I've found the cause of the sessions not sticking. Sadly, it appears to be a bug with IE 7. I don't have any other versions of IE here to try it on, since the govt agency I work for controls the desktops. I may try it from home tonight when I get bored to confirm all this.
A few other notes about the setup here - under Apache, we require client certs in this manner:

    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile "C:/some.cert.file.pem"
    SSLOptions +ExportCertData +StdEnvVars

I also turn on a few extra options that I have listed above. None of that should have mattered in the topic I asked about last week, but I just wanted to list everything.

After a full week of trying different configurations, nothing worked. At the end of all the trial and error, the only difference between the two machines was the URL. I glossed over that initially because it shouldn't matter. Other than pointing to a different IP, the URL should have nothing to do with how ColdFusion handles session variables. Well, when it comes to Internet Explorer, you should assume nothing :)

I had two URLs similar to these:

    somesite.stuff.dom
    somesite_cf8.stuff.dom

The only difference between my two sites at that point was the _cf8 in the second domain name. Yep, you guessed it - IE 7 refuses to keep sessions straight if your domain name has an underscore in it and you are using SSL. Dashes are fine, underscores are not. My bad I guess for thinking I could use one in the URL, apparently I should have used dashes. DOH!

> Mike, I've not heard of the problem, but if I were in your shoes I'd be
> looking at two things to help narrow down the cause/solution.
>
> First, have you tried making the request from another IE (on another
> machine, I mean), just to rule out something up in your specific IE setup?
>
> Second, are you accessing the CFR Admin using the built-in web server port
> (such as 8500 or 8300, or something like that), or via Apache (port 80)?
> That may have an influence, and you may see a difference if you try one
> versus the other.
>
> Finally, are you using "J2EE Sessions" (a setting on the CF Admin "Memory
> Variables" page)? That may influence things. If you could try reversing
> its setting, again it may be interesting to hear.
> I realize you may not want to do that if this is a prod box and you don't
> know whether people are specifically benefiting from J2EE sessions (if
> enabled) or would be hurt by enabling it (if it's currently disabled).
>
> BTW, I can't see how the "UUID for cftoken" would have an influence on
> this problem at all, as it only influences the kind of string created for
> the CFTOKEN so shouldn't matter if it's transported via SSL or not (and if
> you're using J2EE sessions, then it has no connection to sessions at all.)
>
> Hope something there's helpful.
>
> /charlie
>
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Mike Staver
>> Sent: Wednesday, March 31, 2010 7:13 PM
>> To: [email protected]
>> Subject: [ACFUG Discuss] Apache 2.2.15 & ColdFusion 8 Enterprise -
>> Sessions not sticking
>>
>> I have 2 ColdFusion 8 instances installed on Windows 2003. I'm running
>> these websites under Apache 2.2.15, configured exactly the same way,
>> other than domain names and IP addresses in the configs. The first box
>> works as expected. I can log onto CF Admin over SSL, or any other
>> website in my Apache config. The second machine started showing problems
>> almost immediately after I installed ColdFusion. The last part of the
>> install involves firing up a web browser at the default website and you
>> then log into CF Admin. When I attempted this, no matter how many times
>> I entered what I knew to be the correct password, I was not able to log
>> in. I then reset the password only to have the same issue. I then
>> decided to try another web browser other than IE 7. Firefox 3.6.2 works
>> fine. Back to IE - still no go. Frustrated, I turned off SSL. Oddly, I
>> can now log into CF Admin. After some investigation, I have discovered
>> that sessions are not sticking at all over SSL.
>> I have eliminated specific certs as the problem, as I tried the certs
>> from the other box and I still get the same result. For every web page I
>> request from the server in IE over SSL, I get assigned a new token. It
>> doesn't matter if I have the "Use UUID for cftoken" value set to true or
>> false. Nothing works over SSL in IE. I have tried everything I can think
>> of to address this, including reinstalling ColdFusion completely -
>> obviously using the same installer and patch level from the other box.
>> The only differences between these boxes again are the IP addresses and
>> domain names.
>>
>> Please tell me somebody has seen this before and fixed it :)
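
A check for the naming problem found in this thread, as an added example that is not part of the original messages: it scans Apache ServerName/ServerAlias values for labels that break the letters-digits-hyphen hostname rule (RFC 952/1123), which an underscore does. The config text is constructed around the two host names quoted above, and the function names are hypothetical.

```python
import re

# One hostname label under RFC 952/1123: letters, digits and hyphens only,
# 1-63 characters, not starting or ending with a hyphen. "_" is not allowed.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample config using the host names from the thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName somesite.stuff.dom
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName somesite_cf8.stuff.dom:443
    ServerAlias somesite-cf8.stuff.dom
    SSLEngine on
</VirtualHost>
"""

def bad_labels(host):
    """Return the labels of a host name that break the LDH rule."""
    host = host.split("://", 1)[-1]          # ServerName may carry a scheme
    if ":" in host:
        host = host.rsplit(":", 1)[0]        # and a port (IPv6 not handled)
    return [label for label in host.rstrip(".").split(".")
            if "*" not in label and "?" not in label   # ServerAlias wildcards
            and not LDH_LABEL.match(label)]

def check_vhosts(conf_text):
    """Return (line number, host, offending labels) for each bad host name."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):    # Apache comment line
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        for host in match.group(2).split():  # ServerAlias can list several
            labels = bad_labels(host)
            if labels:
                findings.append((lineno, host, labels))
    return findings

if __name__ == "__main__":
    for lineno, host, labels in check_vhosts(SAMPLE_CONF):
        print(f"line {lineno}: {host} has non-LDH label(s): {', '.join(labels)}")
```
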
