> I think it was pretty clear that code he listed was being used solely to > diagnose a problem
Precisely. Its the production environment but not the production site. I'm testing with some old in-office desktops that mimic the problem reported to us by users when this site was live for roughly 24 hrs before I pulled it. > The best solution, in my opinion, is to switch to J2EE sessions, > assuming you can invest the time and effort to do that. Seeing as my efforts on this seem to be going nowhere (old browsers will occasionally start working but always revert after a TBD period of inactivity) that sounds like good advice. Working on that now. And its all happening on a CF-based site that has been humming along in its present form since 2006... all we did was make it prettier... re-skinned it with a different front end. And it still works fine for the majority of visitors. > Any chance you are using Chrome in Incognito mode? Nope. The only place I can replicate the issue is on IE8 running on XP. >Or maybe you have an add on that is killing cookies. That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches. On Fri, Mar 7, 2014 at 11:44 AM, Carl Von Stetten <[email protected]>wrote: > > I forgot about the persistence issue. Personally, I consider the lack > of session persistence to be a security benefit. But not everyone will > agree. > -Carl V. > > On 3/7/2014 11:17 AM, Dave Watts wrote: > > If you're not directly referencing CFID and CFTOKEN in your code, and > > you're not relying on the default persistence of CF session cookies, > > you should be able to just enable that option. > > > > By "the default persistence of CF session cookies", I mean that CF's > > session cookies by default don't get deleted when the browser is > > closed. J2EE session cookies do. So, if a user logs into your app, > > closes the browser, then opens it back up, the user will have to log > > in again if you're using J2EE sessions even if the session would not > > have expired otherwise. > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357887 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
