September 16, 2013
Question

Losing sessions after moving to CF10


Hi,

We recently moved an application from CF 7 to CF 10 and have since noticed that browsing to a non secure page (http) to a https page makes the server lose our log-in session. Our site has a log-in page, and this is served securely. When the user logs in they can access all other pages that securely link from that log-in page. But, as soon as they click on a non-secure page, the session is lost.

This is a clean CF 10 install, not an upgrade. Are there any known issues with sessions and HTTPS in CF10 that we should be aware of? I printed out the session/cookie scopes on each page and it seems we get a new JSESSIONID for http/https sites, even though they have the same domain.

Our cfapplication tag is defined as:

<cfapplication name="ourSite" clientmanagement="yes" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#" setclientcookies="yes" setdomaincookies="no" clientstorage="Cookie" scriptprotect="all">

Can anyone please shed some light on this? The domain is the same between http/https calls, so surely CF should be able to retrieve the cookie?

Thanks,

Mark


tribule (Author)
September 16, 2013

A quick finding. I took a CFDUMP of the cookie scope and then copied the CFID and CFTOKEN into URL parameters and passed them to secure pages, and they worked fine. Insecure pages still drop the session.

It seems ColdFusion 10 is not copying the CFID and CFTOKEN variables to the insecure pages. Does anyone have any ideas why, and how to resolve it?

Participating Frequently
September 17, 2013

I wonder if that's a browser issue. There have been several occasions where I had session info dropping (not related to SSL), and I was SURE it was related to CF, but then as a last ditch effort I had the user completely reset their browser settings back to default, and voila, no more session problems. Just an idea. Btw, when this was occurring, some users did not have the problem, and others did, so there was clearly something specific to the client. Maybe yours is different. You might also use a debugger like Firebug for Firefox to see everything going on in the HTTP calls. Chrome and IE have debuggers already, just hit F12 to enable them, but personally I like Firebug.

tribule (Author)
September 17, 2013

David, I tried resetting the browser as you said, but to no avail. I also tried five other different browsers; all the same issue. Something has changed in CF10 and it seems to be to do with CFIDs and sessions. I know that the CF Admin no longer allows multiple logins using the same user id, but something else has changed in CF10 to do with session management. I tried a JVM parameter that returns sessions to their CF 9 mode, but that did not work either.

What I found out was that if I went to the login page securely, all subsequent secure pages retained the session, but insecure ones would not. So, I just made the login page use an http:// link in the form submission method, and that overcomes the issue since all subsequent pages are then http:// links. The solution seems to be to serve ALL pages as either http:// or https://. Pages that are secure and post successively to other secure pages are fine, e.g. our e-commerce payment pages.

Very strange this, and still no definitive workaround or response from Adobe. A cookie with the same domain should be served irrespective of the page being http:// or https://; indeed my own test pages show the same cookie is served in both cases.
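The symptom described throughout this thread (the CFID/CFTOKEN cookies are visibly present after an https login, work when hand-copied into URL parameters, yet are never presented on http pages of the same domain) is exactly how a browser treats a session cookie that carries the Secure attribute: a same-domain cookie is stored once but only attached to https requests. The following script is an added example, not code from the thread or from ColdFusion; it uses Python's standard cookie store to replay that behaviour against constructed Set-Cookie headers. The assumption that the session cookies were issued with Secure is mine and is not confirmed by the thread (ColdFusion 10 added per-application session cookie settings in Application.cfc, the this.sessioncookie struct, and in the administrator, which is where I would look first). The URLs and cookie values are constructed.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class _CannedResponse:
    """Minimal stand-in for an HTTP response (constructed for this example).
    CookieJar only needs .info() to return the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie_headers):
    """Simulate the browser receiving the login response: the Set-Cookie
    headers are parsed and stored the way a browser's cookie store does it."""
    jar = CookieJar()
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_CannedResponse(set_cookie_headers), request)
    return jar


def cookies_sent(jar, url):
    """Return the cookie names the browser would attach to a request for url.
    add_cookie_header applies the host, path, expiry and Secure rules."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if header is None:
        return []
    return sorted(pair.split("=", 1)[0] for pair in header.split("; "))


# Constructed values; not the thread's server, not real session identifiers.
LOGIN_URL = "https://www.example.com/login.cfm"
HTTP_PAGE = "http://www.example.com/catalogue.cfm"
HTTPS_PAGE = "https://www.example.com/account.cfm"

# Case 1 (assumption): session cookies issued with the Secure attribute,
# e.g. because the session was created during an https request.
SECURE_COOKIES = [
    "CFID=12345; Path=/; Secure; HttpOnly",
    "CFTOKEN=67890; Path=/; Secure; HttpOnly",
]

# Case 2: the same cookies without Secure, matching the "same cookie served
# in both cases" observation from the poster's own test pages.
PLAIN_COOKIES = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890; Path=/; HttpOnly",
]


def demo():
    """Compare what reaches an http page and an https page in each case."""
    secure_jar = jar_after_login(LOGIN_URL, SECURE_COOKIES)
    plain_jar = jar_after_login(LOGIN_URL, PLAIN_COOKIES)
    return {
        "secure_to_http": cookies_sent(secure_jar, HTTP_PAGE),
        "secure_to_https": cookies_sent(secure_jar, HTTPS_PAGE),
        "plain_to_http": cookies_sent(plain_jar, HTTP_PAGE),
        "plain_to_https": cookies_sent(plain_jar, HTTPS_PAGE),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:16s} -> {names or 'no session cookies sent'}")
```

Running it shows the secure jar sending nothing to the http page and both cookies to the https page, while the plain jar sends both cookies everywhere. From a defender's point of view the first behaviour is the protective one: the Secure attribute exists precisely so that a session identifier is never transmitted in clear text, which is why serving the entire site over https (the "make ALL pages https://" option above) keeps both the session and the protection, whereas moving the login form to http:// keeps the session at the cost of sending CFID/CFTOKEN unencrypted on every page.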