Hi Phil,

This post seems to be pretty relevant to your problem:
http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html

In the end it says:

*Note: all these configurations we discussed are valid for CF session cookies and Authentication cookies. For JSESSIONID, one needs to make changes in server related configurations.*

So probably direct edit of config files is involved.

Cheers,
Dmitry.

On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
> Hi Guys
>
> Just wondering if anyone has come across an issue in CF10 whereby sessions
> are dropped when crossing between HTTP and HTTPS, even though the
> JSESSIONID is being explicitly passed in these links which had worked for
> us for over 5 years without fail prior to CF10. From what I have read there
> appears to be a big change to address the Session Fixation security issues
> which would explain the HTTP/HTTPS drops but I can't find a workaround for
> this.
>
> Essentially we have CF10 installed with J2EE Session Management turned on,
> and the default HTTPOnly set to true. In the application the domain
> structure looks as follows:
>
> https://book.domain.com
> http://profile.domain.com
> http://approve.domain.com
>
> When crossing between the domains (which had worked for many years prior)
> the session drops and CF issues a new set of session identifiers. In order
> to try and bypass the SSL issue, I've switched the entire application over
> to HTTPS so at no stage will the session or cookies be served over HTTP,
> which works fine if the user doesn't cross domains, but the moment a
> different subdomain is clicked (i.e. to make a booking) then the session
> drops.
>
> Even setting a cookie in the onSessionStart() as follows has no effect:
>
> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>
> Has anyone come across this behaviour migrating to CF10?
>
> Cheers
> Phil
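An added example, not part of the thread: the browser-side cookie scoping rules from RFC 6265 applied to the three hosts in the question, showing which of them would receive a session cookie first set by book.domain.com. The cookie attribute combinations and the helper names (`domainMatch`, `wouldSend`, `report`) are constructed for illustration and are not taken from any CF10 configuration; path matching is left out.

```javascript
// Hosts from the question.
const hosts = [
  "https://book.domain.com/",
  "http://profile.domain.com/",
  "http://approve.domain.com/",
];

// Constructed cookie variants (assumed attribute values, all set by book.domain.com).
const cookies = {
  hostOnly: { setBy: "book.domain.com", domain: null, secure: false },
  parentDomain: { setBy: "book.domain.com", domain: ".domain.com", secure: false },
  parentDomainSecure: { setBy: "book.domain.com", domain: ".domain.com", secure: true },
};

// RFC 6265 section 5.1.3 domain-match (IP-address hosts not handled here).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Would a browser attach `cookie` to a request for `url`?
function wouldSend(cookie, url) {
  const u = new URL(url);
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && u.protocol !== "https:") return false;
  if (cookie.domain) {
    // Domain attribute present: the leading dot is ignored and subdomains match.
    return domainMatch(u.hostname, cookie.domain.replace(/^\./, ""));
  }
  // No Domain attribute: host-only cookie, sent to the exact setting host only.
  return u.hostname.toLowerCase() === cookie.setBy.toLowerCase();
}

// Map each cookie variant to the hosts that would receive it.
function report() {
  const out = {};
  for (const [label, cookie] of Object.entries(cookies)) {
    out[label] = hosts.filter((h) => wouldSend(cookie, h));
  }
  return out;
}

console.log(report());
```

A session cookie scoped to the parent domain is sent to every host under domain.com, and without the Secure flag it also travels in clear text to the HTTP hosts.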