I suspect you could clear all cookies, ditch the onsession start code and it will still work.
Regards
Dale Fraser

From: cfaussie@googlegroups.com [mailto:cfaussie@googlegroups.com] On Behalf Of Phil Rasmussen
Sent: Tuesday, 8 April 2014 12:48 PM
To: cfaussie@googlegroups.com
Subject: Re: [cfaussie] CF10 Cross Domain sessions with HTTPS

Thanks Charlie

Okay, sorry if I didn't clarify further, but I will post the final elements of my Application.cfc below:

<cfcomponent hint="Application" output="false">
    <cfscript>
        // Application Settings
        this.name = "myApplication";
        this.applicationTimeout = createTimeSpan(0,2,0,0);
        this.clientManagement = false;
        this.loginStorage = "session";
        this.sessionManagement = true;
        this.sessionTimeout = createTimeSpan(0,1,0,0);
        this.setClientCookies = false;
        this.setDomainCookies = false;

        // Domain specific settings for session persistence over subdomains
        this.sessioncookie.domain = '.domain.com';
        this.sessioncookie.httponly = true;
    </cfscript>

    <!--- Re-issue the J2EE session id as a Secure, domain-scoped, browser-session cookie;
          encodeValue="false" keeps the value identical to what the container issued --->
    <cffunction name="onSessionStart" returnType="void" output="false">
        <cfcookie name="jsessionid" value="#session.sessionid#" secure="true" domain=".domain.com" encodeValue="false">
    </cffunction>
</cfcomponent>

So the differences were that I used a combination of the this.sessioncookie.domain in the Application.cfc and the manual cookie creation for the JSESSIONID in the onSessionStart, with the addition of the encodeValue attribute. I did have initial issues relating to a duplicate JSESSIONID cookie being created but with slightly different encoding, which was solved using your encodeValue attribute suggestion and clearing all past cookies. After that I was still getting issued a new session when jumping between the HTTPS subdomains, so, lost for all options, I included both the <cfcookie> creation in the onSessionStart() and the this.sessioncookie.domain setting in the constructor of the Application.cfc, and after clearing all cookies again this worked. I subsequently tested in 4 other browsers to confirm this.
It seems to be a combination of both that has resolved the issue and also allowed me to only create secure, session-based cookies for the duration of the browser, which satisfies our PCI-DSS compliance requirements as well.

On Monday, 7 April 2014 21:37:31 UTC+10, charlie arehart wrote:

Great to hear all is finally working for you, Phil. Can you clarify, then, what's different from when you first posted here? In other words, what do you think made things finally "work"? You had showed already using the domain attribute in your original post, so that wasn't it. Was it the clearing of cookies, perhaps? (That's why I had made the point in my first reply about checking in a browser dev tool about duplicates.) Or was it maybe that the cookies you created looked different than you expected (which is why I'd mentioned the new encodeValue attribute)? As I'd said, I've seen those both be key to problems like yours. But just to be sure, was there something else also? It may help others who hit this in the future.

/charlie

From: cfau...@googlegroups.com [mailto:cfau...@googlegroups.com] On Behalf Of Phil Rasmussen
Sent: Sunday, April 06, 2014 10:10 PM
To: cfau...@googlegroups.com
Subject: Re: [cfaussie] CF10 Cross Domain sessions with HTTPS

Dale

I've used a combination of the Application specific sessioncookies.domain and the manual cookie set in the onSessionStart and it appears to be working, which is odd? Previously I had tried these settings independently, thinking the combination was pointless, but I've tried in 3 different browsers and the session token holds when crossing between sub-domains. I'm not complaining though! Good point about the cookies getting confused, as I had seen that earlier with a very old non-domain scoped jsession cookie remaining dormant on the browser and causing a double up with the new domain specific cookie declaration.
Everything appears to now be running over J2EE sessions with secure cookies, full HTTPS, and browser based cookies only, which satisfies our PCI obligations. Thanks for your help everyone!

--
You received this message because you are subscribed to the Google Groups "cfaussie" group. To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+unsubscr...@googlegroups.com. To post to this group, send email to cfaussie@googlegroups.com. Visit this group at http://groups.google.com/group/cfaussie. For more options, visit https://groups.google.com/d/optout.
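As an added example (not code from the thread or from ColdFusion), here is a small Python audit of Set-Cookie headers that checks the properties Phil ended up needing for the JSESSIONID cookie: scoped to the parent domain, Secure, HttpOnly, and browser-session only, and that flags the duplicate/stale cookie and mismatched-value conditions Charlie and Phil describe. The header strings are constructed samples; only the cookie name and the .domain.com scope come from the thread.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return name.strip(), value.strip(), attrs

def audit_session_cookies(headers: List[str], expected_domain: str,
                          cookie_name: str = "jsessionid") -> List[str]:
    """Return findings for the session cookie; an empty list means it passes."""
    want = expected_domain.lower().lstrip(".")
    findings: List[str] = []
    seen: List[Tuple[str, str]] = []  # (domain scope, value) of each copy issued
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name.lower() != cookie_name:
            continue
        domain = attrs.get("domain", "").lower().lstrip(".") or "(host-only)"
        seen.append((domain, value))
        if "secure" not in attrs:
            findings.append("missing Secure: cookie would also be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: cookie readable from script")
        if domain != want:
            findings.append(f"domain {domain} != {want}: will not follow across subdomains")
        if "expires" in attrs or "max-age" in attrs:
            findings.append("persistent cookie: should end with the browser session")
    if not seen:
        return [f"no {cookie_name} cookie issued"]
    if len({d for d, _ in seen}) > 1:
        findings.append("same cookie issued with different domain scopes: stale copy competes with new one")
    if len({v for _, v in seen}) > 1:
        findings.append("conflicting values for the same cookie: check encodeValue and clear old cookies")
    return findings

# Constructed sample: what each HTTPS subdomain should emit once the Application.cfc above is in place.
GOOD_HEADERS = ["JSESSIONID=A1B2C3D4E5F6; Domain=.domain.com; Path=/; Secure; HttpOnly"]
# Constructed sample of the failure mode from the thread: an old host-only cookie
# alongside a new domain-scoped one that also persists past the browser session.
BAD_HEADERS = [
    "JSESSIONID=OLD0000STALE; Path=/; HttpOnly",
    "JSESSIONID=A1B2C3D4E5F6; Domain=.domain.com; Path=/; Secure; HttpOnly; "
    "Expires=Wed, 09 Apr 2014 12:00:00 GMT",
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, audit_session_cookies(hdrs, ".domain.com") or ["ok"])
```

Feed it the Set-Cookie headers captured from each subdomain in the browser dev tool (or from a HEAD request) to confirm the cookie set is consistent before a PCI review.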