@jvc, it’s certainly interesting that the request to the new pod “does not record a new session in the DB”, while “the onSessionStart is triggered” but “the session is empty”.
I have some different thoughts than have been shared so far here by the few others involved, and different diagnostics which may help anyone facing such session challenges. Perhaps any of you already knew some or all of these things, but I don’t see them discussed here.
(Brian, I’d not think it had to do with the ip address to which a request is made, but it can DEFINITELY have to do with the domain to which a request is made. And same if somehow different ips are being used for the pods/instances being requested.)
Consider that setdomain cookies
Indeed, first, as for jvc’s last code which shows setdomaincookies=false (and others concurred they use that), I’ll just note for the sake of completeness that for setdomaincookies the lucee docs say “Applications that are running on clusters must set this value to Yes.”. I’m not saying it will fix things, but have you at least tried that, jvc?
The browser will send cookies to a server only if the cookies it has have a matching domain value to the request being made. (A subdomain would not be the same. I’ll leave it at this for now, though there’s more to be said.)
Consider this.sessioncookie vs manual cookie tweaking
Second, while you show and others here have discussed setting the cookies manually (via those header statements, in our case), do beware that whether it sets a domain on that cookie will depend on other factors…and that may play into what the next request (perhaps to the new pod) may or may not get. And I’ll be focusing on that in a moment. The same goes for other of the cookie attributes you are setting in that code.
I understand why some have historically tweaked those cookies and rewritten them that way (like to change the cookie timeout to have it “expiring on browser close”), but do beware that the NEED for manual cookie tweaking has been replaced with the addition of the this.sessioncookie struct in application.cfc (or the corresponding attribute in cfapplication). This was added in CF10 (2012) and later in Lucee. It’s mentioned briefly in the Lucee docs here.
Again, I understand folks may not want to touch existing code to implement that change, but again I offer it especially for those here who are having session trouble, at least as something to try.
Diagnosing session problems
Finally, I’ve found in diagnosing any session oddities (whether stored in a db or not, whether clustered or not, whether using containers or not, and whether using Lucee or not) that the first key was to see what cookies the CFML request was receiving. Often, you will find that what it’s receiving is NOT what it SHOULD be, for the behavior you want.
So first, lets have you check/log that incoming cookie info on each request (whether you do that on some cfm/cfc page you call or in the application.cfc/cfm that controls it). If you’re using jee sessions, it would be the jsessionid that matters most. As **you show using what lucee calls “cfml” sessions, then I am pretty sure that’s like CF’s default, in which case it’s cfid and cftoken cookies that matter most.
(BTW, have you tried both ways, jvc?)
Be careful how you look for the cookies
When it comes to checking on the cookies coming in, do NOT look at/dump/log the CFML “cookie” scope. That could hold cookie values SET in the request itself before that point (including due to things like such onsessionstart code as you both show, or the engine itself).
Instead, look at the cgi.http_cookie variable, which holds any and all cookies received by the CFML engine from the request. (Granted, that might be manipulated by a web server or other appliance between the user and the CFML engine, but let’s presume for now that is NOT the issue.)
Sepending on that this.sessiontype that Lucee offers, look for the jsessionid value, or the cfid/cftoken pair–within that semi-colon separated list of cookies in that var. You can process/search/extract from it with CFML list functions, of course.
And do look for whether there may be more than one session cookie. I’ve seen that happen with cookies, usually unexpectedly, whether more than one jsessionid or more than one cfid/cftoken pair.)
Does it differ on the instances/pods?
So the key question is: when the request goes to the instance/pod where things “work” (and you say a session is “logged”), what is the session cookie value going into the request there, as compared to going into the pod where you say the 3 things I quoted above?
And if the session cookie value DOES differ, that’s its own question, with things to consider. (You’d want to then look at the cookies as RECEIVED/stored on the browser, to see things like their domain and secure values, as well as the path and httponly values you guys show manipulating. That’s another whole kettle of fish. But let me leave it at this for now.)
Hope that’s of some help, so someone seeing this thread.