The issues seem to have something to do with the combination of database
storage of session data and the sessionrotate() function. With the load
balancer out of the equation, we experienced sessions rotating themselves
before they were due to expire. When we change the session storage to
memory, the problem goes away.
A sample of records in the cf_session_data table shows that after rotating
the cookie, the sessionid is updated but the cfid remains unchanged:
expires cfid name data
1450404504648 a5fabe28… myapp
{‘timecreated’:createDateTime(2015,12,18,11,57,48,346,“Australia/Sydney”),‘sessionid’:‘myapp_1dfcc378…’,‘lastvisit’:createDateTime(2015,12,18,12,8,24,611,“Australia/Sydney”)}
1450405537147 1dfcc378… myapp
{‘timecreated’:createDateTime(2015,12,18,12,25,37,154,“Australia/Sydney”),‘sessionid’:‘myapp_85725018…’,‘lastvisit’:createDateTime(2015,12,18,12,25,37,126,“Australia/Sydney”)}
After a short while, much less than the session expiry, a new session
appears in the database with the cfid of the cookie that was generated when
the session was rotated. The sessionid is updated after I sessionrotate()
and set the session variables in the login procedure:
1450405909758 85725018… myapp
{‘timecreated’:createDateTime(2015,12,18,12,31,49,757,“Australia/Sydney”),‘sessionid’:‘maypp_85725018…’,‘lastvisit’:createDateTime(2015,12,18,12,31,49,757,“Australia/Sydney”)}
Relevant records in the Application.cfc:
Are we doing something wrong or is there a problem storing session data in
a datasource?
Thanks,
Simon