Having some major battles trying to get sessions to work neatly across
subdomains at the moment. We're using J2EE session management. I
implemented the advice in this blog post to ensure that a domain
cookie was set, rather than the default which is a cookie specific to
the subdomain; 
http://www.coldfusionmuse.com/index.cfm/2006/7/28/sessions.and.subdomains

Then I noticed that a jsessionID cookie was still being set for the
subdomain and it was different to my domain cookie which had been set
on our main site, not the blog. So my next idea was to override the
subdomain cookie. Here's the code I ended up with:

=========
<cfapplication name="foo" sessionmanagement="yes"
        sessiontimeout="#CreateTimeSpan(0,1,30,0)#"
        applicationtimeout="#CreateTimeSpan(0,1,30,0)#"
        setclientcookies="no" />

<!--- handling session cookies ourselves --->
<cflock scope="Session" type="exclusive" timeout="30">
        <cfif isDefined('cookie.jsessionID')>
                <!--- reuse the domain-wide cookie's ID for this session --->
                <cfset session.sessionID = cookie.jsessionID />
        <cfelse>
                <!--- no domain cookie yet: set one for all of foo.com --->
                <cfcookie name="jsessionid" domain=".foo.com"
                        value="#session.sessionid#">
        </cfif>
        <!--- set explicitly for the subdomain too, since there doesn't seem
              to be any way to stop CF from setting this itself --->
        <cfcookie name="jsessionid" value="#session.sessionid#">
</cflock>
=========

So now, I managed to get two cookies set with identical sessionIDs.
Woopee! Well, not quite.

Some of our blogs are private, so whoever visits it will need to enter
a password to get in. And the whole thing fails miserably there.
People try to log in, it logs them in successfully and then redirects
them to the blog and then they're not logged in any more.

To analyze the problem I cfmailed myself the session scope before
attempting to log in, after the successful login and again after the
redirect. Here's what it looks like (simplified for clarity's sake):

======
Before Login:
-----------------
session.userid   1
session.sessionid        ffffff
session.urltoken         CFID=1&CFTOKEN=5&jsessionid=44444


======
After Successful Login (the login is successful here, because the
session.secure_blogIDs variable now exists)
------------------
session.userid   1
session.secure_blogIDs   1
session.sessionid        ffffff
session.urltoken         CFID=1&CFTOKEN=5&jsessionid=44455

======
After Redirect (note, secure_blogIDs variable disappears)
------------------
session.userid   1
session.sessionid        ffffff
session.urltoken         CFID=1&CFTOKEN=5&jsessionid=44466


As you can see, the session.urltoken keeps changing, though the
session.sessionID manages to stay the same. I've tried manually
setting the session.urltoken to ensure it is consistent as well.
Managed to do that, but the same problem still happens.

Does anyone have a better understanding of how these j2ee sessions
work? I'm just not having much luck with them and not finding any
useful information on the interwebs about it either.

Cheers,
Peter

-- 
You received this message because you are subscribed to the Google Groups 
"cfaussie" group.
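Added example, not from Peter's post and not ColdFusion or JRun code: a small Python model of RFC 6265 cookie storage and matching. It replays the situation in the post, a host-only `jsessionid` set by the container on blog.foo.com next to an application-set `jsessionid` with `Domain=.foo.com`, and shows what a browser would put in the `Cookie` header for each host. All host names and session ID values are constructed; the model says nothing about which of the two values the server-side session manager picks.

```python
"""Toy RFC 6265 cookie jar: shows which cookies a browser sends to which host
when a host-only cookie and a domain cookie share a name (here 'jsessionid').
Added illustration; hosts and values are constructed, not from any real site."""
import itertools
from dataclasses import dataclass, field
from typing import List, Optional

_clock = itertools.count()  # creation order, which RFC 6265 uses for sorting


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # canonical host or domain, without a leading dot
    host_only: bool    # True when the Set-Cookie header carried no Domain attribute
    path: str = "/"
    created: int = field(default_factory=lambda: next(_clock))


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header as received from request_host (RFC 6265 5.2/5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr, path = None, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain_attr = val.strip().lstrip(".").lower()
        elif key == "path":
            path = val.strip() or "/"
    if domain_attr is None:
        # No Domain attribute: host-only cookie, sent back to this exact host only.
        return Cookie(name, value, request_host.lower(), host_only=True, path=path)
    if not domain_matches(request_host, domain_attr):
        return None  # browsers reject cookies for a domain the host is not under
    return Cookie(name, value, domain_attr, host_only=False, path=path)


class CookieJar:
    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set(self, header: str, request_host: str) -> None:
        c = parse_set_cookie(header, request_host)
        if c is None:
            return
        # A cookie is identified by (name, domain, path); a replacement keeps
        # the original creation time (RFC 6265 section 5.3, step 11).
        for i, old in enumerate(self.cookies):
            if (old.name, old.domain, old.path) == (c.name, c.domain, c.path):
                c.created = old.created
                self.cookies[i] = c
                return
        self.cookies.append(c)

    def cookie_header(self, host: str, path: str = "/") -> str:
        """Cookie header a browser would send: longer paths first, then older cookies."""
        host = host.lower()
        matching = []
        for c in self.cookies:
            in_scope = (c.domain == host) if c.host_only else domain_matches(host, c.domain)
            if in_scope and path.startswith(c.path):
                matching.append(c)
        matching.sort(key=lambda c: (-len(c.path), c.created))
        return "; ".join(f"{c.name}={c.value}" for c in matching)


def simulate_subdomain_session() -> dict:
    """Constructed scenario from the post: the container on blog.foo.com sets its
    own host-only jsessionid, then the application adds a domain-wide one."""
    jar = CookieJar()
    jar.set("jsessionid=44444", "blog.foo.com")                    # container's cookie
    jar.set("jsessionid=ffffff; Domain=.foo.com", "blog.foo.com")  # app's domain cookie
    return {
        "blog.foo.com": jar.cookie_header("blog.foo.com"),
        "www.foo.com": jar.cookie_header("www.foo.com"),
    }


if __name__ == "__main__":
    for host, header in simulate_subdomain_session().items():
        print(f"{host:14} Cookie: {header}")
```

The request to blog.foo.com carries both values (`jsessionid=44444; jsessionid=ffffff`), while www.foo.com sees only the domain cookie. A server that reads "the" jsessionid cookie therefore has to pick one of two same-named values on the subdomain, which is why the two cookies need to agree before the container reads them. The model also makes the trust boundary explicit: a cookie scoped to `.foo.com` is presented to every host under foo.com, so every subdomain that can receive it must be trusted with the session.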