Possible bug (with PCI implications):
this.sessionType = "cfml";
this.sessionCluster = true;
this.sessionStorage = "datasource_name"; // Using MySQL datasource to store sessions
sessionRotate() creates a new session (I can see a record in the datasource) but the current browsing session remains on the old session.
sessionInvalidate() doesn't have any effect on the session.
If I set:
this.sessionCluster = false;
Then the functions work as expected. However, the release notes for this.sessionCluster say:
this.sessionCluster=true: if set to true, railo uses the storage backend for the session scope as master and Railo checks for changes in the storage backend with every request, set to false (default), the storage is only used as slave, railo only initially gets the data from the storage. Ignored for storage type “memory”.
Then both functions work as anticipated.
No problem in development but potentially a problem in production where I can't guarantee that sessions will be sticky.
There are a number of threads about issues with non-sticky sessions (though not necessarily about these functions) but no definite resolution. How sticky do my sessions need to be in order for this to not be an issue (e.g. 60 load balancer timeout)?