Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411
On Thu, Apr 3, 2014 at 9:26 AM, Phil Rasmussen <ara...@gmail.com> wrote: > Hi Guys > > > When crossing between the domains (which had worked for many years prior) > the session drops and CF issues a new set of session identifiers. In order > to try and bypass the SSL issue, i've switch the entire application over > the HTTPS so at no stage will the session or cookies be served over HTTP, > which works fine if the user doesn't cross domains, but the moment a > different subdomain is clicked (ie to make a booking) then the session > drops. > > > This is expected behavior, at least that is what I believe. The problem is going to lie in your certificate and ColdFusion, but essentially it sounds like Adobe has closed a security hole. As the session should not persist from non secure to secure and back again, they should be seen as two different sessions. Imagine if someone hacked the non SSL site, they would then have all the information needed to get anything out of the SSL connection. I will admit to not having done too much with SSL, but from what I have done, I think the behavior you are now caught with is a closed security risk Adobe fixed in ColdFusion 10. But I am going from a serious lack of knowledge here. -- You received this message because you are subscribed to the Google Groups "cfaussie" group. To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+unsubscr...@googlegroups.com. To post to this group, send email to cfaussie@googlegroups.com. Visit this group at http://groups.google.com/group/cfaussie. For more options, visit https://groups.google.com/d/optout.