Hi,

We are developing a portal on Liferay 6.0.6 and we have the need to integrate with 3rd party tools such as orbeon xforms. The problem is that while the user is filling an xform the liferay session is not extended. To solve that problem we manually call Liferay.Session.extend() from orbeon javascript. This works well on some boxes but we have a problem in prod environment: the session times out..

I think I found the cause of the problem but I am not completely convinced. While doing some javascript debugging, I found out that two cookies were created (LFR_SESSION_STATE). One was at /web context and the other was at web/mycommunity context. I also noticed this cookie get's created a 3rd time if accessing the control panel. This seem to be a big problem for us but for some reason I cannot explain, the problem does not happen on each environments. This is what I suspect is happening:

-The user logs in and he see the page at /web/mycommunity.
-A cookie is created at path /web and the javascript starts a timeout that will execute in 9 minutes (for a 10 minute session with 1 minute warning).
-The user click on a page and he is now at /web/mycommunity/mypage.
-A second cookie is creates at path /web/mycommunity.
-When the timeout created for cookie A executes, the elapsed time since last interaction is 9 minutes so the warning is displayed.
-The problem is that the last interaction occured a few seconds ago but was stored in the second cookie, the first one was not updated since creation.

Also for some reason it seem that only the second cookie is evaluated on my development box, but not on prod. I have found 2 possible solutions:
-Configure a virutal host
-Create an ext plugin that will override session.js as explained here http://java-liferay.blogspot.ca/2012/05/extending-liferays-session-by-ajax-call.html

Both solutions are far from ideal for us. The ext plugin is not suggested as per the liferay docs and the virtual host might not be possible when behind a load balancer. I have compared the session.js code from liferay 6.0.6 with 6.1 and this problem seem fixed in 6.1 and the cookie is set at the root path "/". Upgrading to 6.1 is not an option right now.

I wonder if having duplicate cookies is the regular behavior or is it a bug in 6.0 that was fixed in 6.1?

If this is a 6.0 bug, is there any other way to fix it other than using ext plugins or virutal hosts?

If it's not a bug, could it be a configuration issue? I have noticed we have configured all our pages under "public pages" but we give them access permissions that require a logged-in user. Could it be possible that liferay is having problems to handle private pages in a public context?

I have been having a similar problem, I think. We also use javascript to keep our sessions alive for users - but in our case it is because users in a particular community need longer timeouts than what is set as default for the server: 30 minutes (29+1) I can see two LFR_SESSION_USERID cookies being created - one at the root context ("/") and one at the web-content context. We are on Liferay version 5.2-ee-sp5. However, we are still getting users timing out even tho the javascript technique pings and rejuvenates the web-context session cookies every 28 minutes. After 30 minutes without fail, the session is closed. The user appears to still be logged in, but certain objects stored in the session are unavailable server-side and certain types of calls fail (specifically CISContentRetrieval).

Has anyone stepped up with information on this problem? It seems like maybe the javascript method of using a jquery ajax call to liferay's extend_session is only working for the web-content context session, and that the root context is expiring. Could that be right? If so, how do I get the extend_session call to update everywhere?

Micael, have you sorted this out?