Are you using the SAME database for storing Client Variables across all of the domains? (and not storing as cookie or in registry).
Just checking!

*Peter Tilbrook*
Web Administrator, The Club Group Pty. Ltd.
Managing Director, ColdGen Internet Solutions
Professional Adobe ColdFusion Application Development
President, ACT and Region ColdFusion Users Group
PO Box 2247
Queanbeyan, NSW, 2620
AUSTRALIA
*Telephone:* +61-2-6104-9981
*Mobile:* +61-2-047-623-579
*Email Address:* peter.tilbr...@coldgen.com
*WWW:* http://www.coldgen.com/
*Twitter:* @ColdGen
*ABN:* 80 826 226 128

On 4 April 2014 18:48, Phil Rasmussen <ara...@gmail.com> wrote:

> Hi Dmitry
>
> I have read over that article a few days back and unfortunately it hasn't
> helped my problem. I'm also not entirely sure what she means with regards
> to changing config settings for J2EE so I've responded to her to get
> further information.
>
> Charlie, I've been retesting with your suggestions today and tried a
> variation of the cookie manual setting with the encodeValue set to true and
> false, in addition to playing around with the domain mask as either
> ".domain.com" or "*.domain.com", neither of which seem to work. I have
> noticed using web inspector there on occasion appear to be 2 identical
> JSESSIONIDs getting set and sometimes one of them has a slight difference
> in the encoding, which is probably due to the fact I was mucking around with
> these encodeValue settings and not clearing my existing cookies. Either way
> I just cannot get the sessions to stick when jumping between subdomains and
> I keep getting issued with a fresh JSESSIONID token.
>
> I'm wondering if there is a Tomcat config setting or something deeper to
> help with this cross-domain session management as I can't think of anything
> else.
>
> Cheers
> Phil
>
> On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>>
>> Hi Phil,
>>
>> This post seems to be pretty relevant to your problem:
>> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>>
>> In the end it says:
>> *Note: all these configurations we discussed are valid for CF session
>> cookies and Authentication cookies. For JSESSIONID, one needs to make
>> changes in server related configurations.*
>>
>> So probably a direct edit of config files is involved.
>>
>> Cheers,
>> Dmitry.
>>
>> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>>
>>> Hi Guys
>>>
>>> Just wondering if anyone has come across an issue in CF10 whereby
>>> sessions are dropped when crossing between HTTP and HTTPS, even though the
>>> JSESSIONID is being explicitly passed in these links, which had worked for
>>> us for over 5 years without fail prior to CF10. From what I have read there
>>> appears to be a big change to address the Session Fixation security issues
>>> which would explain the HTTP/HTTPS drops, but I can't find a workaround for
>>> this.
>>>
>>> Essentially we have CF10 installed with J2EE Session Management turned
>>> on, and the default HTTPOnly set to true. In the application the domain
>>> structure looks as follows:
>>>
>>> https://book.domain.com
>>> http://profile.domain.com
>>> http://approve.domain.com
>>>
>>> When crossing between the domains (which had worked for many years
>>> prior) the session drops and CF issues a new set of session identifiers. In
>>> order to try and bypass the SSL issue, I've switched the entire application
>>> over to HTTPS so at no stage will the session or cookies be served over
>>> HTTP, which works fine if the user doesn't cross domains, but the moment a
>>> different subdomain is clicked (i.e. to make a booking) then the session
>>> drops.
>>>
>>> Even setting a cookie in the onSessionStart() as follows has no effect:
>>>
>>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>>
>>> Has anyone come across this behaviour migrating to CF10?
>>>
>>> Cheers
>>> Phil
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "cfaussie" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cfaussie+unsubscr...@googlegroups.com.
> To post to this group, send email to cfaussie@googlegroups.com.
> Visit this group at http://groups.google.com/group/cfaussie.
> For more options, visit https://groups.google.com/d/optout.
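The thread keeps circling two browser cookie rules that decide whether a JSESSIONID "sticks" across the hosts in the question: a cookie issued without a Domain attribute is host-only and is never sent to a sibling subdomain, and a cookie carrying the Secure flag is never sent over plain HTTP. The script below is an added example, not code from anyone in the thread or from ColdFusion or Tomcat; it uses Python's standard http.cookiejar as a stand-in for a browser's cookie store and constructed hostnames and token values (book/profile/approve under domain.com come from the question, the JSESSIONID value and paths are placeholders). It replays one Set-Cookie received on https://book.domain.com and reports which follow-up requests would carry the cookie under three cookie shapes: host-only Secure, Domain=.domain.com Secure, and Domain=.domain.com without Secure.

```python
"""Cookie scoping demo: which requests a browser would attach a session cookie to.

Added example (not from the mailing-list thread). http.cookiejar implements the
Netscape/RFC 6265-style domain, path and Secure matching that browsers apply.
Hostnames, paths and the JSESSIONID value below are constructed placeholders.
"""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal response stand-in: CookieJar only needs .info() -> header object."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def simulate(set_cookie_header, origin_url, follow_urls):
    """Store one Set-Cookie received at origin_url, then report, for each
    follow-up URL, whether the browser would send the cookie (True/False)."""
    jar = http.cookiejar.CookieJar()  # empty store, like a fresh browser profile
    origin_req = urllib.request.Request(origin_url)
    jar.extract_cookies(FakeResponse([set_cookie_header]), origin_req)

    results = {}
    for url in follow_urls:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # applies domain, path and Secure rules
        results[url] = req.get_header("Cookie") is not None
    return results


# Constructed URLs modelled on the subdomains named in the question.
ORIGIN = "https://book.domain.com/start.cfm"
HOPS = [
    "https://book.domain.com/confirm.cfm",      # same host, HTTPS
    "https://profile.domain.com/me.cfm",        # sibling subdomain, HTTPS
    "http://approve.domain.com/approve.cfm",    # sibling subdomain, plain HTTP
]

# Constructed token value; a real JSESSIONID is an opaque random string.
HOST_ONLY = "JSESSIONID=constructed0001; Path=/; HttpOnly; Secure"
PARENT_DOMAIN = "JSESSIONID=constructed0001; Path=/; Domain=.domain.com; HttpOnly; Secure"
PARENT_DOMAIN_NO_SECURE = "JSESSIONID=constructed0001; Path=/; Domain=.domain.com; HttpOnly"


def compare():
    """Run all three cookie shapes against the same hops."""
    return {
        "host_only": simulate(HOST_ONLY, ORIGIN, HOPS),
        "parent_domain": simulate(PARENT_DOMAIN, ORIGIN, HOPS),
        "parent_domain_no_secure": simulate(PARENT_DOMAIN_NO_SECURE, ORIGIN, HOPS),
    }


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label)
        for url, sent in outcome.items():
            print(f"  {'sent    ' if sent else 'NOT sent'} -> {url}")
```

Reading the output: the host-only cookie reaches only book.domain.com, so a server that does not see its own cookie on profile.domain.com has no choice but to mint a new session, which matches the "fresh JSESSIONID" symptom. Widening the cookie to Domain=.domain.com makes it follow the user between the HTTPS subdomains, at the cost that every host under domain.com can now read and overwrite it, so that parent domain should contain only hosts you trust with the session. Dropping Secure is what makes the plain-HTTP hop work, and it also puts the token on the wire in clear, which is exactly the exposure the Secure flag exists to prevent; serving every subdomain over HTTPS with a parent-domain Secure cookie is the combination that keeps both properties.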