Having issues with session timeout logging me out before the default 20 minutes

[cfcoder]

Working in an app I didn't write and it has an auto logout feature in JS script that warns of pending logout after 20 minutes, with a 5 minute countdown timer. But I commented that out for development so it would be causing the issue I'm about to describe.

The app sends me to the login page after what seems to be 5-10 min. It might be 20 (time flies when you're having fun coding) but I wanted to make it longer. So I added
this.sessionTimeout = CreateTimeSpan(0, 0, 59, 0);
to the /config/app.cfm file but it has no bearing on this. In the CF Administrator, session default is still set to 20 minutes, but my addition above should be overriding it but appears not. My session is dropping after about 10 minutes. Why is this happening?

[MvdO79]

I believe you can't set the session variable timeout larger then set in the administrator settings. So it probably does exactly that, logging you out after 20 minutes.

[cfcoder]

I've made a further discovery about my problem. I have two Commandbox CF servers running simultaneously, each on different ports, each are CFWheels apps. I'll reference them as App1 and App2. When I log into App1, I can reload that page or navigate around in that app just fine. As soon as I log into App2, the next page I try to load or if I simply reload the page still up in App1, it jumps to login page (logged me out). If I immediately reload the page up in App2, it too jumps to the login page.

This should NOT be happening since they are on separate ports of 127.0.0.1. They should know nothing about each other's sessions. The two apps are different versions of the same code base, one is trunk and the other is a branch off of trunk and newer code with enhancements made.

How is the session of App1 influencing the session of App2. It's like they are sharing the same session space, which would be a huge security issue if true.

[neokoenig]

I think (and bear with me, I tend to use JWTs these days so haven't mucked around too much with sessions for a while) - but what you're describing is actually expected behaviour.

Have a look at the cookies being set. By your description, you're running the same app (presumably with the same application name) on the same domain, i.e localhost, but on two different ports.

However, cookies don't know about ports, they just look at the domain set - and can often using wildcards (i.e *.google.com). So what I think is happening is that you log into App1, CF sets a cookie with application name for App 1 (which is the same as App 2) , and then you login to App 2, your cookie for App 2 is being sent to App1 (same domain remember) and then not recognising the session (as indeed, they are seperate) and logging you out.

[cfcoder]

This app doesn't use cookies, so none are set by either app. At least as far as I can tell from the list of cookies associated with 127.0.0.1. Those that are listed are set by the browser and do not change when logged in to either app.

I also checked the app name being used in the /config/app.cfm files of either and they each differ in name. The only think shared between the two apps is the data source settings. But i wouldn't think that has any impact on this behavior.

So I'm still at a loss why this behavior is happening.

[neokoenig]

I suspect a cookie must being set somewhere (or at least some token must be being sent which the browser stores).... but either way: A shared datasource can absolutely make a difference IF you've told the CF/lucee to use database based sessions (vs being in memory).... it'll be reading off the same table, so will get confused as hell probably.

[cfcoder]

I checked and CF Adobe 2018 settings and my sessions are based on cookies as a client based text file. But at least in Brave, no cookies are written at login time. Maybe they are hidden from view or something, which is not usually the case.
Looks like cookies are being written using jQuery.cookie at login time. Now sure why the browser doesn't show them under the settings drill-down to cookies view.

[cfcoder]

While I haven't found the smoking gun, I think this is the cause given that using a different browser prevents the logout. I even tried opening a completely different app at 127.0.0.1 (in the same browser as app1) and it too forced the logout of all sessions in app1 and the new app3. So I think your intuition is correct. Just wish I knew how to prevent this in my development space. But I'll go with the work-around Peter suggests, to use two different browsers.

[neokoenig]

Ideally set a subdomain; so in commandbox set server.json to use app1.localhost etc.

Look at Chrome devtools and look at application > cookies.
check that cfid / cftoken don't use .localhost and instead use app1.localhost (as an example). That way cookies will only be sent to the subdomains which match that.

[cfcoder]

Cookies are shown there (I was previously looking under the browser Settings which I've learned no longer shows cookie values like they used to (in Chromium based browsers, such as Brave and Chrome). The DevTools does as you suggest.
You suggestion works. I set the host in the server.json file as you suggested and now it writes CFTOKEN and CFID cookies to dev.localhost, provided I use that as my url. If I revert back to using my 127.0.0.1 it conflicts with the other app.

So that is the solution after all. I'll plan to use subdomains.

[bpamiri]

A quick test might be to open the two apps in different browsers. i.e. FireFox for one and Chrome for the other. As @neokoenig mentioned this sounds like the way sessions are controlled at the CFML engine level. Commandbox will use the app name in the server.json file. So looking at box server list will show if two distinct servers are being created.

Using the two different browser will make sure the two are not conflicting from the browser level, looking at the commandbox server list, will point out if the two are conflicting on the server level.

[cfcoder]

Thanks for the suggestion, Peter. That works in that it won't conflict and log me out of either app. I usually use Brave (Chromium engine) but for the 2nd browser I tried Firefox.

BTW I did check the server.json files for both apps and the names I had made different as I was having issues with the Start and Stop commands in Commandbox being confused. So their names differed already. I've checked the CFConfig.json files (Commandbox Config lets you save the CF Administrator settings there) and they differ in the relevant identifications of each.

[bpamiri]

Sometimes, if you have a "session cookie" don't know the term for it, but basically a cookie that doesn't have an expiration date. Then it isn't written and only kept in the browser's memory. That may be another thing confounding your issue. Glad to hear that using two different browsers helped at least.