On Tue, Mar 11, 2014 at 11:52 AM, Dave Watts wrote:

> No, I think you should only have the one cookie for jsessionid. I'm
> not sure why you have the other two.
>

As you can imagine I did some reading on jsession vars after I opened up
this thread.  Look at the comparison table here:

http://goo.gl/Hsxvaa
also referenced in the table here
http://goo.gl/GFJfx3

If you use one of the urltokens you are going to still see CFID and CFToken.

Sounds like Nick is describing my exact problem, inconsistencies and all.

I frankly wound up throwing everything against the wall I could think of.
Rolling the site back was not an option given SEO issues that had already
gone into motion.  I'm about to call the site functional based on a few
days of solidity, at which point I'll begin removing a piece at a time to
try and see when the behavior reverts again (which is maddeningly difficult
given the inconsistent client behavior).  Steps taken:

- Adjusted the JVM to remove session fixation protection
- Switched on J2EE sessions
- For the area where session must be maintained, client.urltoken passed via
the url (!)
- setdomaincookies=yes in cfapplication statement
- cookies wiped per code similar to the 3rd post in this thread, in
OnRequestEnd.cfm.  I'm going after (expires=now) domain cookies expressly
in that code.

I am naturally not happy with the use of client.urltoken in the url but
those pages are behind a form post.

-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com
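
Added example, not part of the original message or the thread's code: passing `client.urltoken` in the URL puts `CFID` and `CFTOKEN` into the query string, so the identifiers end up in access logs and in `Referer` headers. The sketch below assumes a combined-format access log; it flags such requests and redacts the values. The log lines, host and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SESSION_KEYS = {"cfid", "cftoken", "jsessionid"}
# J2EE URL rewriting can also append the id as a path parameter: /page.cfm;jsessionid=...
PATH_PARAM = re.compile(r";jsessionid=[^;/?#]*", re.IGNORECASE)
# Combined log format (assumed): "METHOD URL PROTO" status size "referer" ...
LINE = re.compile(r'"[A-Z]+ (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
VALUE = re.compile(r"\b(cfid|cftoken|jsessionid)=[^&#\s;?]*", re.IGNORECASE)

def tokens_in(url):
    """Return the sorted session-identifier names carried by a URL."""
    parts = urlsplit(url)
    found = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_KEYS}
    if PATH_PARAM.search(parts.path):
        found.add("jsessionid")
    return sorted(found)

def redact(url):
    """Blank the identifier values so the line can be stored or shared."""
    return VALUE.sub(r"\1=REDACTED", url)

def audit(lines):
    """Return (field, names, redacted_url) for each URL or Referer exposing a session id."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        for field in ("url", "referer"):
            names = tokens_in(m.group(field))
            if names:
                findings.append((field, names, redact(m.group(field))))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up token values).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2014:11:40:02 -0700] "GET /members/account.cfm?CFID=1234&CFTOKEN=56789012 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2014:11:40:09 -0700] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2014:11:41:30 -0700] "GET /img/logo.png HTTP/1.1" 200 900 "http://example.test/members/list.cfm;jsessionid=ABC123?page=2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for field, names, url in audit(SAMPLE_LOG):
        print(f"{field}: {', '.join(names)} exposed in {url}")
```

The `referer` finding is the case to watch for: a page reached with the token in its URL hands that token to whatever the page links to or loads.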


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357971