Thanks Charlie. Okay, sorry if I didn't clarify further, but I will post the final elements of my Application.cfc below:

<cfcomponent hint="Application" output="false">
    <cfscript>
        // Application Settings
        this.name = "myApplication";
        this.applicationTimeout = createTimeSpan(0,2,0,0);
        this.clientManagement = false;
        this.loginStorage = "session";
        this.sessionManagement = true;
        this.sessionTimeout = createTimeSpan(0,1,0,0);
        this.setClientCookies = false;
        this.setDomainCookies = false;

        // Domain specific settings for session persistence over subdomains
        this.sessioncookie.domain = '.domain.com';
        this.sessioncookie.httponly = true;
    </cfscript>

    <cffunction name="onSessionStart" returnType="void" output="false">
        <!--- Set the session cookie manually: scoped to the parent domain, Secure, value not URL-encoded --->
        <cfcookie name="jsessionid" value="#session.sessionid#" secure="true" domain=".domain.com" encodeValue="false">
    </cffunction>
</cfcomponent>

So the differences were I used a combination of the this.sessioncookie.domain in the Application.cfc and the manual cookie creation for the JSESSIONID in the onSessionStart with the addition of the encodeValue attribute.

I did have initial issues relating to a duplicate JSESSIONID cookie being created but with slightly different encoding, which was solved using your encodeValue attribute suggestion and clearing all past cookies. After that I was still getting issued with a new session when jumping between the HTTPS subdomains, so, lost for all options, I included both the <cfcookie> creation in the onSessionStart() and the this.sessioncookie.domain setting in the constructor of the Application.cfc, and after clearing all cookies again this worked. I subsequently tested in 4 other browsers to confirm this.

It seems to be a combination of both that has resolved the issue and also allowed me to only create secure session based cookies for the duration of the browser, which satisfies our PCI-DSS Compliance requirements as well.

On Monday, 7 April 2014 21:37:31 UTC+10, charlie arehart wrote:
>
> Great to hear all is finally working for you, Phil.
>
> Can you clarify, then, what’s different from when you first posted here?
> In other words, what do you think made things finally “work”?
>
> You had shown already using the domain attribute in your original post,
> so that wasn’t it. Was it the clearing of cookies, perhaps? (That’s why I
> had made the point in my first reply about checking in a browser dev tool
> about duplicates.) Or was it maybe that the cookies you created looked
> different than you expected (which is why I’d mentioned the new encodeValue
> attribute). As I’d said, I’ve seen those both be key to problems like
> yours.
>
> But just to be sure, was there something else also? It may help others who
> hit this in the future.
>
> /charlie
>
> *From:* cfau...@googlegroups.com [mailto:cfau...@googlegroups.com] *On Behalf Of* Phil Rasmussen
> *Sent:* Sunday, April 06, 2014 10:10 PM
> *To:* cfau...@googlegroups.com
> *Subject:* Re: [cfaussie] CF10 Cross Domain sessions with HTTPS
>
> Dale, I've used a combination of the Application specific
> sessioncookie.domain and the manual cookie set in the onSessionStart and
> it appears to be working, which is odd? Previously I had tried these
> settings independently thinking the combination was pointless, but I've
> tried in 3 different browsers and the session token holds when crossing
> between sub-domains. I'm not complaining though!
>
> Good point about the cookies getting confused, as I had seen that earlier
> with a very old non-domain scoped jsession cookie remaining dormant on the
> browser and causing a double up with the new domain specific cookie
> declaration. Everything appears to now be running over J2EE sessions with
> secure cookies, full HTTPS, and browser based cookies only, which satisfies
> our PCI obligations.
>
> Thanks for your help everyone!
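The cookie properties discussed in this thread (parent-domain scope, Secure, HttpOnly, browser-session lifetime, and duplicate JSESSIONID cookies) can be checked from the Set-Cookie values shown in a browser dev tool. The script below is an added example, not code from the thread; the function names and the sample header values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: Set-Cookie header values as they would be copied from a dev tool.
SAMPLE_HEADERS = [
    "JSESSIONID=8430a1b2c3d4e5f6; Domain=.domain.com; Path=/; Secure; HttpOnly",
    "JSESSIONID=8430a1b2c3d4e5f6; Path=/",  # stale host-only duplicate
    "CFID=1234; Domain=.domain.com; Path=/; Secure; HttpOnly; Max-Age=86400",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes keyed in lower case)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit(headers, expected_domain):
    """Return a sorted list of findings for the given Set-Cookie values."""
    findings = []
    scopes = defaultdict(set)  # cookie name -> set of domain scopes it was issued with
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "").lower()
        scope = domain or "(host-only)"
        scopes[name].add(scope)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        # A browser-session cookie carries neither Expires nor Max-Age.
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"{name}: persistent (has Expires/Max-Age)")
        if domain.lstrip(".") != expected_domain.lower().lstrip("."):
            findings.append(f"{name}: domain is {scope}")
    for name, seen in scopes.items():
        if len(seen) > 1:
            findings.append(f"{name}: set with {len(seen)} different scopes")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, ".domain.com"):
        print(finding)
```

A name reported with more than one scope is the duplicate-cookie case described above: the browser holds both cookies until the old one is cleared.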