Lucee sessions are set with NO timeout when using an empty onSessionStart()

Description

If you are using a cache provider for sessions in a cluster and an empty onSessionStart() method in Application.cfc, Lucee is storing the session in the cache with an eternal timeout or no timeout. I have confirmed this behavior using our Redis extension. The timeouts in redis come in as -1.

However, we downgraded to Lucee 5.2.x and the issue disappeared. So somewhere between 5.3 this bug was introduced.

Steps to recreate

In your Application.cfc have something similar to what is shown below:

Notice that the onSessionStart() is empty. Then create a standalone page with NO session interaction:

If you hit this page then you will get an entry in redis with a -1 TTL.

Scenarios that produce the TTL as -1

  • If you set ANY session variable within the life-cycle, then it sets the right timeout.

  • If you set ANY session variable in the onSessionStart() it sets the right timeout.

  • If you USE any session variables in the life cycle, then it sets the right timeout.

  • If you USE any session variable in the onSessionStart() it sets the right timeout.

However, if the onSessionStart() is empty and NO session vars are set, then the timeout goes to eternal and you can potentially fill up the caches with eternal sessions.

Another scenario that produces a -1 is if you set ANY session variables in the life-cycle and you run a sessionInvalidate() at the end of the request. This also creates an eternal entry in the cache with a -1 TTL.
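The two Application.cfc variants the report contrasts, written out as an added example that is not part of the original issue (the reporter's own Application.cfc is not reproduced in this copy of the report). The cache connection name "redisSessions" and the 30-minute timeout are assumed values; the only difference between the variants is whether onSessionStart() touches the session scope.

```cfml
component {
    this.name = "sessionTtlRepro";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Store sessions in a named cache connection rather than in memory.
    // "redisSessions" is an assumed cache connection name defined in the Lucee admin;
    // this stands in for the Redis-backed cache provider the report describes.
    this.sessionStorage = "redisSessions";

    // Variant A: the handler is empty. Per the report, a request that never reads or
    // writes the session scope then leaves the cache entry with TTL -1 (no expiry).
    // public void function onSessionStart() {}

    // Variant B: the handler writes one session variable. Per the listed scenarios,
    // this is enough for the cache entry to receive the configured session timeout.
    public void function onSessionStart() {
        session.createdAt = now();
    }

    // A request handler that does nothing with the session scope, matching the
    // "standalone page with NO session interaction" in the steps to recreate.
    public boolean function onRequestStart(required string targetPage) {
        return true;
    }
}
```

To observe the difference, request any page under this application with each variant in turn and compare the TTL reported for the new session key in the cache: the report states -1 for variant A and the configured timeout for variant B.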

Environment

None

Assignee

Unassigned

Reporter

Luis Majano

Priority

Blocker

Labels

Fix versions

Sprint

None

Affects versions