Following,  ColdFusion (2016 release) Update 10, the encryption / decryption  of url parameters we have used for the past 3 years is no longer working

We tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.

Current encryption process which was deployed 2 or 3 years before:

1. Created AES secret key using Coldfusion inbuilt function (generateSecretKey("AES"))
2. Encrypted the entire URL parameters with the AES secret key. (AES encryption)
3. Concatenated secret key and AES encrypted URL.
4. Encrypted the concatenated data again with “CFMX_COMPAT” algorithm using a defined password. (Second level of encryption).
5. Sent this data as URL string to the requested page.
6. On the requested page, we decrypt the data again in the reverse order.
7. Created URL parameters needed for that page from the decrypted data.

When we got the issue on Update 10, we investigated whether it was because of “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.

Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.

Could the issues be related to cache limit, or number of URL variables created or something related to URL scope?

We have had to remove encryption of urls on a number of pages to meet important business deadlines.  This was only possible because the url parameters are of a non sensitive nature and would not present a security issue if tampered with. However we have many other pages where this approach would not be possible as it would allow access to data from other users.

Any help in resolving the above would be much appreciated.