> Opening a private browser window will always solve the problem. With that
> in mind, what's the best way to reset cookies on session start? I am using
> application.cfm. What could cause this? Underlying CF code from the
> current site has barely changed.

The problem, I think, is related to changes in session management in recent releases of CF to prevent session fixation vulnerabilities, etc. You might have CFID/CFTOKEN cookies that have different domain attributes, and CF is looking at the wrong ones, if I recall correctly.

Here's a workflow description from a guy who's smarter than me:

- go to a site that uses restricted cookies:
  -> a cookie gets created (e.g. only valid for the path /admin);
- visit a page on the same domain, but outside the restriction:
  -> browser doesn't send cookie;
  -> a new cookie gets created (valid for /);
- go back to the restricted area:
  -> browser sends both cookies.

The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357877
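
The workflow described in the reply above, replayed as an added example (not part of the original post and not ColdFusion's own code): a minimal cookie jar using RFC 6265 path matching shows why the browser ends up sending two CFID cookies, and a server-side check flags the duplicate. The cookie values, request paths and function names are constructed for illustration.

```javascript
// Added illustration. Cookie values and request paths are constructed samples.

// RFC 6265 section 5.1.4: does a cookie's Path cover the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; this.seq = 0; }

  // A cookie's identity is (name, path) here (domain is held constant), so
  // the same name under two paths is stored as two separate cookies.
  set(name, value, path) {
    this.cookies = this.cookies.filter(c => !(c.name === name && c.path === path));
    this.cookies.push({ name, value, path, created: this.seq++ });
  }

  // Build the Cookie header: longer paths first, then older cookies first.
  header(requestPath) {
    return this.cookies
      .filter(c => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Server-side check: cookie names that occur more than once in one header.
function duplicateCookieNames(header) {
  const counts = new Map();
  for (const pair of header.split(';')) {
    const name = pair.split('=')[0].trim();
    if (name) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Replays the three steps; the server issues a new CFID when none arrives.
function replayWorkflow() {
  const jar = new CookieJar();
  jar.set('CFID', '1001', '/admin');            // step 1: restricted cookie
  const outside = jar.header('/index.cfm');     // step 2: nothing is sent
  if (!/CFID=/.test(outside)) jar.set('CFID', '2002', '/');
  const back = jar.header('/admin/index.cfm');  // step 3: both are sent
  return { outside, back, duplicates: duplicateCookieNames(back) };
}
```

A non-empty result from `duplicateCookieNames` on an incoming request is the signal that stale session cookies with another scope are still in the browser and need to be expired with the same path they were set with.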

