Lucee Session expires after 10 Minutes using Docker and Nginx

I use Lucee 5.4-nginx in Docker. In Lucee admin the session timeout is set to 30 minutes and in Application.cfc to 2 hours. However, the session times out after 10 minutes. On the Lucee server, without Docker and with Apache2 and Tomcat, everything works, but I want to switch to Docker.

Dockerfile:

FROM lucee/lucee:5.4-nginx

#Nginx Configs
COPY config/nginx/ /etc/nginx/
#Lucee Configs
COPY config/lucee/ /opt/lucee/web/
#Password
COPY config/lucee-admin/password.txt /opt/lucee/server/lucee-server/context/password.txt
#Copy WWW to Container
COPY www /var/www

docker-compose.yml

version: '3'
services:
  web:
    build: .
    ports:
      - "80:80"
    volumes:
      - ./www:/var/www
    environment:
      #TimeZone / Locale
      TZ: Europe/Berlin

Nginx Config:

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    server {
        listen 80;
        server_name localhost;

        location / {
            proxy_pass http://127.0.0.1:8888;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

The first thing I thought was that the time zone was set wrong. Well, it was, but that didn't solve the problem. Then I tried to find out on different websites if Nginx kills the session, but couldn't find anything specific.

If you need more information, let me know. I don't know what else I can do.

Can you share your Application.cfc settings relating to sessions?

Also, what do the Set-Cookie headers look like when you first hit the app (i.e. in incognito with devtools open)?

I have a couple more diagnostics.

First, you should make sure the lucee instance isn't somehow restarting, as that would certainly appear as sessions seemingly "expiring". See the logs (docker compose logs). BTW, though it may be tempting, don't judge based on whether the container has restarted (the uptime as reported in docker compose ps), as lucee could restart WITHIN the container without necessarily restarting the container itself (I'm saying it's possible, not likely).

Second, adding to Zac's suggestion (and assuming the timeout is in your app vs only the lucee admin itself), add also a dump of both the session and cookie scopes, and the cgi.http_cookie var (which lists any and all cookies passed in on the request). And track these before and after this "session expiration". These will show if the cookies used are changing... both as coming in and as may be set by lucee.

Like you I'd have first wondered if nginx was the culprit here, since it's seemingly a key variant between your working and not-working setups. But I, too, found no obvious settings for it of this sort.

That's why we now just need to gather more evidence. "The answer is out there."

2 Likes

Thanks for your reply.

It should be noted that we store the session in a database table.

Application.cfc Scope handling:

<cfset this.sessionType = "application">
<cfset this.sessionStorage = "zelc_session">
<cfset this.Sessionmanagement=true/>
<cfset this.sessionTimeout="#createtimespan(0,2,0,0)#"/>
<cfset this.applicationtimeout="#createtimespan(0,2,0,0)#"/>
<cfset this.setClientCookies=true/>

<cfset this.clientManagement = false>
<cfset this.clientTimeout = createTimeSpan(0, 4, 0, 0)>
<cfset this.clientStorage = "cookie">

<cfset this.setDomainCookies = false>
<cfset this.setClientCookies = true>

<cfset this.localMode = "classic">

<cfset this.bufferOutput = true>
<cfset this.compression = false>
<cfset this.suppressRemoteComponentContent = false>

<cfset this.typeChecking = true> 

Session:

<cfset this.datasources["zelc_session"] = {
        class: 'com.mysql.cj.jdbc.Driver',
        connectionString: 'jdbc:mysql://#this.ip["db1"]#:6033/zelc_session?useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true',
        username: 'xxx',
        password: "xxx",
        connectionLimit: 100,
        storage: true
    }>

Cookie & Database entry:

What I found out since this morning. I had deleted the container in order to regenerate it. Then I created the container about 20 minutes later, and after I started the container, my session was still there. It did not expire after 10 minutes as it usually does. Despite the fact that the server was stopped (container deleted).

Thank you.

The composer logs seem normal.

The last entry is only the server startup. I only created the first session after the last log.

10-Aug-2023 15:34:32.628 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2273] milliseconds

The dumps of the session look like this.
As soon as I call up the application in incognito, the structure is empty. After I log in, the variables I need are set normally. After 10 minutes, the structure is empty again, the entry is deleted from the database and a new one is created.

As soon as the session expires and I execute something in the application, e.g. press a button, follow a link to a subpage, the cookie scope and the variable look like this:
I can only upload one image. That's why I've put the two screenshots together:
[Image: cookie]

have you named the application?

1 Like

Yes, I've named my application.

<cfset this.name = "zeManage" />

Because we want to run only one Docker container locally (test system), developing several ColdFusion applications, I have an ApplicationProxy.cfc with all server settings, so that the server settings do not have to be inserted in each application. (In the live system, of course, each application has a Docker container. The system is exactly the same as in the test, except that there is only one application per container). Each application has its own Application.cfc, which extends ApplicationProxy.cfc. Anyway, the session still ends after 10 minutes when I merge the two files.

<cfcomponent displayname="Application" output="true" hint="Handle the application." extends="ApplicationProxy">
    ...

It should be noted that we exported the settings from our currently running test server. (Lucee server without Docker, with Apache2 and Tomcat on a local server). These settings are in ApplicationProxy.cfc

@Rene for the sake of troubleshooting and making sure we're on the same page, can you please pare the code involved back to the minimum amount of code that demonstrates the issue.

Start with a Dockerfile, docker-compose.yml file, an Application.cfc and test.cfm. Share the code with us. All of it (github repo or something? Or a gist with all the files would do). Include the docker compose commands you run to bring up the container.

In Application.cfc have event handlers for application, session and request events, which write something to a log file so we can see when/if they're firing. And just minimal application & session management config. Start with sessions in memory unless it's only reproducible with sessions in a DB (makes the code more portable).

Odds-on a minimal config won't have the issue; start adding more environmental / config stuff until you can reproduce...

1 Like
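
The minimal Application.cfc suggested above, as an added example that is not part of the original thread or the poster's code: it logs application, session and request events, and writes only short SHA-256 fingerprints of the session id and the incoming cookie header, so the log shows whether they change without storing the identifiers themselves. The names sessionRepro, sessiondebug, logEvent and fp are assumptions made for this example.

```cfml
// Application.cfc - constructed minimal repro (example code, not the poster's)
component {
    this.name = "sessionRepro";                          // hypothetical application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 2, 0, 0);    // 2 hours, as in the thread
    this.applicationTimeout = createTimeSpan(0, 2, 0, 0);
    this.setClientCookies = true;
    // Start in memory; to compare with the setup in the thread, point this
    // at a datasource that is defined with storage: true.
    this.sessionStorage = "memory";

    // Writes one line to the hypothetical "sessiondebug" log.
    private void function logEvent(required string event, string detail = "") {
        writeLog(file = "sessiondebug", type = "information",
                 text = arguments.event & " " & arguments.detail);
    }

    // Short fingerprint: enough to see a value change, not enough to reuse it.
    private string function fp(required string value) {
        return left(hash(arguments.value, "SHA-256"), 12);
    }

    public boolean function onApplicationStart() {
        logEvent("onApplicationStart");
        return true;
    }

    public void function onSessionStart() {
        session.createdAt = now();
        logEvent("onSessionStart", "sid=" & fp(session.sessionid)
            & " cookies=" & fp(cgi.http_cookie));
    }

    // No request is attached here, so only the passed-in scope is used.
    public void function onSessionEnd(required struct sessionScope,
                                      required struct applicationScope) {
        logEvent("onSessionEnd", "sid=" & fp(arguments.sessionScope.sessionid));
    }

    public boolean function onRequestStart(required string targetPage) {
        logEvent("onRequestStart", "page=" & arguments.targetPage
            & " sid=" & fp(session.sessionid)
            & " created=" & (session.createdAt ?: "n/a")
            & " cookies=" & fp(cgi.http_cookie));
        return true;
    }
}
```

A repeated onSessionStart line with an unchanged cookies fingerprint means the browser kept sending the same cookie and the server side re-initialised the session; a changed fingerprint points at the cookie itself.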

Thanks for your response. I was able to isolate the problem to the point that I found out that every 10 minutes the OnSessionStart() function is executed in my Application.cfc.

The session is not being killed, just the function is being executed.

The OnSessionEnd() function is never executed for whatever reason. No idea what the function is for.

In the OnSessionStart() function, I just reset my login variables "session.isLogin = false", and I check in my main document if the session.isLogin variable is false, that the session scope is cleared. On Monday, I can provide a small application (GitHub) which demonstrates the problem. I have no idea why this function is called every 10 minutes.

1 Like

If you are keen, there are existing test cases for these types of problems

Adapting one of them would be the best demonstration of the issue as a PR

Here is a good example, I recommend checking out lucee 6 and trying to adapt the test case to repo

with 6 you can easily just run one test using ant -DtestFilter="3264"

1 Like

The error in this case is the database session storage. I noticed the same behavior and posted this already: Session storage memory vs. dsn

If you switch to memory storage, it will work fine (I use docker with nginx too).

2 Likes

Thanks, but we can't switch to using memory storage. We have several servers with the same application and a proxy that distributes the users among the machines according to the load of the server. So that the session does not expire we use the Database Storage. Now we are planning to switch to Docker.

Which Lucee version works with Database Storage?
Your proxy could use a sticky session and forward the user always to the same instance.

ahh, that one slipped thru the cracks, file a bug plz

1 Like

Okay, I'll report a bug

@Michael_Diederich The problem is, if a server crashes the user has to log in again. (Online Wholesale Shop)

If the session is in the database, it is still on the other server.

[LDEV-4670] - Lucee bug created

3 Likes

Thx

@Michael_Diederich that was a wonderful catch! :clap: nice move!

1 Like