2
votes

I am running Lucee 5.1.3.18/Tomcat/centOS/mySql (3 physical,6 virtual) and I am having erratic session loss. I have looked through and verified it isn't bad code doing this. The situation is a user adds items to a cart (all items are joined on the session_id). They fill out the payment information, credit card etc... on a checkout page. Generally if you wait 3 to 5 minutes and submit to the review it throws an error not seeing these items (session_id changed). The time frame varies but it is usually around 5 minutes.

This happens when I have Lucee admin set up to use my datasource and store session info in the DB.

application.cfc:

<cfset THIS.Name = "sessionName" />
<cfset THIS.SessionManagement = true />
<cfset THIS.ClientManagement = true />
<cfset THIS.ApplicationTimeout = CreateTimeSpan(0,12,0,0) />
<cfset THIS.SessionTimeout = CreateTimeSpan(0,4,0,0) />
<cfset THIS.SetClientCookies = true />
<cfset THIS.SetDomainCookies = false />
<cfset THIS.ScriptProtect = true />
 <cfset THIS.sessionType = "jee">
<cfset THIS.sessionStorage = "myDatasource">
<cfset THIS.sessionCluster = true>

Changing

<cfset THIS.sessionType = "jee">

to cfml, also has the same problem (tried EHcache to w/ no success).

If I switch to use "Memory" and eliminate DB, I have the issue still however much less. Using "Memory" also makes the heap swell and eventually the servers lock up.

The logs don't show anything helpful, but I have been seeing broken pipe errors from time to time and db connection loss also. I account that to the server locking up though.

I'm not trying to ask an open ended question but do you have any advice on likely issues you have encountered. Is there obscure Lucee specific settings that I may have overlooked? Any help is appreciate.

Thanks, Henry

1
Update: Okay so I have figured out the server meltdown. it was apparently a DDoS attack coming from some shady company out of Dallas. I made some firewall adjustments and my servers are no longer melting down. I am now monitoring to see if the session loss goes away. My thought is possibly the servers under stress were just releasing random memory. - Henry
The session loss is still occurring unfortunately. - Henry
Probably not going to help but i thought i'd point out your THIS.sessionType should be "j2ee" according to the cfapplication docs so possibly it would have been still been using whatever the default is in lucee server/web admin - Snipzwolf
does your previous session id still exists in the db after your session id changed? i'm not familiar with what gets stored in the db but possibly check the session expiration date if it's in there too (thinking maybe your this.SessionTimeout value is being overriden/ignored) - Snipzwolf
That's odd it says j2ee in the docs but jee in Lucee administrator... I have abandoned trying to get this up using the db session management. It is much worse when I try to go that road, and honestly it was the first time I tried to implement it. - Henry

1 Answers

0
votes

You could take a look to see if you can find either of these calls below in your code somewhere as maybe they are ending your sessions early.

sessionInvalidate would kill of the session (i'm not too sure if it's immediate or after the request that called it has finished) and the setMaxInactiveInterval call overrides the session timeout used in the application.cfc.

<cfscript>          
    getPageContext().getSession().setMaxInactiveInterval(javaCast("int", 60));
    sessionInvalidate();
</cfscript>