I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experience this?