[Looking for Charlie's main web site?]

Tracking number of CF sessions per application easily, and why you should care

Posted At : January 22, 2009 4:30 PM | Posted By : Charlie Arehart
Related Categories: cf911, tuning, monitoring, troubleshooting, CF Server Monitor

Ever wanted to count how many sessions are active on your server, in total and per application, whether on CF 7 or 8? And regardless of whether you're using CF's regular sessions or the "new" J2EE sessions feature introduced in CF 6? Would you be surprised to find you could have a shocking number of active sessions?

Here's a nice simple solution, the free ServerStats tool, that provides that info. It's from Mark Lynch and while a couple years old still works just fine. Besides printing out the total count of sessions and the count per application, it also some information about CF memory use, number of processors, and more.

Of course, some will want to point out that the CF 8 Server Monitor offers session and memory info, but for those not on CF8 Enterprise, this is a useful alternative. Also, some may want to point out that the solution described here uses internal objects that may be disabled (and are also undocumented and unsupported). I discuss both these points below. There are also some other approaches people take, which I also mention briefly.

Why care about number of sessions?

So why care so much about how many sessions are active on a CF server? If there are 10 or 20, or maybe a 100, does it really make a difference? No, not likely. But what if you find that there are 90,000? I'm not kidding. I was helping someone just last week when we discovered this. It's not as unusual as you may think.

Often when I'm helping people solve problems with their CF servers, one of the first things I want to help them discover is just how many sessions they have active at any time. With the potential impact of spiders and bots creating huge numbers of sessions, which could have an impact on memory and also on other aspects of performance, it's definitely one of the first things to look into.

So how's Mark's code tracking them?

Mark's entry is a summary of things he'd discussed in a few blog entries about how to leverage internal CF/Java objects to provide the info, and that one entry offers a downloadable zip with a single CFM file and a directory of CFCs and custom tags. You can just extract the zip into a web-accessible directory and run it. No need to create custom tag mappings, etc.

Many folks have known about and blogged about these internal CF/Java objects, coldfusion.runtime.SessionTracker and coldfusion.runtime.ApplicationScopeTracker, over the years. They're undocumented and unsupported, so you use them at your own risk, but again I've confirmed that Mark's code works against CF 7 and 8 (and I'll assume 6 as well.) You can google to learn more from him and others on these.

CF8 Enterprise has other solutions

Of course, those on CF 8 Enterprise (or Developer) have still other approaches to this, whether in the CF8 Server Monitor (see its active sessions page) or the Admin API's servermonitoring.cfc. But if you're not CF8 Enterprise (and even if you are) this solution can help.

(For any who may wonder, no, neither FusionReactor nor SeeFusion offer this info, since it's technically internal to CF. They could call upon these methods, but since they're undocumented, I can understand that they choose not to. And while they could call upon underlying J2EE objects for J2EE sessions, those would not work for those who don't use J2EE sessions.)

JRun Metrics and other solutions

And yes, there's still another way to get at least a count of all J2EE sessions, using the available JRun Metrics. While it has the benefit of tracking the info over time, it does track the session count only if you've enabled J2EE Sessions in the CF Admin, and even then it tracks only the total of all sessions, not a count per app.

Of course, there have been various solutions offered to solve the problem of session tracking, such as those that track sessions in code (within your application) by storing them in an array in the application or server scope, and so on. The nice thing about using the internal CF/Java objects is that the apps being tracked don't need to be altered at all.

Potential Security Gotcha

Of course, therein lies a potential security risk. Anyone running such code on any CF server can have access to the sort of info that these internal CF/Java objects offer. The example above (Mark Lynch's) doesn't really expose much to worry about (unless the names of apps on a server is sensitive, where one user on the server shouldn't know that another app exists on it, which may be true in a shared hosting environment.) But more important, if one digs deeper into these objects, they do expose more details, including the values of variables in session scopes across all applications. That could be considered very sensitive.

As such, there have long been a couple of solutions that Adobe has provided to enable an administrator to shut down the use of these internal objects.

First, in CF 5 and above, it's been possible to set security for the entire server (or a given app in CF Enterprise) to make it impossible to call any Java objects (yes, you could call Java objects starting in CF 4.51). To learn more about this option, called Resource Security in CF Standard, and Sandbox Security in CF Enterprise, see my 2-part article series for the Adobe Security Developer Center from Sept 2002, "ColdFusion Security, Part One: Understanding Sandbox/Resource Security" and "Part Two: Sandbox/Resource Basics", both available at my articles site.

That approach is a little brute-force though, and throws the baby out with the bathwater if you have legitimate use of java objects.

So in CF8 finally, Adobe added a new feature that permits an Administrator to disable JUST access to the these underlying internal CF/java objects. See the CF Admin "Server Settings" section, "Settings" page, and its "Disable access to internal ColdFusion Java components" checkbox. The option takes effect immediately.

It's certainly more effective if one wants to control to this info, but of course it will make code that relies on it fail, with an error like:

Permission denied for creating Java object: coldfusion.runtime.SessionTracker

I'll point out that since most of the folks I help with run their own servers, they're just not worried about disabling these internal java objects, since they can control what code runs on the servers.

So if you want to quickly find out how many sessions you're running, per application, check out Mark's code. You can also get much more info from these internal objects, if you want to explore. I'm working on a tool to provide some still more powerful information that I started working on years ago based on these objects. But until that's ready, I had occasion today to point out this working alternative to a customer, and thought I'd pass it along here.

Comments (0)

Related Blog Entries

Some code to throttle rapid requests to your CF server from one IP address (May 21, 2010)

Comments

There are no comments for this entry.

[Add Comment]

RSS

Recent Comments

Sending HTTP headers in a
CFHTTP request? Name them
correctly

Web Services said: Nice writing. I think your website should come up much higher in the search results than where it is ... [more]

Sending HTTP headers in a
CFHTTP request? Name them
correctly

Kevin Marshall said: Great post, thanks for this information....

Is Dreamweaver crashing when
you try to use Help? Here's a
solution

Liz said: I finally got tired of having Dreamweaver crash when I had the audacity to ask it a question instead ... [more]

CF911: Have you updated your
#ColdFusion JVM to _24 yet?
Important security fix for CF
8/9

Charlie Arehart said: Just a note for any who may do this JVM update. While it is supported and even recommended by Adobe, ... [more]

CF911: Lies, Damned Lies, and
CF Request Timeouts...What
You May Not Realize

Charlie Arehart said: Thanks for that, Kit. Great stuff. No, no one had shared it before. Could see how that could be a us ... [more]

Calendar

Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29

About

A veteran ColdFusion developer and troubleshooter since 1997, Charlie Arehart is a longtime contributor to the community and recognized Adobe Community Professional. He's written nearly 100 articles for the CFDJ, FusionAuthority Quarterly Update, Adobe DevCenter, CommunityMX and more, as well as hundreds of blog entries. A contributor to all 3 volumes of the CF8 and CF 9 Web Application Construction Kit books by Ben Forta et al, he was also co-author of the ColdFusion Anthology, CFMX Bible, and others. Charlie's a certified Advanced CF Developer and Instructor for each release since CF 4, and he's presented nearly 100 talks to hundreds of developer conferences and user groups worldwide. He's now an independent consultant and trainer living in Alpharetta, GA, and he runs the Online ColdFusion Meetup as well as the UGTV library of recorded CF presentations from speakers around the world, as well as the CF411.com repository listing hundreds of tools and resources for CFers.

You can reach Charlie by email at charlie (at) carehart.org, or you can follow him on twitter, @carehart. This blog is one resource among several within http://carehart.org/, where you can also find out more about him.

In fact, if you'd like his help, he's available for consulting for as little as 15 minutes.

Appreciate any of the resources he's offered? Here's his Amazon Wishlist. :-)

Archives By Subject

ace program (3) [RSS]
admin (25) [RSS]
AIR (1) [RSS]
ajax (7) [RSS]
aptana (1) [RSS]
basics (5) [RSS]
blogcfc (6) [RSS]
blogging (5) [RSS]
bluedragon (3) [RSS]
breeze (4) [RSS]
captchas (3) [RSS]
carehart classics (2) [RSS]
CF Server Monitor (16) [RSS]
cf411 (1) [RSS]
cf8 (38) [RSS]
cf9 (9) [RSS]
cf911 (30) [RSS]
CFBuilder (13) [RSS]
cfdj articles (3) [RSS]
cfeclipse (11) [RSS]
cfform (2) [RSS]
CFFundamentals (3) [RSS]
cfml (31) [RSS]
cfmx (6) [RSS]
cfmythbusters (5) [RSS]
cfunited (8) [RSS]
charting (1) [RSS]
coldfusion meetup (14) [RSS]
coldfusion meetup events (99) [RSS]
community (9) [RSS]
connect (8) [RSS]
contributions (10) [RSS]
debugging (11) [RSS]
derby (6) [RSS]
dwmx (3) [RSS]
editors (8) [RSS]
faith (1) [RSS]
flex (3) [RSS]
fusionanalytics (2) [RSS]
fusiondebug (23) [RSS]
fusionreactor (24) [RSS]
general (43) [RSS]
hidden gems (3) [RSS]
homesite+ (2) [RSS]
ibatis (1) [RSS]
introduction (2) [RSS]
java (3) [RSS]
javascript (2) [RSS]
jdbc (6) [RSS]
keyboard shortcuts (4) [RSS]
logparser (1) [RSS]
logs (3) [RSS]
monitoring (24) [RSS]
mura (1) [RSS]
news (11) [RSS]
odbc (0) [RSS]
oo (1) [RSS]
orm (2) [RSS]
performance (9) [RSS]
personal (1) [RSS]
podcasts (4) [RSS]
railo (1) [RSS]
reporting (1) [RSS]
resource lists (21) [RSS]
scorpio (2) [RSS]
security (2) [RSS]
seefusion (7) [RSS]
speaking (57) [RSS]
spry (8) [RSS]
sql server (10) [RSS]
subversion (1) [RSS]
tips (21) [RSS]
tools (36) [RSS]
tools_resource_list_series (10) [RSS]
training (7) [RSS]
trivia (1) [RSS]
troubleshooting (30) [RSS]
tuning (10) [RSS]
ugtv (11) [RSS]
user groups (13) [RSS]
vista (2) [RSS]
web services (7) [RSS]
webcasts (3) [RSS]
writing (17) [RSS]
zeus (2) [RSS]

Things I'm Involved In

>

Contact me

Shelfari

Enter your email address to subscribe to this blog.

BlogCFC was created by Raymond Camden. This blog is running version 5.005.

Managed Hosting Services provided by