CFApplication "update" action overwrites clustered session data

Description

Summary of issue:

Let's say you have two servers in a clustered environment that are using session storage and session clustering. We've discovered an issue when the "update" action is called on the <cfapplication> tag. That call appears to write session data to the session storage without first reading the latest data from the storage. This results in lost data if the previous server had written new data to the storage.

Recreate the issue:

Here are some steps for recreating the issue. I've also provided a test Application.cfc and CFM file.

  1. Set up Lucee with clustered sessions on at least two servers

  2. Round-robin requests between the two servers

  3. Set the application values for session management and session clustering

  4. Define a datasource for session storage (we use MSSQL)

  5. Write data to the session from one server

  6. Call application action="update" on the other server

  7. Read the session and note old data

We ran into this issue using ColdBox, which updates the application when copying over CFmappings from ColdBox modules. See the code for RailoMappingHelper.cfc.

Workarounds

We've uncovered a couple of workarounds. If you can force a read of any of the session values before calling the application update, then (usually) the correct session values get saved into the session storage. I say "usually" because testing has shown both of these techniques to be dramatically more accurate but still not 100% dependable.

You can param a session variable:
param name='session.wasLucee2' default=false;

You can assign the session to a temp variable:
local.sessionTemp = session;
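
Steps 5 to 7 and the read-first workaround, as a small Python model added here (not code from the report, Lucee or ColdBox). `SessionStore`, `Node` and `run` are hypothetical names, and the flush-on-update behaviour is assumed from the description above. The version-checked write goes beyond the report to show how shared storage could detect a stale writer.

```python
"""Constructed model of the lost update in this report; not Lucee code."""

class StaleWrite(Exception):
    pass

class SessionStore:
    """Shared session storage (the datasource in the report) with a version counter."""
    def __init__(self):
        self.data, self.version = {}, 0

    def read(self):
        return dict(self.data), self.version

    def write(self, data, based_on=None):
        # based_on=None models a blind overwrite; otherwise stale writers are rejected.
        if based_on is not None and based_on != self.version:
            raise StaleWrite(f"store at v{self.version}, writer read v{based_on}")
        self.data, self.version = dict(data), self.version + 1

class Node:
    """One cluster member holding its own cached copy of the session."""
    def __init__(self, store):
        self.store = store
        self.cache, self.seen = store.read()

    def load(self):
        self.cache, self.seen = self.store.read()

    def set(self, key, value):
        self.load()
        self.cache[key] = value
        self.store.write(self.cache)
        self.seen = self.store.version

    def application_update(self, read_first=False, checked=False):
        # Assumed from the report: the update flushes the cached session to storage.
        if read_first:
            self.load()  # the workaround: touch the session before updating
        self.store.write(self.cache, self.seen if checked else None)

def run(read_first=False, checked=False):
    store = SessionStore()
    a, b = Node(store), Node(store)    # both nodes start with an empty session
    a.set("cart", ["item-1"])          # step 5: write from one server
    try:
        b.application_update(read_first, checked)  # step 6: update on the other
    except StaleWrite as exc:
        return f"rejected: {exc}"
    return store.read()[0]             # step 7: what a later request reads
```
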

Environment

None

Assignee

Michael Offner

Reporter

Miles Rausch

Priority

Critical

Labels

Fix versions

None

Affects versions
