </cfif> <!--- Return out. ---> <cfreturn true /> </cffunction> </cfcomponent>
As you can see, the very first line in the OnSessionStart() event handler makes reference to an undefined variable, Bar. This will prevent the SESSION scope from being fully initialized, which may or may not cause problems for the OnRequestStart() event handler which makes direct use of expected session variables.
When I run the above code, I get the following error:
Variable BAR is undefined.
This is to be expected. However, when I run the page a second time, I get this error:
Element LOGGEDIN is undefined in SESSION.
Now, the execution code has been able to progress down to a point where theoretically, the SESSION scope should have been fully initialized. So, the take away here is that the SESSION scope gets created before the OnSessionStart() is called. This makes sense if you pause for a moment - if the SESSION scope weren't created yet, we wouldn't be able to initialize it in the OnSessionStart() event handler. The byproduct of this, as we are seeing though, is that even if the OnSessionStart() event handler fails, subsequent page requests by the same user will skip the OnSessionStart() method as the session has technically already started.
I am not sure that this is the problem that I am running into as it is not an error that I have ever been able to duplicate; but, at least this gives me *some* direction to look in the next time it happens.
Want to use code from this post? Check out the license.