Peter, I haven't seen an application in 10 years that used Client Variables as the session storage option and I have no intention of changing a large and complex application over to a completely different form of session management when I've seen no clear answer from Adobe or otherwise as to why the same application (same application name) crossing between HTTPS subdomains should be dropping sessions. Our choice of J2EE Session management as opposed to CFID/CFTOKEN is to satisfy PCI-DSS auditing, as is the full switch to HTTPS, hence why I am pressing for options to carry this session across either via setting domain-specific cookies for the JSESSIONID or any other method that may exist.
Hardly a ColdFusion 101 question.

On Friday, 4 April 2014 21:32:45 UTC+10, ColdGen Internet Solutions wrote:

> None = nooooooo. Try turning it on. ColdFusion under Java 101. Also
> update JRE to 1.7 update 51
>
> On 04/04/2014 10:00 PM, "Phil Rasmussen" <ara...@gmail.com> wrote:
>
>> Hey Peter. Not using Client Vars at all, it's set to storage = none in CF
>> Admin. Purely J2EE Session cookies, so the persistence between subdomains
>> relies solely on the cookie, which is where I'm stuck as none of my settings
>> appear to help with the persistence.
>>
>> On Friday, 4 April 2014 18:39:02 UTC+10, ColdGen Internet Solutions wrote:
>>
>>> Are you using the SAME database for storing Client Variables across all
>>> of the domains? (and not storing as cookie or in registry).
>>>
>>> Just checking!
>>>
>>> Peter Tilbrook
>>> Web Administrator, The Club Group Pty. Ltd.
>>> Managing Director, ColdGen Internet Solutions
>>> Professional Adobe ColdFusion Application Development
>>> President, ACT and Region ColdFusion Users Group
>>> PO Box 2247, Queanbeyan, NSW, 2620, AUSTRALIA
>>> Telephone: +61-2-6104-9981
>>> Mobile: +61-2-047-623-579
>>> Email Address: peter.t...@coldgen.com
>>> WWW: http://www.coldgen.com/
>>> Twitter: @ColdGen
>>> ABN: 80 826 226 128
>>>
>>> On 4 April 2014 18:48, Phil Rasmussen <ara...@gmail.com> wrote:
>>>
>>>> Hi Dmitry
>>>>
>>>> I have read over that article a few days back and unfortunately it
>>>> hasn't helped my problem. I'm also not entirely sure what she means with
>>>> regards to changing config settings for J2EE, so I've responded to her to
>>>> get further information.
>>>>
>>>> Charlie, I've been retesting with your suggestions today and tried a
>>>> variation of the cookie manual setting with the encodeValue set to true and
>>>> false, in addition to playing around with the domain mask as either
>>>> ".domain.com" or "*.domain.com", neither of which seem to work. I have
>>>> noticed using web inspector there on occasion appears to be 2 identical
>>>> JSESSIONIDs getting set and sometimes one of them has a slight difference
>>>> in the encoding, which is probably due to the fact I was mucking around with
>>>> these encodeValue settings and not clearing my existing cookies. Either way
>>>> I just cannot get the sessions to stick when jumping between subdomains and
>>>> I keep getting issued with a fresh JSESSIONID token.
>>>>
>>>> I'm wondering if there is a Tomcat config setting or something deeper
>>>> to help with this cross-domain session management as I can't think of
>>>> anything else.
>>>>
>>>> Cheers
>>>> Phil
>>>>
>>>> On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>>>>
>>>>> Hi Phil,
>>>>>
>>>>> This post seems to be pretty relevant to your problem:
>>>>> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>>>>>
>>>>> In the end it says:
>>>>> "Note: all these configurations we discussed are valid for CF session
>>>>> cookies and Authentication cookies. For JSESSIONID, one needs to make
>>>>> changes in server related configurations."
>>>>>
>>>>> So probably direct edit of config files is involved.
>>>>>
>>>>> Cheers,
>>>>> Dmitry.
>>>>>
>>>>> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>>>>
>>>>>> Hi Guys
>>>>>>
>>>>>> Just wondering if anyone has come across an issue in CF10 whereby
>>>>>> sessions are dropped when crossing between HTTP and HTTPS, even though the
>>>>>> JSESSIONID is being explicitly passed in these links, which had worked for
>>>>>> us for over 5 years without fail prior to CF10. From what I have read there
>>>>>> appears to be a big change to address the Session Fixation security issues
>>>>>> which would explain the HTTP/HTTPS drops, but I can't find a workaround for
>>>>>> this.
>>>>>>
>>>>>> Essentially we have CF10 installed with J2EE Session Management
>>>>>> turned on, and the default HTTPOnly set to true. In the application the
>>>>>> domain structure looks as follows:
>>>>>>
>>>>>> https://book.domain.com
>>>>>> http://profile.domain.com
>>>>>> http://approve.domain.com
>>>>>>
>>>>>> When crossing between the domains (which had worked for many years
>>>>>> prior) the session drops and CF issues a new set of session identifiers. In
>>>>>> order to try and bypass the SSL issue, I've switched the entire application
>>>>>> over to HTTPS so at no stage will the session or cookies be served over
>>>>>> HTTP, which works fine if the user doesn't cross domains, but the moment a
>>>>>> different subdomain is clicked (i.e. to make a booking) then the session
>>>>>> drops.
>>>>>>
>>>>>> Even setting a cookie in the onSessionStart() as follows has no
>>>>>> effect:
>>>>>>
>>>>>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>>>>>
>>>>>> Has anyone come across this behaviour migrating to CF10?
>>>>>>
>>>>>> Cheers
>>>>>> Phil
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "cfaussie" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cfaussie+u...@googlegroups.com.
>>>> To post to this group, send email to cfau...@googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/cfaussie.
>>>> For more options, visit https://groups.google.com/d/optout.
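The symptoms described in the thread (two JSESSIONID cookies visible in the web inspector, and none of them surviving a hop to a sibling subdomain) follow from how browsers scope cookies. The Python model below is added here and is not code from the thread, ColdFusion or Tomcat: it applies the RFC 6265 Domain and Secure rules to constructed Set-Cookie headers as book.domain.com might emit them (a host-only JSESSIONID without a Domain attribute beside a cfcookie copy scoped to .domain.com); cookie values and host names are constructed, and cookie Path is assumed to be "/".

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool
    http_only: bool

def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Store one Set-Cookie value the way a browser on setting_host would."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, secure, http_only = "", False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "domain" and val:
            domain = val.lstrip(".")  # RFC 6265 ignores the leading dot
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    # No Domain attribute => host-only cookie bound to the exact setting host
    host_only = not domain
    return Cookie(name.strip(), value, domain or setting_host.lower(), host_only, secure, http_only)

def cookies_sent(jar: list, scheme: str, host: str) -> list:
    """Cookies a browser attaches to scheme://host/ (cookie Path assumed '/')."""
    host, out = host.lower(), []
    for c in jar:
        if c.secure and scheme != "https":
            continue  # Secure cookies are never sent over plain HTTP
        if c.host_only and host != c.domain:
            continue  # host-only cookies stay on the host that set them
        if not c.host_only and not (host == c.domain or host.endswith("." + c.domain)):
            continue  # domain cookies go to the domain and all its subdomains
        out.append(c)
    return out

# Constructed Set-Cookie headers as book.domain.com might emit them: Tomcat's
# default host-only JSESSIONID plus a cfcookie copy scoped to .domain.com.
SET_COOKIES = [
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
    "jsessionid=ABC123; Domain=.domain.com; Path=/; Secure",
]
JAR = [parse_set_cookie(h, "book.domain.com") for h in SET_COOKIES]
```

Run against the constructed jar, a request to book.domain.com carries both cookies while profile.domain.com receives only the domain-scoped copy, and neither cookie is sent over plain http, which is the behaviour the Secure flag is meant to enforce.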