Details:
- Issue: onSessionStart is being called with every API call
- Session ID is renewed each time
- Lucee version: 6.0.3.1
- Application type: RESTful
- Client-side: Angular application
- Web server: IIS with bonCodeAJP13
- Server connection: Secure HTTPS
Assuming you have this.sessionManagement set to true instead of false in your app (which is server default)?
Check this out
Dynamically Enabling / Disabling Session Management In Lucee CFML 5.3.8.201 (bennadel.com)
Below is the configuration in my Application.cfc:
this.applicationTimeout = createTimeSpan(0, 12, 0, 0); // 12 hour session
this.sessionManagement = true;
this.sessioncookie = {httponly=true, timeout=createTimeSpan(0, 0, 0, 10), secure=true, domain="lotusttd.com", sameSite="None"};
this.setclientcookies = true;
this.sessionTimeout = createTimeSpan(0, 0, 30, 0); // 20 minutes session timeout
Is the client that is accessing the API capable of holding/managing cookies and sending them correctly? Just asking because I remember once somebody CURLing such an API and wondering why the sessions are renewed on every call.
allows Angular to send and receive cookies when communicating with Lucee backend. The withCredentials: true option in the interceptor ensures that cookies are included in cross-origin requests.
I'm assuming your subsequent API calls are within 10 seconds (your session cookie expires in 10 seconds)? Is the client being served from a different domain or subdomain than server domain name specified? And, are you seeing the CFID / session cookies in the response received by Angular?
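The checks raised in the replies above (cookie lifetime versus call spacing, cookie domain versus API host, SameSite=None needing Secure, and whether CFID changes between responses) can be run over Set-Cookie headers copied from the browser's network tab. This is an added example, not code from the thread; the function names, the finding labels, the sample header values and the host `api.lotusttd.com` are constructed assumptions.

```javascript
// Added diagnostic sketch; header values below are constructed, not captured from the thread.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).toLowerCase(), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Seconds until the browser drops the cookie, or null for a browser-session cookie.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]);
  if (cookie.attrs.expires) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return null;
}

// responses: [{ at: epoch ms, setCookie: [header strings] }] in call order; apiHost: host the client calls.
function diagnoseSessionCookies(responses, apiHost) {
  const findings = new Set();
  let prev = null;
  for (const res of responses) {
    const cfid = res.setCookie.map(parseSetCookie).find((c) => c.name === "cfid");
    if (!cfid) continue;
    const life = lifetimeSeconds(cfid, res.at);
    if (prev && cfid.value !== prev.value) {
      findings.add("cfid-reissued");
      // The previous cookie had already expired client-side when this call was made.
      if (prev.life !== null && res.at - prev.at > prev.life * 1000) findings.add("cookie-expired-before-next-call");
    }
    const sameSite = String(cfid.attrs.samesite || "").toLowerCase();
    if (sameSite === "none" && !cfid.attrs.secure) findings.add("samesite-none-without-secure");
    const domain = String(cfid.attrs.domain || "").replace(/^\./, "").toLowerCase();
    if (domain && apiHost !== domain && !apiHost.endsWith("." + domain)) findings.add("domain-mismatch");
    prev = { value: cfid.value, at: res.at, life };
  }
  return [...findings];
}

// Constructed sample: two API calls 15 seconds apart, cookie lifetime 10 seconds.
const t0 = Date.UTC(2024, 0, 1);
const sample = [
  { at: t0, setCookie: ["cfid=aaaa-1111; Max-Age=10; Domain=lotusttd.com; Path=/; Secure; HttpOnly; SameSite=None"] },
  { at: t0 + 15000, setCookie: ["cfid=bbbb-2222; Max-Age=10; Domain=lotusttd.com; Path=/; Secure; HttpOnly; SameSite=None"] },
];
console.log(diagnoseSessionCookies(sample, "api.lotusttd.com"));
```

A `cfid-reissued` finding without `cookie-expired-before-next-call` or `domain-mismatch` points away from the cookie attributes and toward the client not sending the cookie back at all.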