That actually makes some sense, quirky and crappy as it might be. When using IIS to set up website directories, you can't use the underscore in a header value. So, it seems likely that IE would reject the presence of the underscore in the domain portion of the URL and perform unpredictable hidden religious rituals with it.
Troy Jones P.S. Sorry, I said "makes sense" when what I really meant was "it figures"....... ___________________________________________________________________________________________ Troy Jones | Director of Technical Services | Dynapp Inc | 1-800-830-5192 ext. 603 | dynapp.com | facebook.com/dynapp -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mike Staver Sent: Monday, April 05, 2010 4:03 PM To: [email protected] Subject: RE: [ACFUG Discuss] Apache 2.2.15 & ColdFusion 8 Enterprise - Sessions not sticking I've found the cause of the sessions not sticking. Sadly, it appears to be a bug with IE 7. I don't have any other versions of IE here to try it on, since the govt agency I work for controls the desktops. I may try it from home tonight when I get bored to confirm all this. A few other notes about the set up here - under Apache, we require client certs in this manner: SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile "C:/some.cert.file.pem" SSLOptions +ExportCertData +StdEnvVars I also turn on a few extra options that I have listed above. None of that should have mattered in topic I asked about last week, but I just wanted to list everything. After a full week of trying different configurations, nothing worked. At the end of all the trial and error, the only difference between the two machines was the URL. I glossed over that initially because it shouldn't matter. Other than pointing to a different IP, the URL should have nothing to do with how ColdFusion handles session variables. Well, when it comes to internet explorer, you should assume nothing :) I had two urls similar to these: somesite.stuff.dom somesite_cf8.stuff.dom The only difference between my two sites at that point was the _cf8 in the second domain name. Yep, you guessed it - IE 7 refuses to keep sessions straight if your domain name has an underscore in it and you are using SSL. Dashes are fine, underscores are not. My bad I guess for thinking I could use one in the URL, apparently I should have used dashes. DOH! > Mike, I've not heard of the problem, but if I were in your shoes I'd be > looking at two things to help narrow down the cause/solution. > > First, have you tried making the request from another IE (on another > machine, I mean), just to rule out something up in your specific IE setup? > > Second, are you accessing the CFR Admin using the built-in web server port > (such as 8500 or 8300, or something like that), or via Apache (port 80)? > That may have an influence, and you may see a difference if you try one > versus the other. > > Finally, are you using "J2EE Sessions" (a setting on the CF Admin "Memory > Variables" page)? That may influence things. If you could try reversing > its > setting, again it may be interesting to hear. I realize you may not want > to > do that if this is a prod box and you don't know whether people are > specifically benefiting from J2EE sessions (if enabled) or would be hurt > by > enabling it (if it's currently disabled). > > BTW, I can't see how the "UUID for cftoken" would have an influence on > this > problem at all, as it only influences the kind of string created for the > CFTOKEN so shouldn't matter if it's transported via SSL or not (and if > you're using J2EE sessions, then it has no connection to sessions at all.) > > Hope something there's helpful. > > /charlie > > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf Of Mike Staver >> Sent: Wednesday, March 31, 2010 7:13 PM >> To: [email protected] >> Subject: [ACFUG Discuss] Apache 2.2.15 & ColdFusion 8 Enterprise - >> Sessions not sticking >> >> I have 2 ColdFusion 8 instances installed on Windows 2003. I'm running >> these websites under Apache 2.2.15, configured exactly the same way, >> other >> than domain names and IP addresses in the configs. The first box works >> as >> expected. I can log onto CF Admin over SSL, or any other website in my >> Apache config. The second machine started showing problems almost >> immediately after I installed ColdFusion. The last part of the install >> involves firing up a web browser at the default website and you then >> log >> into CF Admin. When I attempted this, no matter how many times I >> entered >> what I knew to be the correct password, I was not able to login. I >> then >> reset the password only to have the same issue. I then decided to try >> another web browser other than IE 7. Firefox 3.6.2 works fine. Back >> to >> IE - still no go. Frustrated, I turned off SSL. Oddly, I can now log >> into CF Admin. After some investigation, I have discovered that >> sessions >> are not sticking at all over SSL. I have eliminated specific certs as >> the >> problem, as I tried the certs from the other box and I still get the >> same >> result. For every web page I request from the server in IE over SSL, I >> get assigned a new token. It doesn't matter if I have the "Use UUID >> for >> cftoken" value set to true or false. Nothing works over SSL in IE. I >> have tried everything I can think of to address this, including >> resinstalling ColdFusion completely - obviously using the same >> installer >> and patch level from the other box. The only differences between these >> boxes again are the IP addresses and domain names. >> >> Please tell me somebody has seen this before and fixed it :) ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.437 / Virus Database: 271.1.1/2787 - Release Date: 04/05/10 06:32:00 ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
