Hi Folks,

This sounds a little like a sporadic but very frustrating issue that we have
experienced.  It is IE only and only with some users (we haven't been able
to re-create it in-house).  We host multiple standalone versions of our CMS
/ CRM application per server using CF 9 Professional which is pretty well
patched. The behavior seems to be that sessions mysteriously reset.  In some
cases we have seen this with each page request.  In some cases it seems to
kick in when a page is forced into https (or our related use of wddx to
store client variables).  In some cases it seems to clear up when the user
clears the cache in IE.

We had speculated that it might be related to security settings in IE or
perhaps the way that IE handles caching, but we have yet to find a silver
bullet(s).

It has been very difficult to track down so we're interested in any
information.  I've searched a bit for info regarding the session fixation
patch that Pete mentioned, but any more information about how that plays out
in CF apps would be greatly appreciated.

Thanks in advance,

Nick

> -----Original Message-----
> From: Pete Freitag [mailto:p...@foundeo.com]
> Sent: Thursday, December 15, 2011 11:53 AM
> To: cf-talk
> Subject: Re: One app kills another's session
> 
> 
> Bryan,
> 
> Are these apps running on the same domain or different domains? If they
> are on the same domain, then you will need to specify the path in your
> session cookies so they don't invalidate each other (this is relatively
> new behavior due to the session fixation security hotfix
> APSB11-04 released in Feb).
> 
> Also, if you are experiencing a cookie problem on one browser but not
> another, make sure you have cleared cookies first.
> 
> --
> Pete Freitag - Adobe Community Professional http://foundeo.com/ -
> ColdFusion Consulting & Products http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
> 
> On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
> <br...@electricedgesystems.com> wrote:
> >
> > Hey All,
> >
> > Can't say that I've bumped into this before.....
> >
> > 1) 2 apps are involved and both use SESSION vars to store user details
> > once they log in.
> >
> > 2) Both apps are set to setClientCookies in CFAPPLICATION
> >
> > 3) App 1 uses a standard login form where credentials are verified and
> > the SESSION vars are set if successful
> >
> > 4) App 2 uses Windows Integrated Authentication to grab the user's ID
> > off the network and use that as part of the authentication process -
> > when successful...SESSION vars are set as in app 1
> >
> > 5) Both apps have a different name in CFAPPLICATION ;-)
> >
> > 6) both apps reside on the same server running CF 8 against Oracle 10G
> >
> > Here's what happens on WinXP Pre SP 3 with IE 7:
> > ----------------------------------------------------------------------
> > 1) Open new IE7 window and log in to app1
> >
> > 2) Open new IE7 window and log in to app 2
> >
> > 3) Go back to the browser with app 1 and try to navigate through app -
> > get kicked to session expired screen
> > ----------------------------------------------------------------------
> >
> > This was tested by another user on XP with IE8 and the issue did not
> > occur.
> >
> > So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things
> > to check....any ideas?
> >
> > TIA
> >
> > Cheers
> > --
> >
> >
> > Bryan Stevenson B.Comm.
> > VP & Director of E-Commerce Development Electric Edge Systems Group
> > Inc.
> > phone: 250.480.0642
> > fax: 250.480.1264
> > cell: 250.920.8830
> > e-mail: br...@electricedgesystems.com
> > web: www.electricedgesystems.com
> >
> 
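
Pete's point about cookie paths, as an added illustration (not code from the thread or from ColdFusion): a small JavaScript model of a browser cookie jar and two apps on one host, replaying Bryan's three steps. It assumes each app accepts only session IDs it issued itself and replaces any other; the paths `/app1` and `/app2`, the `.cfm` page names and the user `alice` are constructed.

```javascript
// Added illustration: a minimal cookie jar plus two apps on one host.
// Simplifying assumption: an app that is sent a session ID it did not issue
// discards it and sets a fresh one (fixation-resistant behaviour).

let nextId = 1; // constructed, predictable IDs so the run is repeatable

class App {
  constructor(name, cookiePath) {
    this.name = name;
    this.cookiePath = cookiePath; // Path attribute this app puts on Set-Cookie
    this.sessions = new Map();    // session ID -> logged-in user (or null)
  }
  // Handle one request; returns { user, setCookie }, setCookie may be null.
  handle(cookieId, loginAs) {
    let setCookie = null;
    if (!this.sessions.has(cookieId)) {
      cookieId = `${this.name}-${nextId++}`; // unknown ID: issue a fresh one
      this.sessions.set(cookieId, null);
      setCookie = { name: "CFID", value: cookieId, path: this.cookiePath };
    }
    if (loginAs) this.sessions.set(cookieId, loginAs);
    return { user: this.sessions.get(cookieId), setCookie };
  }
}

class Browser {
  constructor() { this.jar = new Map(); } // key: name|path (one domain here)
  // RFC 6265 path-match; the cookie with the longest matching path wins.
  cookieFor(name, reqPath) {
    const hits = [...this.jar.values()].filter(c => c.name === name &&
      (reqPath === c.path ||
       reqPath.startsWith(c.path.endsWith("/") ? c.path : c.path + "/")));
    hits.sort((a, b) => b.path.length - a.path.length);
    return hits.length ? hits[0].value : undefined;
  }
  request(app, reqPath, loginAs) {
    const res = app.handle(this.cookieFor("CFID", reqPath), loginAs);
    if (res.setCookie) this.jar.set(`CFID|${res.setCookie.path}`, res.setCookie);
    return res.user;
  }
}

// Replays the three steps; returns the user app 1 sees in step 3.
function replay(path1, path2) {
  const app1 = new App("app1", path1), app2 = new App("app2", path2);
  const ie = new Browser();
  ie.request(app1, "/app1/login.cfm", "alice");    // 1) log in to app 1
  ie.request(app2, "/app2/index.cfm", "alice");    // 2) log in to app 2
  return ie.request(app1, "/app1/page.cfm", null); // 3) back to app 1
}
```

With both cookies at `Path=/`, `replay("/", "/")` ends with app 1 seeing no user, because app 2 overwrote the shared cookie; with `replay("/app1", "/app2")` each app keeps its own cookie and app 1 still sees `alice`.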

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349176