View Full Version : User is timing out early when in mutilple applications

03-10-2009, 12:13 AM
Greetings All!
This is the first time I am posting a message, so please bear with me.
I have a rather strange question. In one application we have defined a session variable (used to determine if a user has timed out). In a separate application the same cflock and session name is used. A user has logged into both applications at the same time. When they logoff of one application a few minutes later the person is kicked out of the second one due to being timed out (but they were only in that application for a few minutes, and the session variable is defined to time out after 30 minutes). Is this due to the cflock and or session variable having the same name with the same person, and being on the same CF server?
Can I avoid this by simply giving unique cflock names or do I have to give unique session variable names as well (in each application) ?
Thank You!

03-10-2009, 09:14 AM
It doesn't have anything to do with your locks, or what you're naming them. I think you're misunderstanding the concepts here, so I shall explain :)

Basically, you have a session "scope," and any variables that you put into it are tied to the current user that is navigating your site (i.e. running that .cfm page). However, every user has their own session scope variables. But, even though every user has their own session scope variables, your cfm pages still reference every user's session scope variables in the exact same way (using session.variableName).

For example: Using a line like <cfoutput>#session.username#</cfoutput> in a .cfm page will output the username of the current user that is running that page (assuming that session.username was set when they logged in). When another user comes to the exact same .cfm page and your system executes the exact same code (<cfoutput>#session.username#</cfoutput>), the second user's username will appear on the page.

That being said, a lock is simply to synchronize access to session variables so that multiple cfm files are not reading or writing to them at the same time (which can cause some unwanted results if they do). Reading/writing a session variable inside a named lock does not mean you're getting different session variables just because the lock name is different. In fact, you shouldn't even use a named lock to read/write session variables, you should use a scoped lock. For example, this would be the correct way to set the session variable "firstname" from a form submission:

<cflock scope="session" type="exclusive" timeout="10">
<cfset session.firstname = form.firstname>
And another example, this would be the correct way to read a session variable into a local (page) variable, and then display it:

<cflock scope="session" type="readonly" timeout="10">
<cfset user_first_name = session.firstname>
Anytime you set session variables, you should use an exclusive lock, and anytime you read session variables, you should use a readonly lock.

To get back to your question, the answer depends on if your applications are named differently or not. If you have an application.cfm file in application #1 that has <cfapplication name="app1" ... >, and an application.cfm file in application #2 that has <cfapplication name="app2" ... >, then the session variables for the same user are actually different under each application.

This means, for a given user: In application #1, session.loggedIn could be set to true, but at the same time on application #2, session.loggedIn could be set to false. These variables are separate for the different applications and therefore they hold different values, even though they are referenced the exact same way by session.loggedIn. So, if the session timeout is set to 30 minutes, a user using application #1 could possibly be timed out of application #2 if they don't use application #2 within 30 minutes of their last use of it.

However, if both applications have the same application name (ex: "app"), then the session scope is shared between them. Therefore, if session.loggedIn is true initially, setting session.loggedIn to false on application #1 means that when when application #2 reads it, it will be false there as well.

I hope this explanation has helped you understand this concept better and has also answered your question. However, if it hasn't, post again and try to be as descriptive and specific as possible, and let me know if your application name's are the same or different.

Happy coding!

03-13-2009, 11:59 PM
Thank You Gjslick for taking the time to explain everything in such detail, I know that it took a lot of time and I very much appreciate it!
This is very interesting. It appears that the two applications have two completely different application names
The one:
<cfapplication name="Budget" setclientcookies="yes" clientmanagement="yes" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

and the other
<cfapplication name="planning" setclientcookies="yes" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

The session variables are defined as

For Budget:
<!--- Set session.LoggedIn to true, logging the user in --->
<cflock name="sLogin_Lock" timeout="30" type="Exclusive">
<cfset session.LoggedIn = true>

For planning:
<!--- Set session.LoggedIn to true, logging the user in --->
<cflock name="sLogin_Lock" timeout="30" type="Exclusive">
<cfset session.LoggedIn = true>

If there is any more detail information I would gladly provide it!

Thank You again for your assistance!

03-15-2009, 10:05 PM
Ok, if your application names are different, then each application has a different set of session variables for the same user. So again, the user could have session.loggedIn set to true for application #1, and session.loggedIn set to false for application #2 (at the same time).

Also, if a user was logged in to both applications, but then was only using application #1 for 30 minutes, they would be logged out of application #2 because of their inactivity in that application. To keep a session alive, page requests must be made inside that application (i.e. a file inside application #2's folder must be accessed to "reset" that 30 minute countdown to session timeout).

How does your application work though? When someone logs in, do they get logged in to both applications somehow? My recommendation is to name both applications with the same name so that session variables are shared between them, and then activity in either one of the applications will keep the user logged in to both of them. (Unless your applications are in fact two distinctly separate applications, each with a separate log-in screen.)

It seems to me though that you have a web application where "Budget" and "Planning" are really sub-applications of that main application. So what you could do (and what I do on my webserver) is just have an application.cfm file in your root directory that specifies the application name and session timeout. Then, all folders that exist under that root directory do not need a separate application.cfm file, as they will use the application.cfm file in the root directory. This way, session variables will be shared between all sub-applications, and there will be no problem of a user getting timed out of different sub applications.

As far as your locks are concerned though, you want to lock the session scope rather than using a named lock (<cflock scope="session"> instead of <cflock name="sLogin_lock">). Named locks are global throughout the server, so if code is executing in one named lock, your server will block code from executing elsewhere in locks with the same name (hence slowing your server down when multiple users are trying to use it). Here's a good article about best practices with locking. It's a little old (came out for CF version 5), but the concepts are still the same. Just skip over the 3 sections of "Single Threaded Sessions", "Automatic Read Locking", and "Full Checking", as I believe those are no longer valid in the ColdFusion Administrator. http://www.adobe.com/devnet/server_archive/articles/cf_locking_best_practices.html

Hope that helps, but let me know if you're still confused!


03-20-2009, 06:09 PM
Sooooorry for the Delay in my response, but I was trying out different things!

It appears that the problem is somehow related to Internet Explorer (both 6 & 7), The user (IE 6) had separate windows open for each of the applications. When he switched between applications (windows) he would be timed out of them. I was able to duplicate the problem on test (IE 7) with the same results. I then tried using Firefox and opened separate windows there for each of the applications and in amazement it worked fine (no time outs). I tried that same thing in IE but using tabs instead and again it worked fine! I'm still not sure why using separate windows causes the session variables to time out (be deleted), but now at least the user is functioning again.

Thank You Again Greg for your Assistance and wealth of knowledge!

Note! I did make the CFlock change to sessions as you suggested.

Thank You again!