Hi Dmitry, I have read over that article a few days back and unfortunately it hasn't helped my problem. I'm also not entirely sure what she means with regards to changing config settings for J2EE, so I've responded to her to get further information.
Charlie, I've been retesting with your suggestions today and tried a variation of the cookie manual setting with the encodeValue set to true and false, in addition to playing around with the domain mask as either ".domain.com" or "*.domain.com", neither of which seems to work. I have noticed, using Web Inspector, that there on occasion appear to be 2 identical JSESSIONIDs getting set, and sometimes one of them has a slight difference in the encoding, which is probably due to the fact I was mucking around with these encodeValue settings and not clearing my existing cookies. Either way I just cannot get the sessions to stick when jumping between subdomains and I keep getting issued with a fresh JSESSIONID token. I'm wondering if there is a Tomcat config setting or something deeper to help with this cross-domain session management, as I can't think of anything else.

Cheers
Phil

On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>
> Hi Phil,
>
> This post seems to be pretty relevant to your problem:
> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>
> In the end it says:
> *Note: all these configurations we discussed are valid for CF session
> cookies and Authentication cookies. For JSESSIONID, one needs to make
> changes in server-related configurations.*
>
> So probably a direct edit of config files is involved.
>
> Cheers,
> Dmitry.
>
> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>
>> Hi Guys
>>
>> Just wondering if anyone has come across an issue in CF10 whereby sessions are dropped when crossing between HTTP and HTTPS, even though the JSESSIONID is being explicitly passed in these links, which had worked for us for over 5 years without fail prior to CF10. From what I have read there appears to be a big change to address the Session Fixation security issues, which would explain the HTTP/HTTPS drops, but I can't find a workaround for this.
>>
>> Essentially we have CF10 installed with J2EE Session Management turned on, and the default HTTPOnly set to true. In the application the domain structure looks as follows:
>>
>> https://book.domain.com
>> http://profile.domain.com
>> http://approve.domain.com
>>
>> When crossing between the domains (which had worked for many years prior) the session drops and CF issues a new set of session identifiers. In order to try and bypass the SSL issue, I've switched the entire application over to HTTPS so at no stage will the session or cookies be served over HTTP, which works fine if the user doesn't cross domains, but the moment a different subdomain is clicked (i.e. to make a booking) then the session drops.
>>
>> Even setting a cookie in the onSessionStart() as follows has no effect:
>>
>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>
>> Has anyone come across this behaviour migrating to CF10?
>>
>> Cheers
>> Phil
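Since the thread turns on which hosts a JSESSIONID cookie is actually sent to, here is an added example (not code from anyone in the thread) that applies the RFC 6265 domain-matching and Secure-flag rules to constructed Set-Cookie headers for the three subdomains discussed above; the host names, cookie values and header text are made up.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True  # flag attributes -> True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: a leading dot is ignored; wildcards never match."""
    d = cookie_domain.lower().lstrip(".")
    host = host.lower()
    if not d or "*" in d:
        return False
    return host == d or host.endswith("." + d)


def would_be_sent(cookie, set_by_host, target_url):
    """Would a browser attach this cookie to a request for target_url?"""
    url = urlsplit(target_url)
    attrs = cookie["attrs"]
    if attrs.get("secure") and url.scheme != "https":
        return False  # a Secure cookie is never sent over plain HTTP
    domain = attrs.get("domain")
    if not domain or domain is True:
        # No Domain attribute: host-only cookie, only the setting host gets it back
        return url.hostname.lower() == set_by_host.lower()
    return domain_matches(domain, url.hostname)


def audit(header, set_by_host, targets):
    """Map each target URL to whether the cookie set by set_by_host reaches it."""
    cookie = parse_set_cookie(header)
    return {t: would_be_sent(cookie, set_by_host, t) for t in targets}


# Constructed sample headers modelled on the thread's three subdomains.
TARGETS = ["https://profile.domain.com/", "http://approve.domain.com/"]
HOST_ONLY = "JSESSIONID=abc123; Path=/; HttpOnly; Secure"
PARENT = "JSESSIONID=abc123; Domain=.domain.com; Path=/; HttpOnly; Secure"
WILDCARD = "JSESSIONID=abc123; Domain=*.domain.com; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    for label, h in {"host-only": HOST_ONLY, ".domain.com": PARENT, "*.domain.com": WILDCARD}.items():
        print(label, audit(h, "book.domain.com", TARGETS))
```

Only the ".domain.com" cookie reaches the HTTPS subdomain; the host-only and "*.domain.com" variants never leave book.domain.com, and the Secure flag keeps all three away from the plain-HTTP host.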