CFApplication "update" action overwrites clustered session data

Description

Summary of issue:

Let's say you have two servers in a clustered environment that are using session storage and session clustering. We've discovered an issue when the "update" action is called on the <cfapplication> tag. That call appears to write session data to the session storage without first reading the latest data from the storage. This results in lost data if the previous server had written new data to the storage.

Recreate the issue:

Here are some steps for recreating the issue. I've also provided a test Application.cfc and CFM file.

  1. Set up Lucee with clustered sessions on at least two servers

  2. Round-robin requests between the two servers

  3. Set the application values for session management and session clustering

  4. Define a datasource for session storage (we use MSSQL)

  5. Write data to the session from one server

  6. Call application action="update" on the other server

  7. Read the session and note old data

We ran into this issue using ColdBox, which updates the application when copying over CFmappings from ColdBox modules. See the code for RailoMappingHelper.cfc.

Workarounds

We've uncovered a couple of workarounds. If you can force a read of any of the session values before calling the application update, then (usually) the correct session values get saved into the session storage. I say "usually" because testing has shown both of these techniques to be dramatically more accurate but still not 100% dependable.

You can param a session variable:
param name='session.wasLucee2' default=false;

You can assign the session to a temp variable:
local.sessionTemp = session;
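
The lost update described in this report, as an added example that is not part of the original ticket and is not Lucee's code: a simplified Python model in which each node flushes its in-memory copy of the session to shared storage. The classes, the `reread` and `guarded` switches, and the version column are assumptions made for illustration; the sample session id and values are constructed.

```python
class SharedStore:
    """Stands in for the session datasource: one versioned row per session id."""
    def __init__(self):
        self.rows = {}  # sid -> (version, data)

    def read(self, sid):
        version, data = self.rows.get(sid, (0, {}))
        return version, dict(data)

    def write(self, sid, data, expected_version=None):
        current, _ = self.rows.get(sid, (0, {}))
        if expected_version is not None and expected_version != current:
            return False  # another node wrote since we loaded: refuse the flush
        self.rows[sid] = (current + 1, dict(data))
        return True


class Node:
    """One server in the cluster, holding its own cached copy of each session."""
    def __init__(self, store):
        self.store = store
        self.cache = {}  # sid -> (version, data)

    def load(self, sid):
        self.cache[sid] = self.store.read(sid)

    def set(self, sid, key, value):
        self.load(sid)
        _, data = self.cache[sid]
        data[key] = value
        self.store.write(sid, data)
        self.load(sid)

    def app_update(self, sid, reread=False, guarded=False):
        # Models the flush the report ties to application action="update".
        if reread:  # the "force a read first" workaround
            self.load(sid)
        version, data = self.cache.get(sid, (0, {}))
        return self.store.write(sid, data, version if guarded else None)


def scenario(reread=False, guarded=False):
    store = SharedStore()
    a, b = Node(store), Node(store)
    sid = "constructed-session-id"
    a.set(sid, "user", "alice")       # request 1 lands on server A
    b.load(sid)                       # request 2 on server B caches the session
    a.set(sid, "wasLucee2", True)     # request 3 on server A writes new data
    ok = b.app_update(sid, reread, guarded)  # request 4 on server B
    return ok, store.read(sid)[1]
```

With the defaults the final row contains only `user`, which is the stale overwrite from the report. A re-read before the flush keeps `wasLucee2` here but still leaves a gap between the read and the write, while the version-checked write refuses the stale flush outright.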

Environment

None

Attachments

2

Activity

Luis Majano 2 November 2019 at 13:12

I am commenting in order to bring this ticket to action again. This is basically biting every single ColdBox application.

Duplicate

Created 23 May 2016 at 18:19
Updated 27 February 2023 at 21:09
Resolved 28 August 2020 at 12:31