None = nooooooo. Try turning it on.  ColdFusion under Java 101. Also update
JRE to 1.7 update 51
On 04/04/2014 10:00 PM, "Phil Rasmussen" <ara...@gmail.com> wrote:

> Hey Peter. Not using Client Vars at all, it's set to storage = none in CF
> Admin. Purely J2EE Session cookies so the persistence between subdomains
> relies solely on the cookie which is where I'm stuck as none of my settings
> appear to help with the persistence.
>
> On Friday, 4 April 2014 18:39:02 UTC+10, ColdGen Internet Solutions wrote:
>>
>> Are you using the SAME database for storing Client Variables across all
>> of the domains? (and not storing as cookie or in registry).
>>
>> Just checking!
>>
>>
>>
>> *Peter Tilbrook*
>> Web Administrator, The Club Group Pty. Ltd.
>> Managing Director, ColdGen Internet Solutions
>> Professional Adobe ColdFusion Application Development
>> President, ACT and Region ColdFusion Users Group
>> PO Box 2247
>> Queanbeyan, NSW, 2620
>> AUSTRALIA
>>
>> *Telephone:* +61-2-6104-9981
>> *Mobile:* +61-2-047-623-579
>>
>> *Email Address:* peter.t...@coldgen.com
>> *WWW:* http://www.coldgen.com/
>> *Twitter:* @ColdGen
>>
>> *ABN:* 80 826 226 128
>>
>>
>> On 4 April 2014 18:48, Phil Rasmussen <ara...@gmail.com> wrote:
>>
>>> Hi Dmitry
>>>
>>> I have read over that article a few days back and unfortunately it
>>> hasn't helped my problem. I'm also not entirely sure what she means with
>>> regards to changing config settings for J2EE so I've responded to her to
>>> get further information.
>>>
>>> Charlie, I've been retesting with your suggestions today and tried a
>>> variation of the cookie manual setting with the encodeValue set to true and
>>> false, in addition to playing around with the domain mask as either
>>> ".domain.com" or "*.domain.com", neither of which seem to work. I have
>>> noticed using web inspector there on occasion appears to be 2 identical
>>> JSESSIONIDs getting set and sometimes one of them has a slight difference
>>> in the encoding which is probably due to the fact I was mucking around with
>>> these encodeValue settings and not clearing my existing cookies. Either way
>>> I just cannot get the sessions to stick when jumping between subdomains and
>>> I keep getting issued with a fresh JSESSIONID token.
>>>
>>> I'm wondering if there is a Tomcat config setting or something deeper to
>>> help with this cross domain session management as I can't think of anything
>>> else.
>>>
>>> Cheers
>>>  Phil
>>>
>>>
>>>
>>> On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>>>>
>>>> Hi Phil,
>>>>
>>>> This post seems to be pretty relevant to your problem:
>>>> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>>>>
>>>> In the end it says:
>>>> *Note: all these configurations we discussed are valid for CF session
>>>> cookies and Authentication cookies. For JSESSIONID, one needs to make
>>>> changes in server related configurations.*
>>>>
>>>> So probably direct edit of config files is involved.
>>>>
>>>> Cheers,
>>>> Dmitry.
>>>>
>>>> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>>>>
>>>>> Hi Guys
>>>>>
>>>>> Just wondering if anyone has come across an issue in CF10 whereby
>>>>> sessions are dropped when crossing between HTTP and HTTPS, even though the
>>>>> JSESSIONID is being explicitly passed in these links which had worked for
>>>>> us for over 5 years without fail prior to CF10. From what I have read there
>>>>> appears to be a big change to address the Session Fixation security issues
>>>>> which would explain the HTTP/HTTPS drops but I can't find a workaround for
>>>>> this.
>>>>>
>>>>> Essentially we have CF10 installed with J2EE Session Management turned
>>>>> on, and the default HTTPOnly set to true. In the application the domain
>>>>> structure looks as follows:
>>>>>
>>>>> https://book.domain.com
>>>>> http://profile.domain.com
>>>>> http://approve.domain.com
>>>>>
>>>>> When crossing between the domains (which had worked for many years
>>>>> prior) the session drops and CF issues a new set of session identifiers.
>>>>> In order to try and bypass the SSL issue, I've switched the entire
>>>>> application over to HTTPS so at no stage will the session or cookies be
>>>>> served over HTTP, which works fine if the user doesn't cross domains, but
>>>>> the moment a different subdomain is clicked (i.e. to make a booking) then
>>>>> the session drops.
>>>>>
>>>>> Even setting a cookie in the onSessionStart() as follows has no
>>>>> effect:
>>>>>
>>>>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>>>>
>>>>> Has anyone come across this behaviour migrating to CF10?
>>>>>
>>>>> Cheers
>>>>> Phil
>>>>>
>>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "cfaussie" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cfaussie+u...@googlegroups.com.
>>> To post to this group, send email to cfau...@googlegroups.com.
>>> Visit this group at http://groups.google.com/group/cfaussie.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>
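
Added example, not part of the original thread: a simplified model of how a browser scopes cookies by Domain and Secure, which shows one way two JSESSIONID cookies can coexist and why a sibling subdomain may receive only one of them, or none. The cookie values, the SAMPLE data and the function names are constructed for illustration; the host names are the placeholder ones used in the thread.

```javascript
// Simplified RFC 6265 scoping: path matching and public-suffix checks omitted.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}
// Parse one Set-Cookie header received from requestHost.
// Returns null when a browser would refuse to store the cookie.
function parseSetCookie(header, requestHost) {
  const host = requestHost.toLowerCase();
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: host, hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.toLowerCase() === 'secure') c.secure = true;
    if (key.toLowerCase() === 'domain' && val) {
      c.domain = val.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      c.hostOnly = false;
    }
  }
  // A Domain that does not cover the setting host (e.g. "*.domain.com") is refused.
  if (!c.hostOnly && !domainMatch(host, c.domain)) return null;
  return c;
}

// Keyed by (name, domain): same name with another domain scope is a second cookie.
function buildJar(responses) {
  const jar = new Map();
  for (const [host, header] of responses) {
    const c = parseSetCookie(header, host);
    if (c) jar.set(`${c.name}|${c.domain}`, c);
  }
  return jar;
}

// The name=value pairs a browser would attach to a request for url.
function cookiesSentTo(jar, url) {
  const { protocol, hostname } = new URL(url);
  return [...jar.values()]
    .filter((c) => !c.secure || protocol === 'https:')
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed [responding host, Set-Cookie header] pairs.
const SAMPLE = [
  ['book.domain.com', 'JSESSIONID=AAA111; Path=/; Secure; HttpOnly'],
  ['book.domain.com', 'JSESSIONID=BBB222; Domain=.domain.com; Path=/'],
  ['book.domain.com', 'JSESSIONID=CCC333; Domain=*.domain.com; Path=/'],
];
```

With SAMPLE, cookiesSentTo(buildJar(SAMPLE), url) returns both the host-only and the domain-wide JSESSIONID for https://book.domain.com/ but only the domain-wide one for http://profile.domain.com/, so which value the server reads as the session identifier depends on the request.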
