Hi Everyone,

I have an application that uses ColdFusion's session management (instead of the J2EE session management).

We have one client who has recently switched their company's traffic to us to come via a proxy server in their network.

So, to our ColdFusion server, it appears that all traffic is coming from this one IP address, for all of the accounts of this one company.

Of the session variables, Part 1 is kept in a cflock, and Part 2 is kept in editable session variables. I may be misunderstanding, but we have done it this way as we modify some values as needed throughout the application's usage.

We are now running into an issue of this client having their session variables mixed up (?). We have one case where we set a timestamp, and when it comes time to look it up, it's empty. From the looks of it, this is happening because of another user on the same token.

My initial thoughts are to look into modifying our existing session management to somehow generate a unique cftoken/cfid, or to start using jsession_ID, if this solves the problem at all.

I have done some basic research on this issue and couldn't find anything similar, so I thought I'd ask here.

Thanks!

+2  A: 

As far as I know, there are no "cons" in using J2EE session variables, unless you really need the session to be active after the user closes the browser. I think you should try it, see how the application behaves with it, and see if that saves you the trouble of refactoring.

To be sure that you are using all other settings try this:

<cfdump var="#APPLICATION.GetApplicationSettings()#" label="Application settings" />

If you have sessionmanagement and client cookies turned on, everything is fine, so try j2ee session variables.

zarko.susnjar
I see now almost the same answer :) http://stackoverflow.com/questions/1984627/disadvantages-of-j2ee-session-management-in-coldfusion/1985449#1985449
zarko.susnjar
Thanks Zarko. I'll try that out after the option to force no-cache.
Smooth Operator
+2  A: 

I've run into similar problems on and off for years.

JSession cookies seem to help (no hard data on that) but one solution that I've implemented repeatedly is using no-cache and cache expiry headers on every page.

http://www.bpurcell.org/blog/index.cfm?entry=1075&mode=entry gives some specifics on how to implement this.

In extreme cases, we've been forced to pass the token and cfid in the links/forms, but that is a PITA to implement, so I'd try the cache expiry/prevention solution first.

Ben Doom
My experience is similar.
Al Everett
no-cache and cache expiry headers might be the way to go on the respective pages.
Smooth Operator
I am going to pick this as the correct answer for the time being.
Smooth Operator
@Smooth -- You can add most of them to your application.cfm/application.cfc file to always fire. If you're using a header file, you can put the meta tag there. No need to edit individual pages.
Ben Doom
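
A way to check the cache-header fix discussed in the second answer, as an added example that is not part of the original thread: it inspects a response head and reports whether a shared proxy cache may still store a response that sets CFID, CFTOKEN or JSESSIONID. The function names, the verdict labels and the sample responses are assumptions constructed for illustration.

```python
"""Added example: flag response heads that set a ColdFusion or J2EE session
cookie while a shared proxy cache is still allowed to store them."""
from email.parser import Parser

SESSION_COOKIES = ("cfid", "cftoken", "jsessionid")

# Constructed sample response heads (not captured from any real server).
SAMPLES = {
    "default": "HTTP/1.1 200 OK\nContent-Type: text/html\n"
               "Set-Cookie: CFID=1001; path=/\nSet-Cookie: CFTOKEN=12345678; path=/\n\n",
    "no_cache_only": "HTTP/1.1 200 OK\nCache-Control: no-cache\n"
                     "Set-Cookie: JSESSIONID=ABCDEF0123; path=/\n\n",
    "hardened": "HTTP/1.1 200 OK\nCache-Control: no-store, private\nExpires: 0\n"
                "Set-Cookie: CFID=1001; path=/\n\n",
    "static": "HTTP/1.1 200 OK\nCache-Control: max-age=3600\n\n",
}

def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    _, _, rest = raw.lstrip().partition("\n")
    return Parser().parsestr(rest, headersonly=True)

def session_cookies_set(msg):
    """Lower-cased names of session cookies this response sets."""
    names = [v.split("=", 1)[0].strip().lower() for v in msg.get_all("Set-Cookie", [])]
    return [n for n in names if n in SESSION_COOKIES]

def cache_directives(msg):
    """Cache-Control directives as a {name: argument} dict."""
    directives = {}
    for value in msg.get_all("Cache-Control", []):
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"')
    return directives

def audit(raw):
    """Return 'ok', 'weak' or 'exposed' for one response head."""
    msg = parse_headers(raw)
    if not session_cookies_set(msg):
        return "ok"        # no session cookie in this response
    cc = cache_directives(msg)
    if "no-store" in cc or "private" in cc:
        return "ok"        # a shared cache must not store it
    if "no-cache" in cc or cc.get("s-maxage", cc.get("max-age")) == "0":
        return "weak"      # storable, but only reusable after revalidation
    return "exposed"       # nothing stops a shared cache storing the Set-Cookie
```

Feed `audit()` the response head of each page that starts or refreshes a session; anything other than `ok` means the headers set in Application.cfm/Application.cfc are not reaching that response.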