Hi Guys,

Just wondering if anyone has come across an issue in CF10 whereby sessions are dropped when crossing between HTTP and HTTPS, even though the JSESSIONID is being explicitly passed in these links, which had worked for us for over 5 years without fail prior to CF10. From what I have read, there appears to be a big change to address the Session Fixation security issues, which would explain the HTTP/HTTPS drops, but I can't find a workaround for this.

Essentially we have CF10 installed with J2EE Session Management turned on, and the default HTTPOnly set to true. In the application the domain structure looks as follows:

https://book.domain.com
http://profile.domain.com
http://approve.domain.com

When crossing between the domains (which had worked for many years prior) the session drops and CF issues a new set of session identifiers.

In order to try and bypass the SSL issue, I've switched the entire application over to HTTPS so at no stage will the session or cookies be served over HTTP, which works fine if the user doesn't cross domains, but the moment a different subdomain is clicked (i.e. to make a booking) then the session drops. Even setting a cookie in the onSessionStart() as follows has no effect:

<cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">

Has anyone come across this behaviour migrating to CF10?

Cheers
Phil