Phil,

A couple of things you can try if you haven't already.

1) Fully patch ColdFusion 10.
2) Make sure that the Connectors have been removed and re-added to the site
in question.
3) Remove all connectors and make sure that any previous version of
ColdFusion connectors have been removed.

I did a quick Google search, and there is a variety of reasons. The main
one is what Dale was stating, the others what I suggest above.

http://forums.adobe.com/thread/1017340
http://stackoverflow.com/questions/15234605/coldfusion-sessions-dropped-when-initiated-by-a-different-domain

I would give the Connector issue a go first, as this has had serious
implications with CGI and other stuff when people have forgotten to remove
and re-add the connectors.




Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411



On Mon, Apr 7, 2014 at 10:26 AM, Phil Rasmussen <ara...@gmail.com> wrote:

> Hi Dale, thanks for the suggestion. I had actually tried that, and
> unfortunately to no avail.
>
> I've tried setting the constructors as:
>
> this.sessioncookie.domain = '.domain.com';
> this.sessioncookie.httponly = true;
>
> I've also tried setting the cookie manually in the onSessionStart() as
> follows:
>
> <cfcookie name="jsessionid"  value="#session.sessionid#" secure="true"
> domain=".domain.com" encodeValue="false">
>
> Also to no avail which is frustrating as I can't see why this wouldn't
> work.
>
>
> On Monday, 7 April 2014 09:36:02 UTC+10, Dale Fraser wrote:
>
>> I asked already, but what is your domain setting in application.cfc?
>>
>>
>>
>> this['sessioncookie']['domain'] = '.#cgi.server_name#';
>>
>>
>>
>> This sets cookies for the domain rather than sub domain.
>>
>>
>>
>> Regards
>>
>> Dale Fraser
>>
>>
>>
>> *From:* cfau...@googlegroups.com [mailto:cfau...@googlegroups.com] *On
>> Behalf Of *Phil Rasmussen
>>
>> *Sent:* Monday, 7 April 2014 9:34 AM
>> *To:* cfau...@googlegroups.com
>>
>> *Subject:* Re: [cfaussie] CF10 Cross Domain sessions with HTTPS
>>
>>
>>
>> Andrew I understand and completely agree with the crossing between HTTP /
>> HTTPS and sessions dropping, however we have since switched the entire
>> application over to HTTPS across all the subdomains and still have the same
>> problem.
>>
>>
>>
>> I am basically trying to find a solution (any solution at this stage
>> hopefully aside from passing session tokens in the URL) that will keep
>> session persistence when jumping between the subdomains of the application.
>>
>>
>>
>> ie. https://profile.domain.com over to https://book.domain.com and back
>> to https://profile.domain should not drop the session at any stage and
>> this is what has me stumped as CF is continually issuing new session tokens
>> when this happens.
>>
>> On Friday, 4 April 2014 22:04:10 UTC+10, Andrew Scott wrote:
>>
>>
>>
>>
>> Regards,
>>
>> Andrew Scott
>>
>> WebSite: http://www.andyscott.id.au/
>>
>> Google+:  http://plus.google.com/113032480415921517411
>>
>>
>>
>>
>>
>> On Thu, Apr 3, 2014 at 9:26 AM, Phil Rasmussen <ara...@gmail.com> wrote:
>>
>> Hi Guys
>>
>>
>>
>>
>>
>> When crossing between the domains (which had worked for many years prior)
>> the session drops and CF issues a new set of session identifiers. In order
>> to try and bypass the SSL issue, I've switched the entire application over
>> to HTTPS so at no stage will the session or cookies be served over HTTP,
>> which works fine if the user doesn't cross domains, but the moment a
>> different subdomain is clicked (ie to make a booking) then the session
>> drops.
>>
>>
>>
>>
>>
>>
>>
>> This is expected behavior, at least that is what I believe. The problem
>> is going to lie in your certificate and ColdFusion, but essentially it
>> sounds like Adobe has closed a security hole. As the session should not
>> persist from non secure to secure and back again, they should be seen as
>> two different sessions.
>>
>>
>>
>> Imagine if someone hacked the non SSL site, they would then have all the
>> information needed to get anything out of the SSL connection. I will admit
>> to not having done too much with SSL, but from what I have done, I think
>> the behavior you are now caught with is a closed security risk Adobe fixed
>> in ColdFusion 10.
>>
>>
>>
>> But I am going from a serious lack of knowledge here.
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "cfaussie" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cfaussie+u...@googlegroups.com.
>> To post to this group, send email to cfau...@googlegroups.com.
>>
>> Visit this group at http://groups.google.com/group/cfaussie.
>> For more options, visit https://groups.google.com/d/optout.
>>

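The cookie scoping this thread turns on, as an added example that is not part of the original messages: a simplified model of how a browser decides which session cookie to send, showing that a cookie set without a Domain attribute is host-only and that a later domain-wide cookie does not replace it. Host names reuse the thread's placeholders; the cookie values and the `CookieJar` helper are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 cookie scoping. Path and public-suffix
// checks are omitted; all cookie values below are constructed.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost, hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain" && v !== "") {
      // Leading dot is ignored; any Domain attribute extends the cookie to subdomains.
      c.domain = v.replace(/^\./, "").toLowerCase();
      c.hostOnly = false;
    } else if (k.toLowerCase() === "secure") c.secure = true;
  }
  return c;
}

const domainMatches = (host, domain) => host === domain || host.endsWith("." + domain);

class CookieJar {
  constructor() { this.store = new Map(); }
  setFromResponse(url, header) {
    const host = new URL(url).hostname;
    const c = parseSetCookie(header, host);
    if (!domainMatches(host, c.domain)) return false; // foreign Domain is rejected
    this.store.set(`${c.name}|${c.domain}`, c); // same name, different domain: two cookies
    return true;
  }
  cookiesFor(url) {
    const { hostname, protocol } = new URL(url);
    return [...this.store.values()]
      .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatches(hostname, c.domain)))
      .filter((c) => !c.secure || protocol === "https:")
      .map((c) => `${c.name}=${c.value}`);
  }
}

function demo() {
  const jar = new CookieJar();
  const login = "https://profile.domain.com/";
  jar.setFromResponse(login, "JSESSIONID=AAA; Secure; HttpOnly"); // host-only
  const before = jar.cookiesFor("https://book.domain.com/");
  jar.setFromResponse(login, "JSESSIONID=BBB; Domain=.domain.com; Secure; HttpOnly");
  return { before, after: jar.cookiesFor("https://book.domain.com/"),
           origin: jar.cookiesFor(login), plainHttp: jar.cookiesFor("http://book.domain.com/") };
}
```

In `demo()` the `origin` result contains both cookies: a browser that still holds the old host-only cookie sends it alongside the domain-wide one, so clear existing cookies before judging a new `sessioncookie.domain` setting.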