You are wrong. ColdFusion still uses them even with J2EE. J2EE is just a
more secure method of tracking session. The principle is the same.
On 04/04/2014 10:35 PM, "Dale Fraser" <d...@fraser.id.au> wrote:

> I think client variables died with cf5
>
> Regards
> Dale Fraser
>
> On 4 Apr 2014, at 10:32 pm, "ColdGen Internet Solutions" <
> coldgen.internet.soluti...@gmail.com> wrote:
>
> None = nooooooo. Try turning it on.  ColdFusion under Java 101. Also
> update JRE to 1.7 update 51
> On 04/04/2014 10:00 PM, "Phil Rasmussen" <ara...@gmail.com> wrote:
>
>> Hey Peter. Not using Client Vars at all, it's set to storage = none in CF
>> Admin. Purely J2EE Session cookies so the persistence between subdomains
>> relies solely on the cookie which is where I'm stuck as none of my settings
>> appear to help with the persistence.
>>
>> On Friday, 4 April 2014 18:39:02 UTC+10, ColdGen Internet Solutions wrote:
>>>
>>> Are you using the SAME database for storing Client Variables across all
>>> of the domains? (and not storing as cookie or in registry).
>>>
>>> Just checking!
>>>
>>>
>>>
>>> *Peter Tilbrook*
>>> Web Administrator, The Club Group Pty. Ltd.
>>> Managing Director, ColdGen Internet Solutions
>>> Professional Adobe ColdFusion Application Development
>>> President, ACT and Region ColdFusion Users Group
>>> PO Box 2247
>>> Queanbeyan, NSW, 2620
>>> AUSTRALIA
>>>
>>> *Telephone:* +61-2-6104-9981
>>> *Mobile:* +61-2-047-623-579
>>>
>>> *Email Address:* peter.t...@coldgen.com
>>> *WWW:* http://www.coldgen.com/
>>> *Twitter:* @ColdGen
>>>
>>> *ABN:* 80 826 226 128
>>>
>>>
>>> On 4 April 2014 18:48, Phil Rasmussen <ara...@gmail.com> wrote:
>>>
>>>> Hi Dmitry
>>>>
>>>> I have read over that article a few days back and unfortunately it
>>>> hasn't helped my problem. I'm also not entirely sure what she means with
>>>> regards to changing config settings for J2EE so I've responded to her to
>>>> get further information.
>>>>
>>>> Charlie, I've been retesting with your suggestions today and tried a
>>>> variation of the cookie manual setting with the encodeValue set to true and
>>>> false, in addition to playing around with the domain mask as either
>>>> ".domain.com" or "*.domain.com" neither of which seem to work. I have
>>>> noticed using web inspector there on occasion appears to be 2 identical
>>>> JSESSIONID's getting set and sometimes one of them has a slight difference
>>>> in the encoding which is probably due to the fact I was mucking around with
>>>> these encodeValue settings and not clearing my existing cookies. Either way
>>>> I just cannot get the sessions to stick when jumping between subdomains and
>>>> I keep getting issued with a fresh JSESSIONID token.
>>>>
>>>> I'm wondering if there is a Tomcat config setting or something deeper
>>>> to help with this cross domain session management as I can't think of
>>>> anything else.
>>>>
>>>> Cheers
>>>>  Phil
>>>>
>>>>
>>>>
>>>> On Thursday, 3 April 2014 14:53:13 UTC+10, Dmitry Yakhnov wrote:
>>>>>
>>>>> Hi Phil,
>>>>>
>>>>> This post seems to be pretty relevant to your problem:
>>>>> http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html
>>>>>
>>>>> In the end it says:
>>>>> *Note: all these configurations we discussed are valid for CF session
>>>>> cookies and Authentication cookies. For JSESSIONID, one needs to make
>>>>> changes in server related configurations.*
>>>>>
>>>>> So probably direct edit of config files is involved.
>>>>>
>>>>> Cheers,
>>>>> Dmitry.
>>>>>
>>>>> On Thursday, 3 April 2014 09:26:13 UTC+11, Phil Rasmussen wrote:
>>>>>>
>>>>>> Hi Guys
>>>>>>
>>>>>> Just wondering if anyone has come across an issue in CF10 whereby
>>>>>> sessions are dropped when crossing between HTTP and HTTPS, even though the
>>>>>> JSESSIONID is being explicitly passed in these links which had worked for
>>>>>> us for over 5 years without fail prior to CF10. From what I have read there
>>>>>> appears to be a big change to address the Session Fixation security issues
>>>>>> which would explain the HTTP/HTTPS drops but I can't find a workaround for
>>>>>> this.
>>>>>>
>>>>>> Essentially we have CF10 installed with J2EE Session Management
>>>>>> turned on, and the default HTTPOnly set to true. In the application the
>>>>>> domain structure looks as follows:
>>>>>>
>>>>>> https://book.domain.com
>>>>>> http://profile.domain.com
>>>>>> http://approve.domain.com
>>>>>>
>>>>>> When crossing between the domains (which had worked for many years
>>>>>> prior) the session drops and CF issues a new set of session identifiers. In
>>>>>> order to try and bypass the SSL issue, I've switched the entire application
>>>>>> over to HTTPS so at no stage will the session or cookies be served over
>>>>>> HTTP, which works fine if the user doesn't cross domains, but the moment a
>>>>>> different subdomain is clicked (ie to make a booking) then the session
>>>>>> drops.
>>>>>>
>>>>>> Even setting a cookie in the onSessionStart() as follows has no
>>>>>> effect:
>>>>>>
>>>>>> <cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com">
>>>>>>
>>>>>> Has anyone come across this behaviour migrating to CF10?
>>>>>>
>>>>>> Cheers
>>>>>> Phil
>>>>>>
>>>>>  --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "cfaussie" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cfaussie+u...@googlegroups.com.
>>>> To post to this group, send email to cfau...@googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/cfaussie.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>
>
>

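
The thread turns on whether a browser will present one JSESSIONID cookie to several subdomains and across HTTP and HTTPS. The following is an added example, not code from any poster or from ColdFusion or Tomcat: it models the RFC 6265 Domain and Secure rules for the three hosts named in the thread. The `Set-Cookie` values are constructed samples, all function names are hypothetical, and Path matching and public-suffix checks are left out.

```javascript
// Added example: RFC 6265 cookie scoping for the hosts named in the thread.
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [key, ...rest] = a.split("=");
    cookie.attrs[key.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled here).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide how a browser stores the cookie set by `originUrl`; null means rejected.
function storeCookie(header, originUrl) {
  const c = parseSetCookie(header);
  const originHost = new URL(originUrl).hostname;
  let domain = typeof c.attrs.domain === "string" ? c.attrs.domain.toLowerCase() : "";
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is ignored
  if (domain === "") return { ...c, domain: originHost, hostOnly: true };
  if (!domainMatch(originHost, domain)) return null; // "*.domain.com" never matches
  return { ...c, domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `targetUrl`?
function wouldSend(stored, targetUrl) {
  if (stored === null) return false;
  const u = new URL(targetUrl);
  if (stored.attrs.secure && u.protocol !== "https:") return false;
  return stored.hostOnly ? u.hostname === stored.domain : domainMatch(u.hostname, stored.domain);
}

const ORIGIN = "https://book.domain.com/"; // host that issues the cookie
const TARGETS = ["https://profile.domain.com/", "http://approve.domain.com/"];
const SAMPLES = { // constructed Set-Cookie values, not captured traffic
  hostOnly: "JSESSIONID=ABC123; Path=/; HttpOnly",
  parentDomain: "JSESSIONID=ABC123; Domain=.domain.com; Path=/; HttpOnly",
  wildcard: "JSESSIONID=ABC123; Domain=*.domain.com; Path=/; HttpOnly",
  parentSecure: "JSESSIONID=ABC123; Domain=.domain.com; Path=/; Secure; HttpOnly",
};
for (const [label, header] of Object.entries(SAMPLES)) {
  const stored = storeCookie(header, ORIGIN);
  console.log(label, TARGETS.map((t) => wouldSend(stored, t)));
}
```

Comparing the `Set-Cookie` header the server actually emits (visible in the browser's network inspector) against these cases shows which scoping rule applies to a given response.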
