Not different servers Peter different sub domains

Regards
Dale Fraser

> On 4 Apr 2014, at 10:25 pm, "ColdGen Internet Solutions"
> <coldgen.internet.soluti...@gmail.com> wrote:
>
> Make a database for client vars. Point all sites there. All servers should
> share the same client storage source. ColdFusion should do the rest.
>
>> On 04/04/2014 10:00 PM, "Phil Rasmussen" <ara...@gmail.com> wrote:
>> Hey Peter. Not using Client Vars at all, it's set to storage = none in CF
>> Admin. Purely J2EE Session cookies so the persistence between subdomains
>> relies solely on the cookie which is where I'm stuck as none of my settings
>> appear to help with the persistence.
>>
>>> On Friday, 4 April 2014 18:39:02 UTC+10, ColdGen Internet Solutions wrote:
>>> Are you using the SAME database for storing Client Variables across all of
>>> the domains? (and not storing as cookie or in registry).
>>>
>>> Just checking!
>>>
>>> Peter Tilbrook
>>> Web Administrator, The Club Group Pty. Ltd.
>>> Managing Director, ColdGen Internet Solutions
>>> Professional Adobe ColdFusion Application Development
>>> President, ACT and Region ColdFusion Users Group
>>> PO Box 2247
>>> Queanbeyan, NSW, 2620
>>> AUSTRALIA
>>>
>>> Telephone: +61-2-6104-9981
>>> Mobile: +61-2-047-623-579
>>>
>>> Email Address: peter.t...@coldgen.com
>>> WWW: http://www.coldgen.com/
>>> Twitter: @ColdGen
>>>
>>> ABN: 80 826 226 128
>>>
>>>> On 4 April 2014 18:48, Phil Rasmussen <ara...@gmail.com> wrote:
>>>> Hi Dmitry
>>>>
>>>> I have read over that article a few days back and unfortunately it hasn't
>>>> helped my problem. I'm also not entirely sure what she means with regards
>>>> to changing config settings for J2EE so I've responded to her to get
>>>> further information.
>>>>
>>>> Charlie, I've been retesting with your suggestions today and tried a
>>>> variation of the cookie manual setting with the encodeValue set to true
>>>> and false, in addition to playing around with the domain mask as either
>>>> ".domain.com" or "*.domain.com", neither of which seem to work. I have
>>>> noticed using web inspector there on occasion appear to be 2 identical
>>>> JSESSIONIDs getting set and sometimes one of them has a slight difference
>>>> in the encoding which is probably due to the fact I was mucking around
>>>> with these encodeValue settings and not clearing my existing cookies.
>>>> Either way I just cannot get the sessions to stick when jumping between
>>>> subdomains and I keep getting issued with a fresh JSESSIONID token.
>>>>
>>>> I'm wondering if there is a Tomcat config setting or something deeper to
>>>> help with this cross domain session management as I can't think of
>>>> anything else.
>>>>
>>>> Cheers
>>>> Phil
>>>>
>>>>> On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>>>>> Hi Phil,
>>>>>
>>>>> This post seems to be pretty relevant to your problem:
>>>>> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>>>>>
>>>>> In the end it says:
>>>>> Note: all these configurations we discussed are valid for CF session
>>>>> cookies and Authentication cookies. For JSESSIONID, one needs to make
>>>>> changes in server related configurations.
>>>>>
>>>>> So probably direct edit of config files is involved.
>>>>>
>>>>> Cheers,
>>>>> Dmitry.
>>>>>
>>>>>> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>>>>> Hi Guys
>>>>>>
>>>>>> Just wondering if anyone has come across an issue in CF10 whereby
>>>>>> sessions are dropped when crossing between HTTP and HTTPS, even though
>>>>>> the JSESSIONID is being explicitly passed in these links which had
>>>>>> worked for us for over 5 years without fail prior to CF10. From what I
>>>>>> have read there appears to be a big change to address the Session
>>>>>> Fixation security issues which would explain the HTTP/HTTPS drops but I
>>>>>> can't find a workaround for this.
>>>>>>
>>>>>> Essentially we have CF10 installed with J2EE Session Management turned
>>>>>> on, and the default HTTPOnly set to true. In the application the domain
>>>>>> structure looks as follows:
>>>>>>
>>>>>> https://book.domain.com
>>>>>> http://profile.domain.com
>>>>>> http://approve.domain.com
>>>>>>
>>>>>> When crossing between the domains (which had worked for many years
>>>>>> prior) the session drops and CF issues a new set of session identifiers.
>>>>>> In order to try and bypass the SSL issue, I've switched the entire
>>>>>> application over to HTTPS so at no stage will the session or cookies be
>>>>>> served over HTTP, which works fine if the user doesn't cross domains,
>>>>>> but the moment a different subdomain is clicked (i.e. to make a booking)
>>>>>> then the session drops.
>>>>>>
>>>>>> Even setting a cookie in the onSessionStart() as follows has no effect:
>>>>>>
>>>>>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>>>>>
>>>>>> Has anyone come across this behaviour migrating to CF10?
>>>>>>
>>>>>> Cheers
>>>>>> Phil
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "cfaussie" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to cfaussie+u...@googlegroups.com.
>>>> To post to this group, send email to cfau...@googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/cfaussie.
>>>> For more options, visit https://groups.google.com/d/optout.
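
How a browser scopes cookies under RFC 6265, as an added example that is not part of any message in this thread: a host-only cookie, a `Domain=.domain.com` cookie and a `*.domain.com` value are checked against the subdomains named above. The function names and cookie values are constructed for illustration, and Path, expiry and public-suffix rules are left out.

```javascript
// Added example: simplified RFC 6265 cookie scoping (no Path, expiry or
// public-suffix handling). Names and values below are constructed.

// RFC 6265 section 5.1.3: identical, or a suffix preceded by a dot.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie the way a browser would when `setterUrl` sends Set-Cookie.
// Returns the stored record, or null if the browser rejects it.
function storeCookie(setterUrl, { name, value, domain, secure = false }) {
  const host = new URL(setterUrl).hostname;
  if (domain === undefined) {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { name, value, domain: host, hostOnly: true, secure };
  }
  const d = domain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  // A Domain that the setting host does not match is rejected outright.
  if (!domainMatch(host, d)) return null;
  return { name, value, domain: d, hostOnly: false, secure };
}

// Cookies from `jar` that would be attached to a request for `url`.
function cookiesFor(url, jar) {
  const { hostname, protocol } = new URL(url);
  return jar.filter((c) =>
    (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)) &&
    (!c.secure || protocol === "https:"));
}

// All three cookies are set by the booking host from the thread.
const setter = "https://book.domain.com/";
const hostOnly = storeCookie(setter, { name: "JSESSIONID", value: "A1" });
const wide = storeCookie(setter,
  { name: "JSESSIONID", value: "B2", domain: ".domain.com", secure: true });
const wildcard = storeCookie(setter,
  { name: "JSESSIONID", value: "C3", domain: "*.domain.com" });
const jar = [hostOnly, wide, wildcard].filter(Boolean);

// Values of the cookies a request to `url` would carry.
function sentTo(url) {
  return cookiesFor(url, jar).map((c) => c.value);
}

console.log(sentTo("https://book.domain.com/"));    // host-only and domain cookie
console.log(sentTo("https://profile.domain.com/")); // domain cookie only
console.log(sentTo("http://profile.domain.com/"));  // Secure cookie withheld
```

In this model a host-only and a domain-wide cookie with the same name are both returned to the host that set them, and the server cannot tell from the `Cookie` header which is which.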