Hello,
I have recently started getting a lot of errors that say “Session is invalid null” on one of my sites.
The site is running CF8. We recently upgraded Java to Java 1.6.0_24. However, the errors did not start happening until weeks after we installed this, so I’m not necessarily connecting this to the issue. It may be simply because the site has been very busy, I’m not sure (because I also started seeing the issue on the development server, same machine, which is not busy).
The server is using J2EE sessions. I haven’t made any changes to code that should have this effect. The site is old, however, and some of the code is pretty old (it still has an application.cfm file instead of a CFC; I just haven’t had the time to update it).
Anyway, I did some research, and saw several posts about it, suggesting I do the following:
1. Set the maximum timeouts to the same values as the default timeouts in the CF Admin.
2. Set the session-timeout in the web.xml file to a little more than the settings in CF Admin
3. Set the setClientCookies var in the application cfc/cfm to false.
I did #1 and #3. On #2, where do I find that file, and is it actually called web.xml? Also, when I make that change, I am guessing I need to restart the server?
Thanks!
Kristin
The easiest solution is to disable J2EE session variables and use CF's
session management; is there a reason you want to use J2EE sessions?
The two main reasons you might want to use them would be if you need
to share access of the session with Java / JSP, etc., code; the second
reason is that you want the session cookie to be terminated when the
browser is closed (this is a cookie with no expires and lives only as
long as the browser window is open). If your reason is the second one,
you can get around that by adding some code to your
Application.cfc/cfm to write the CFID/CFTOKEN cookies manually. This
blog entry shows how you can do that:
http://www.petefreitag.com/item/764.cfm
Also, I should mention that CF 9.0.1 CHF 2 reportedly fixes this
problem, which I think was introduced in one of the recent security
hotfixes; there is no hotfix for CF8, however.
And finally, to answer your question about the web.xml file: it will be
located in a folder called WEB-INF, and on a standard install is in the
{coldfusion-root}/wwwroot/WEB-INF/ folder.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
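As an added illustration of the second option Pete describes (CF session management with browser-session CFID/CFTOKEN cookies), here is an Application.cfc that is not code from the thread or from the linked blog entry. The application name and the 20-minute timeout are assumptions; the point is that with setClientCookies turned off, CF no longer writes its persistent cookies, so the request handler re-issues CFID/CFTOKEN itself with no expires attribute, which the browser discards when it closes.

```cfml
<!--- Application.cfc (added example, not the thread's or the blog's code).
      Assumes CF session management, not J2EE sessions. --->
<cfcomponent output="false">
    <cfset this.name = "exampleapp">                            <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>   <!--- assumed 20-minute timeout --->
    <cfset this.setClientCookies = false>                       <!--- stop CF writing persistent CFID/CFTOKEN --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- CF still reads CFID/CFTOKEN from the request cookies; we just write them
              ourselves. cfcookie with no "expires" attribute yields a browser-session
              cookie, unlike the persistent cookie CF would set on its own. --->
        <cfif structKeyExists(session, "cfid") AND structKeyExists(session, "cftoken")>
            <cfcookie name="CFID" value="#session.cfid#" secure="#isSecureRequest()#">
            <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="#isSecureRequest()#">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="isSecureRequest" returntype="boolean" output="false" access="private">
        <!--- Mark the cookies Secure only when the request itself arrived over HTTPS,
              so the session identifiers are not sent over plain HTTP. --->
        <cfreturn (structKeyExists(cgi, "HTTPS") AND cgi.HTTPS EQ "on")>
    </cffunction>
</cfcomponent>
```

Two things worth checking on a CF8 box: the httpOnly attribute on cfcookie only arrived in ColdFusion 9, so on CF8 an HttpOnly flag has to be added through the Set-Cookie header instead, and the CF Admin "Use UUID for cftoken" setting should be on so the CFTOKEN half of the pair is not a short integer.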
I think I switched to J2EE sessions a while back, based on security scans
saying my session ids weren't random enough, and something I read
somewhere said J2EE was better (can't remember what I read, but since I
switched, we've stopped getting dinged on that).
That being said, we are about to implement PayPal on the site via a Java
SDK (I had posted earlier about that), and although I'm not actually
coding the implementation, I suspect that I may need to share access of
the session with the Java code...
And sigh, I wish I could get them upgraded to CF9, but it hasn't been that
long since we upgraded to 8, so I suspect that won't happen for a while.
Thanks for the blog link, I will read that; this is always a bit nebulous
to me. And thanks for the location of the file!
Thanks,
Kristin
However, if you have that setting enabled the CFTOKEN is sufficiently
random. I can't say if the jsessionid is more or less random; they may
use a secure random number generator to create that value, whereas
CFTOKEN may or may not, but because the CFID/CFTOKEN pair is also
required it may be harder to guess than the jsessionid. Some security
scans mistakenly only look at the value of CFID (which is always an
integer) and flag an issue based on that; you typically just need to
contact the company and let them know that the CFID/CFTOKEN pair is the
actual session token (I think most scanners have resolved this issue,
but it used to be more prevalent a few years ago).
I don't think the PayPal Java SDK will require use of your session, so
you *should* be fine to disable j2ee sessions, just be sure to test it
out.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
Thanks for the info!
Kristin
Kristin Gitler
Web Developer
office + 585.899.4879
ITX
6780 Northern Blvd., Ste 201
E. Syracuse, NY 13057
www.itx.com