tribule

Losing sessions after moving to CF10

Sep 16, 2013 9:17 AM

Tags: #session #jsessionid #cookie

Hi,

We recently moved an application from CF 7 to CF 10 and have since noticed that browsing from a non-secure page (http) to an https page makes the server lose our log-in session. Our site has a log-in page, and this is served securely. When the user logs in they can access all other pages that securely link from that log-in page. But, as soon as they click on a non-secure page, the session is lost.

This is a clean CF 10 install, not an upgrade. Are there any known issues with sessions and HTTPS in CF10 that we should be aware of? I printed out the session/cookie scopes on each page and it seems we get a new JSESSIONID for http/https sites, even though they have the same domain.

Our cfapplication tag is defined as:

<cfapplication name="ourSite" clientmanagement="yes" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#" setclientcookies="yes" setdomaincookies="no" clientstorage="Cookie" scriptprotect="all">

Can anyone please shed some light on this? The domain is the same between http/https calls, so surely CF should be able to retrieve the cookie?

Thanks,


Mark

Replies
  • Sep 17, 2013 11:57 AM   in reply to tribule

    I wonder if that's a browser issue.  There have been several occasions where I had session info dropping (not related to SSL), and I was SURE it was related to CF, but then as a last ditch effort I had the user completely reset their browser settings back to default, and voila, no more session problems.  Just an idea.  Btw, when this was occurring, some users did not have the problem, and others did, so there was clearly something specific to the client.  Maybe yours is different.  You might also use a debugger like Firebug for Firefox to see everything going on in the HTTP calls.  Chrome and IE have debuggers already, just hit F12 to enable them, but personally I like Firebug.

  • Sep 17, 2013 2:56 PM   in reply to tribule

    Did you try looking at the HTTP calls using a debugger?  Sometimes you will see things not normally visible to the eye, such as a redirect or something else happening that you weren't aware of or expecting in the transfer stream.  Of course, there are a ton of variables involved in this scenario, so who knows.  I don't do anything between secure and non-secure URLs, so maybe I'm not the right person to help you troubleshoot.

  • Sep 18, 2013 6:12 AM   in reply to tribule

    That's weird.  I just tested Firebug and Chrome's built-in debugger while my public site is in SSL mode, and I can see everything in the debug console fine, just like if it was in non-SSL mode.  Yeah, I guess you may have other issues, or the issue is with the code itself.  It's going to be hard to troubleshoot any further unless you can offer us a public link to test your site, or provide some code or something.

  • Sep 18, 2013 7:54 AM   in reply to tribule

    A couple of things:  First, when you enable the J2EE session variables, ColdFusion does not use the CFToken or CFID cookie value.  Second, from a security point of view, the JSESSIONID changing between secure/non-secure URLs is the correct behavior, because an attacker could steal the session id/cookie used in https if the same session id/cookie is used in http too.  The simplest solution is to use one or the other URL, in other words, make everything secure or not secure.

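The last reply explains the observed behaviour as a security property rather than a bug. The mechanism that produces it is the browser's own cookie rules: a cookie set with the Secure attribute is only ever sent back over https, so the http page never presents the JSESSIONID the login page issued and the server has no choice but to start a fresh session. The following is an added example, not code from this thread or from ColdFusion; it uses Python's http.cookiejar as a stand-in for the browser's cookie store, and it assumes the CF10 session cookie was issued with the Secure attribute (the thread itself does not show the Set-Cookie header). The host name and cookie value are constructed.

```python
"""Why a JSESSIONID issued over https is not presented again over http.

Added example, not code from the forum thread. http.cookiejar plays the
browser's cookie store. Assumption: the session cookie issued by the https
login page carries the Secure attribute. Host name and value are constructed.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "www.example.com"  # constructed host name, same for http and https

# Constructed Set-Cookie headers: the first is what a secure-only session
# cookie looks like, the second is the same cookie without the Secure flag.
SECURE_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly"


class _FakeResponse:
    """Minimal response object exposing Set-Cookie headers to CookieJar."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def store_cookie(jar, response_url, set_cookie):
    """Simulate the browser receiving Set-Cookie on a response to response_url."""
    jar.extract_cookies(_FakeResponse([set_cookie]), Request(response_url))


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for url,
    or None if the jar's policy withholds every stored cookie."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(set_cookie):
    """Issue the cookie on the https login response, then request one https
    page and one http page on the same host and report what gets sent."""
    jar = CookieJar()
    store_cookie(jar, f"https://{HOST}/login.cfm", set_cookie)
    return {
        "https": cookie_header_for(jar, f"https://{HOST}/account.cfm"),
        "http": cookie_header_for(jar, f"http://{HOST}/news.cfm"),
    }


if __name__ == "__main__":
    for label, header in (("Secure", SECURE_COOKIE), ("no Secure", PLAIN_COOKIE)):
        sent = simulate(header)
        print(f"{label:>10}: https -> {sent['https']!r}, http -> {sent['http']!r}")
```

With the Secure flag the http request carries no Cookie header at all, which is exactly the "new JSESSIONID on the http page" symptom in the original post; drop the flag and the same JSESSIONID is sent in cleartext over http, where anyone on the path can read it and replay it against the https pages. That is the trade-off the last reply describes, and it is why serving the whole logged-in site over https is the clean fix.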
