Session troubles between sites on Win2022/IIS

I have two sites running on a Win 2022/IIS server. Both have separate app pools/directories/web contexts. The code and folder structure is exactly the same with the exception of the root Application.cfc file. This file has one difference, which is the application name. Site one has and site two has . When I access site one “acportal” everything works great when logging in. All sessions that get set during authentication get maintained. If I try to access the second site “acportalDEV” the site sessions are not stored below the root folder.

If I restart Lucee on the server, whatever site gets accessed first, “acportal” or “acportalDEV”, works with sessions and the second one does not work. It will flip-flop after a Lucee restart.

I’ve been migrating from ACF to Lucee for about 6 months and so far just some code updates and we’ve been good! Feel like I am missing something simple here. Thanks in advance for any direction!

Here is the application.cfc code:

<cfcomponent>
  <!--- set up the app info --->
  <cfset this.name = "acportal">
  <cfset this.applicationTimeout = createTimeSpan(0, 8, 0, 0)>
  <cfset this.sessionManagement = "YES">
  <cfset this.sessionTimeout = createTimeSpan(0, 1, 0, 0)>
  <cfset this.setClientCookies = "YES">
  <cfset this.scriptProtect = "All">
  <cfset this.mappings["/rooty"] = getDirectoryFromPath(getCurrentTemplatePath()) />

  <!--- Set page request settings. --->
  <cfsetting requesttimeout="60"
             showdebugoutput="true"
             enablecfoutputonly="false" />

  <!--- Application Scope - Fires when the application is first created --->
  <cffunction name="OnApplicationStart" access="public" returntype="boolean" output="false">
    <!--- dsn info --->
    <cfset application.acglobaldsn = "acglobal">
    <cfset application.acdwdsn = "acdw">
    <cfset application.accos = "accos">

    <!--- user content upload directory --->
    <cfset thisPath = expandPath("/")>
    <cfset ProfilePhotosFolder = "assets\global\profile_photos\">
    <cfset TempPhotosFolder = "assets\global\temp_photos\">
    <cfset application.ProfileUploadDir = "#thisPath##ProfilePhotosFolder#">
    <cfset application.TempUploadDir = "#thisPath##TempPhotosFolder#">
    <cfreturn true />
  </cffunction>

  <!--- Session Scope - Fires when the session is first created --->
  <cffunction name="onSessionStart" returntype="void" output="no">
    <cfif not isDefined("cookie.CFID") and isDefined("session.CFID") and isDefined("session.CFToken")>
      <cflock scope="session" type="readonly" timeout="5">
        <!--- store the ID/Token so that we don't lose them. --->
        <cfcookie name="CFID" value="#session.CFID#" secure="Yes" httpOnly="true">
        <cfcookie name="CFToken" value="#session.CFToken#" secure="Yes" httpOnly="true">
      </cflock>
    </cfif>
  </cffunction>

  <!--- On Request Scope - Fires at first part of page processing --->
  <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
    <cfargument name="template" type="string" required="yes">

    <!--- Log out code --->
    <cfif structKeyExists(url, "logout")>
      <cfset structClear(session) />
    </cfif>
    <!--- the function was not closed in the original, which nested OnError inside it --->
    <cfreturn true />
  </cffunction>

  <!--- On Error Scope - Fires when an exception occurs that is not caught by a try/catch --->
  <cffunction name="OnError" access="public" returntype="void" output="true">
    <cfargument name="Exception" type="any" required="true" />
    <cfargument name="EventName" type="string" required="false" default="" />
    <!--- Log all errors in the DB. --->
    <cfquery name="inserterror" datasource="#application.acglobaldsn#">
      INSERT INTO tbl_log_error (page, type, message, detail)
      VALUES (<cfqueryparam value="#listLast(cgi.script_name, "/")#" cfsqltype="CF_SQL_VARCHAR">,
              <cfqueryparam value="#arguments.Exception.type#" cfsqltype="CF_SQL_VARCHAR">,
              <cfqueryparam value="#arguments.Exception.message#" cfsqltype="CF_SQL_CLOB">,
              <cfif isDefined("arguments.Exception.detail")><cfqueryparam value="#arguments.Exception.detail#" cfsqltype="CF_SQL_CLOB"><cfelse>'none'</cfif>)
    </cfquery>
    <!--- display the error --->
    <cfdump var="#arguments.Exception#">
  </cffunction>
</cfcomponent>

Don’t forget to tell us about your stack!

OS: Windows Server 2022 (Running IIS)
Java Version: 11.0.20.1 (Eclipse Adoptium) 64bit
Tomcat Version: 9.0.80
Lucee Version: 6.0.0.585

Hi!!! What do you mean by that exactly?

Have you tried accessing the sites with different browsers (in incognito mode)?

Another question… What are you doing that for? Since you have setClientCookies set to true, isn’t that conflicting? setClientCookies will always try to set cookies and you are overwriting those.

Ah, I should have been more clear. Folder structure looks like this:

+-- Root
|   +-- Application.cfc (included sample cfc)
|   +-- login.cfm (authentication page)
|   +-- Securefolder
|   |   +-- Application.cfc (uses SUPER.OnRequestStart to check the user is logged in)
|   |   +-- appstart.cfm (page user starts on once logged in)

A user attempts to log in and once authenticated is sent to the appstart.cfm page with sessions set. This works great in site1 but in site2 the user gets immediately sent back to the login page because the session.login is not defined.

And for your second part… agreed, that setClientCookies should be off since we are handling the cookies manually. I am guessing it is some older inherited code, I’d say. I only code part time and have a tendency to reuse code once it works and not update my skill set as much since it’s a side hustle for me (usually when I have an idea and can’t sleep). I’m going to clean up the Application.cfc (switch back to letting Lucee handle the sessions since I think that cfcookie stuff was written for ACF10). So odd it works in one site but not the other though! I will post again after some rewrite and testing. Thanks for the second set of eyes. I appreciate it.

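As an added example (not the poster's code), this is what the cookie handling looks like once it is delegated to the engine, as the reply suggests: the Secure/HttpOnly flags that the old onSessionStart set by hand move into Lucee's this.sessionCookie struct, no domain attribute is given so www. and test. each get host-only CFID/CFTOKEN cookies, and logout invalidates the session instead of only emptying it. The this.sessionCookie key names and sessionInvalidate() are assumed from Lucee 5.3+ and should be checked against the installed version; none of this addresses the 6.0.0.585 behaviour the thread later settles on.

```cfml
<cfcomponent>
  <cfset this.name = "acportal">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 1, 0, 0)>
  <cfset this.setClientCookies = true>

  <!--- Engine-issued session cookies with the hardening flags. Omitting
        "domain" keeps the cookie host-only, so two sites on sibling
        subdomains do not read each other's CFID/CFTOKEN.
        Key names assumed from the Lucee this.sessionCookie struct. --->
  <cfset this.sessionCookie = {
    httpOnly: true,
    secure: true,
    sameSite: "Strict",
    timeout: createTimeSpan(0, 1, 0, 0)
  }>

  <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
    <cfargument name="template" type="string" required="true">

    <!--- Logout: drop the server-side session so the old CFID/CFTOKEN pair
          stops resolving, instead of structClear() which leaves the same
          identifiers valid for an empty session. --->
    <cfif structKeyExists(url, "logout")>
      <cfset sessionInvalidate()>
      <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL --->
      <cflocation url="/login.cfm" addtoken="false">
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```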

I’ve cleaned up the Application.cfc file by removing:

<!--- Session Scope - Fires when the session is first created --->
<cffunction name="onSessionStart" returntype="void" output="no">
  <cfif not isdefined("cookie.CFID") and isdefined("session.CFID") and isdefined("session.CFToken")>
    <cflock scope="session" type="readonly" timeout="5">
      <!--- store the ID/Token so that we don't lose them. --->
      <cfcookie name="CFID" value="#session.CFID#" secure="Yes" httpOnly="true">
      <cfcookie name="CFToken" value="#session.CFToken#" secure="Yes" httpOnly="true">
    </cflock>
  </cfif>
</cffunction>

allowing Lucee to handle the sessions. Restarted the server and still have the same issue. After restarting the server, whatever site gets accessed first after the reboot wins and is the running site. I am starting to think this may be an issue with the CFID/CFTOKEN cookies. I noticed that the two cookies are ignoring the subdomains test.analystandco.com and www.analystandco.com. The cookies are being set at the root .analystandco.com only.

I did try adding and checked the setting in the admin, but it didn’t seem to make any difference in the cookie. I have also run one site in incognito mode (and tried multiple browsers).

I also cloned the VM and put one site on each VM and they both work fine that way. I just can’t run them on the same server.

Do you have some type of https working on one site and another not?

They both have their own certs for their subdomains.

Finally fixed it. Things tried:

  1. Added a new site to the server with a different domain name and ran a copy of the application in the new site. Still the same issue. This tested cookie issues with subdomains.
  2. Removed all certs and reverted to port 80. Tested SSL issues.
  3. Tested the same server config (Windows, IIS, etc…) with ACF: no issues.
  4. Tested the same server config (Windows, IIS, etc…) with Lucee 5.4.4.38: no issues.

After test #4 I went back to my Lucee 6.0.0.585 and downgraded back to 5.4.4.38, and everything began to work again as expected. The fix was downgrading from 6.0.0.585. When I have a bit more time I will see if I can repeat and pinpoint the potential issue with running 6.0.0.585 and file a bug (if there is a definitive one).
