All Session Variables are removed - session

We are having a problem with regard to all session variables being deleted at random times.
This happens without calling Session.Abort() or Session.Clear(). IIS is also not recycled, and NO App_Code, Bin, Global.asax or Web.config changes are made when this happens. We have enabled logs on IIS to confirm the app pool is not being recycled. IIS is also set to recycle once a day in the morning, and no limits are set on IIS to force a recycle.
This happens very randomly and we are not able to reproduce it at all. We use FormsAuthentication, but the site determines if it should redirect back to the login page by checking whether 2 critical session variables exist (sometimes the sessions are cleared even while authenticated as well). We use the default In-Proc session state.
We have tried response.redirect(...,false) when setting variables without any luck. This happens on a single server.
We are somehow running a web farm (the login screen handles the load and redirects to a server, but the user stays on that server until he logs out).
Any help in the correct direction will be appreciated!

Related

Coldfusion 2018 clustering and session replication not working

Setting up a couple new Coldfusion 2018 servers and will be using clustering for the first time and have run into some problems.
I am having trouble with session replication. Basically, session variables appear to be replicated between nodes in a cluster but are killed after a short while at random.
A little setup info:
2 web servers (Windows Server 2012) behind load balancers
On each web server sits a Coldfusion cluster consisting of 2 local instances (still unclear if this is useful or not - will ask in separate question) and 2 remote instances (the remotes reference the local instances of each opposite server)
For simplicity, currently just testing on a single server with local Coldfusion instances - leaving the remotes out of the equation until I can get things working reliably locally
Using J2EE session variables
Coldfusion session timeout set to 2 hours
In each Coldfusion instance, channelSendOptions is set to "6"
Here is what I did/experienced:
We have a web application that requires login and stores user information in the session upon login.
I made a small modification to the web app to show me which cluster instance has serviced my current request.
After setting up the cluster, I started the web application and logged in, noting the instance which displayed the login page.
Upon logging in, I was immediately returned to the login screen (app checks for user info in session and redirects to login if not found)
Debugging revealed that I was actually being logged in but after redirecting to some new page after login the user info would be gone from session.
Multiple login attempts in a row (same credentials, just tried over and over again and again) revealed that sometimes login would proceed just fine and I would get into the app. However, if I refreshed the page or went to another page, the session would be lost very soon but at random (within a few page refreshes).
In an attempt to simplify the problem to try and figure out what is going on, I created a simple .cfm that bypasses all the login stuff and does one thing: adds a simple string value to session and then dumps the session and instance name.
I ran the script once, noted which instance was being used and that session contained my value.
I then edited the script so it no longer set the session value.
I then hit refresh over and over so I could confirm:
  That requests were being serviced by both instances in cluster
  That as I flip-flopped between instances, the session value was available all the time.
Again, the replication would work and for several refreshes I could see my session variable available on each instance...until it wasn't. After a random number of refreshes/seconds (between 2 - 10 refreshes say) the value would disappear.
I am at a loss to explain why this is happening. We considered using Redis as a session store to see if it helped but frankly, our team has no experience with it, it is clunky to get working in Windows and we really don't want any more moving pieces in our infrastructure if we can help it.
Any insight on what is occurring as well as advice for how to peer behind the scenes as it were and see what is going on with session replication would be greatly appreciated.
Thanks
Adding some code and screenshots. The screenshots show the state of session after each page refresh and which instance is currently serving the page. The last two images represent refreshes 11 and 13 - the session variable was lost in 11 and I went to 13 so that we can see that the variable was lost on the other instance as well. Also a couple pictures of cluster/session setup.
Following is the simple test script. The first line is un-commented on first run to create the session variable and commented out for each subsequent run.
<!--- <cfset Session.svar="cake!"> --->
<cfdump var="#Session#" />
<cfscript>
hostaddress = createObject("java", "java.net.InetAddress").localhost.getHostAddress();
</cfscript>
<cfoutput>
<h3>
Instance: #createobject("component","CFIDE.adminapi.runtime").getinstancename()#
</h3>
</cfoutput>

Sessions dropped intermittently in ColdFusion/IIS

Several times per day (though we cannot reproduce it ourselves), we're seeing instances of sessions being dropped.
What I mean is I have logs of the user coming to the site, performing a few requests, and then having each of their next few requests get a different session identifier and thus wiping out everything in their session. Same IP, same browser, and all of this happens in the course of a couple seconds. The session timeout is configured to 20 minutes.
It doesn't appear to be related to a specific browser, as users have claimed coworkers don't experience the issue on the same machine.
What's really bizarre is that for some requests I can clearly see one session ID coming in through CGI.HTTP_COOKIE and another one is assigned during the course of the request (by the time we get an error email, which is caused by their lack of session). WTF?
To my knowledge, nothing in our application code could be causing this. We use session variables of course, but don't wipe or reset the session ID cookies. I was under the impression that's completely handled by the server.
I'm ripping my hair out here. Any ideas on even how to go about debugging this would be appreciated.
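
One way to look for the behaviour described in the question above, as an added example that is not part of the original post: the script scans IIS W3C logs for clients whose session cookies change between requests a few seconds apart. It assumes cs(Cookie) logging is enabled; the log lines and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format with cs(Cookie) logging enabled.
# Cookie logging writes live session IDs to disk, so restrict access to these logs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem cs(Cookie)
2024-01-10 09:00:01 203.0.113.7 /index.cfm CFID=1001;+CFTOKEN=aaa111
2024-01-10 09:00:03 203.0.113.7 /cart.cfm CFID=1001;+CFTOKEN=aaa111
2024-01-10 09:00:04 203.0.113.7 /pay.cfm CFID=1002;+CFTOKEN=bbb222
2024-01-10 09:00:05 203.0.113.7 /pay.cfm CFID=1003;+CFTOKEN=ccc333
2024-01-10 09:00:02 198.51.100.9 /index.cfm CFID=2001;+CFTOKEN=ddd444
2024-01-10 09:45:00 198.51.100.9 /index.cfm CFID=2002;+CFTOKEN=eee555
"""

SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID", "ASP.NET_SessionId")


def session_key(cookie_field):
    """Return the session-identifying cookies as a sorted tuple, or None."""
    pairs = []
    for part in cookie_field.replace("+", " ").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SESSION_COOKIES:
            pairs.append((name, value))
    return tuple(sorted(pairs)) or None


def find_session_churn(log_text, window=timedelta(seconds=60)):
    """List (client IP, time, URI) where the session differs from the
    one the same client sent on its previous request within `window`."""
    fields, last_seen, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        key = session_key(row.get("cs(Cookie)", "-"))
        if key is None:
            continue  # first visit or cookieless request: nothing to compare
        prev = last_seen.get(row["c-ip"])
        # Clients sharing one IP (proxy, NAT) also trip this; add the user agent to the key if logged.
        if prev and prev[1] != key and when - prev[0] <= window:
            findings.append((row["c-ip"], row["time"], row["cs-uri-stem"]))
        last_seen[row["c-ip"]] = (when, key)
    return findings
```

Each finding gives the request on which the new identifier first arrived, which narrows down which preceding response issued it.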

When MVC3 application is kept idle it redirects to Home page

I have implemented an application in MVC3 with Razor. It works absolutely fine on my development server, but after deploying it on the server (IIS7 with Windows 2008), if the site is kept idle for 10 to 15 minutes, clicking on any link redirects to the Home page.
I have also set the Session timeout on the server.
Please let me know how I can resolve this issue. Is this a Session issue?
First, set the machineKey in your web.config -- see http://aspnetresources.com/tools/machineKey for a generator. This may solve your issue straight up.
If this doesn't resolve the issue, the cause could be several things. Your application could be being unloaded by IIS due to inactivity, or recycled due to excessive memory usage. Both these would terminate all sessions. Another possibility is your authenticated session has expired, if you are authorizing users.
This idle period can be extended through IIS, if necessary. In IIS configuration manager, locate the Application Pool your application is in, right click it and choose 'Advanced Settings' then alter 'Idle Time-out (minutes)'. Note that the default is 20 minutes, more than you are experiencing.
Verify it is not recycling due to excessive memory usage by watching the w3p process in Task Manager. If you see your instance growing large, then disappearing, this is likely the cause.
The last possibility is if you are using Forms authentication and the ticket has expired; your web.config file may be directing people to the home page.
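
The settings named in the answer above can be read straight from web.config. This added example (not from the original answer) flags an auto-generated machineKey, InProc session state and a forms ticket timeout that differs from the session timeout; both configuration fragments and the finding codes are constructed, and the key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed fragments. Key values are placeholders: generate real keys locally
# (IIS Manager has a Machine Key feature) and keep them out of source control.
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Home/Index" timeout="10" />
  </authentication>
  <sessionState mode="InProc" timeout="20" />
</system.web></configuration>"""

CORRECTED = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_HEX" decryptionKey="PLACEHOLDER_HEX"
              validation="HMACSHA256" decryption="AES" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="20" />
  </authentication>
  <sessionState mode="StateServer" timeout="20" />
</system.web></configuration>"""


def audit_web_config(xml_text):
    """Return finding codes for settings that end sessions or logins early."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["NO_SYSTEM_WEB"]
    findings = []
    key = web.find("machineKey")
    # ASP.NET defaults both attributes to "AutoGenerate,IsolateApps".
    values = [(key.get(a) if key is not None else None) or "AutoGenerate"
              for a in ("validationKey", "decryptionKey")]
    if any(v.startswith("AutoGenerate") for v in values):
        findings.append("MACHINEKEY_AUTOGENERATED")  # tickets fail on other farm nodes
    session = web.find("sessionState")
    mode = session.get("mode", "InProc") if session is not None else "InProc"
    session_minutes = int(session.get("timeout", "20")) if session is not None else 20
    if mode == "InProc":
        findings.append("SESSION_INPROC")  # state dies with the worker process
    forms = web.find("authentication/forms")
    if forms is not None:
        forms_minutes = int(forms.get("timeout", "30"))  # ASP.NET default is 30
        if forms_minutes < session_minutes:
            findings.append("TICKET_EXPIRES_BEFORE_SESSION")
        elif forms_minutes > session_minutes:
            findings.append("SESSION_EXPIRES_BEFORE_TICKET")
    return findings
```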

Form Authentication Ticket null issue in MVC3

What could be the cause behind the authentication cookie (.ASPXAUTH) being dropped intermittently in an MVC3 app?
I checked the size of the cookie, which seems to be around 2kB.
It flows without any issues during login and while performing a few actions on the site, but after performing one specific action (where I am returning a PDF file from the server and the cookie is untouched there) it drops for a very few users.
Could there be any other reason behind a user being logged out of the system after a certain action?
I have just got info that the cookie can be dropped if your application is being recycled by the server. There are three conditions that would cause your application pool to be recycled by the server: 1. Over CPU usage. 2. Over memory usage. 3. No HTTP calls for 20 minutes.

ColdFusion Session issue - multiple users behind one proxy IP -- cftoken and cfid seems to be shared

I have an application that uses ColdFusion's session management (instead of the J2EE session management).
We have one client who has recently switched their company's traffic to us to come via a proxy server in their network.
So, to our ColdFusion server, it appears that all traffic is coming from this one IP address, for all of the accounts of this one company.
Of the session variables, Part 1 is kept in a cflock, and Part 2 is kept in editable session variables. I may be misunderstanding, but we have done it this way as we modify some values as needed throughout the application's usage.
We are now running into an issue of this client having their session variables mixed up (?). We have one case where we set a timestamp.. and when it comes time to look it up, it's empty. From the looks of it this is happening because of another user on the same token.
My initial thoughts are to look into modifying our existing session management to somehow generate a unique cftoken/cfid, or to start using jsession_ID, if this solves the problem at all.
I have done some basic research on this issue and couldn't find anything similar, so I thought I'd ask here.
Thanks!
I've run into similar problems on and off for years.
JSession cookies seem to help (no hard data on that) but one solution that I've implemented repeatedly is using no-cache and cache expiry headers on every page.
http://www.bpurcell.org/blog/index.cfm?entry=1075&mode=entry gives some specifics on how to implement this.
In extreme cases, we've been forced to pass the token and cfid in the links/forms, but that is a PITA to implement, so I'd try the cache expiry/prevention solution first.
As far as I know, there are no "cons" in using J2EE session variables, unless you really need session to be active after user closes the browser. I think you should try and see how application behaves with it and see if that saves you trouble of refactoring.
To be sure that you are using all other settings try this:
<cfdump var="#APPLICATION.GetApplicationSettings()#" label="Application settings" />
If you have sessionmanagement and client cookies turned on, everything is fine, so try j2ee session variables.
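
The no-cache advice in the answers above can be checked from captured response headers. This added example (not code from the original posts) lists responses that set CFID, CFTOKEN or JSESSIONID and that a shared cache such as the client's proxy would still be allowed to reuse; the sample headers and function names are constructed, and only Cache-Control and Expires are evaluated.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}
BLOCKING = {"no-store", "no-cache", "private"}  # stop reuse by a shared cache
# Constructed (path, response headers) samples.
SAMPLE_RESPONSES = [
    ("/login.cfm", [("Set-Cookie", "CFID=1001; Path=/")]),
    ("/home.cfm", [("Set-Cookie", "CFID=1001; Path=/"),
                   ("Cache-Control", "no-cache, no-store, must-revalidate")]),
    ("/report.cfm", [("Set-Cookie", "JSESSIONID=abc; Path=/"),
                     ("Expires", "Thu, 01 Jan 2004 00:00:00 GMT")]),
    ("/search.cfm", [("Set-Cookie", "CFTOKEN=bbb222; Path=/"),
                     ("Cache-Control", "public, max-age=600")]),
    ("/logo.png", [("Cache-Control", "public, max-age=86400")]),
]

def sets_session_cookie(headers):
    return any(name.lower() == "set-cookie"
               and value.split("=", 1)[0].strip().lower() in SESSION_COOKIE_NAMES
               for name, value in headers)

def shared_cache_may_reuse(headers, now=None):
    """Simplified check that reads only Cache-Control and Expires."""
    now = now or datetime.now(timezone.utc)
    directives, expires = {}, None
    for name, value in headers:
        if name.lower() == "expires":
            expires = value
        elif name.lower() == "cache-control":
            for item in value.split(","):
                key, _, arg = item.strip().partition("=")
                directives[key.lower()] = arg.strip('"')
    if directives.keys() & BLOCKING:
        return False
    for key in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if key in directives:
            return directives[key].isdigit() and int(directives[key]) > 0
    if expires is None:
        return True  # nothing stated: a cache may apply heuristic freshness
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False  # an invalid date such as "0" counts as already expired
    return (when if when.tzinfo else when.replace(tzinfo=timezone.utc)) > now

def leaky_responses(responses):
    """Paths that set a session cookie on a response a shared cache may reuse."""
    return [path for path, headers in responses
            if sets_session_cookie(headers) and shared_cache_may_reuse(headers)]
```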
