As you know, client variables are keyed off of cfid and cftoken which MUST
be passed via cookie or url in order to maintain state.  What you might not
know is that client variables are also keyed off of the application name (as
specified in <cfapplication...>).  Make sure the application name is the
same for the http site and the https site and perhaps that will fix it.

+-----------------------------------------------+
Bryan Love
  Database Analyst
  Macromedia Certified Professional
  Internet Application Developer
TeleCommunication Systems
[EMAIL PROTECTED]
+-----------------------------------------------+

"...'If there must be trouble, let it be in my day, that my child may have
peace'..."
        - Thomas Paine, The American Crisis

"Let's Roll"
        - Todd Beamer, Flight 93



-----Original Message-----
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 7:26 AM
To: CF-Talk
Subject: Client variables and SSL problem


Hi folks,

I'm working with a client who has a legacy (read that as pretty poorly
written) ColdFusion 5 application and I'm experiencing some weirdness with
client-scoped variables when the protocol changes from http to https (which
it does somewhat randomly on their site).

Client variables hold the login information. Everything works fine for users
on the http portion of the site. Many users (NOT all -- some work fine) get
the "you are not a registered user, please login" which is triggered by the
absence of client variables when they move from the http portion of the site
to https. 

The problem has gotten worse recently, which correlates with some changes I
have made. I enabled "setDomainCookies" since the site is moving to a
cluster. I moved the physical location of the client variable storage from
one MSSQL database (on the same box) to a dedicated database server -- I
copied the client variable storage database from the original to the new
machine. I've also renamed the underlying machine for the web site (again,
as part of the cluster rollout) and it's a Win2k box running Apache 1.3 and
OpenSSL (which is possibly relevant since SSL/https is where the issue
occurs).

Any ideas? I'm combing through the code archives to see if anything else
changed, but I'm puzzled. I honestly think there's some pretty bad code in
the whole security process, but the site was working more reliably in the
past so it can't simply be "the code is garbage".

Regards,

John Paul Ashenfelter
CTO/TransitionPoint

