I know this is a frequent issue, but I could not find any solution to my current problem, as this seems to mainly occurs on CF8 and IE.
I have the following issue for any browser and on two servers, one running CF8, and the other CF10 (both under IIS)
Symptom : when cfid and cftoken are not written explicitly in the URL, we loose the session on our back office tool (new session.cfid and session.cftoken are generated, client variables are lost, but your session is still active on the server, you can check it by going to previous page and continue browsing on your previous session).
There is a roundabout : passing in all forms and links the session variables. This is what we have done for years. The matter is... our application now sends mail with direct url links to specific pages, and in these links, we do not have the session Ids, of course. So each time we follow one of these links, we have to re-log, despite our ongoing session.
The funny thing is that it happens on ~40% of PCs I've tried. If you have the bug on one browser, it happens on all browsers (tested : FF, Chrome, IE), and it happens at all attempts, it's not a random session loss. So I think it's rather a problem related to session cookie duration settings on the system, but I could not find such a global setting in Windows.
Our cfapplication settings : (session timeout is big in order to allow you not to re-log several times a day... in theory )
<cfapplication name="our_application" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes" sessiontimeout="#createtimespan(0,10,0,0)#" applicationtimeout="#createtimespan(0,0,1,0)#" clientstorage="cdata_name">
I tryed to set the settings to "Cookie" clientStorage, and it worked for session persistence... but I encountered other errors : it seems the number of client variables are limited wth this system, and some of them were not saved when set in the code.... Does not work better with clientstorage="Registry" settings (which is not reliable enough anyway).
After pulling out my hair on this during some days, I'm afraid I got no idea on how to solve it.
Any idea would be welcome.
Please check out this blog entry I wrote to see if any of the ideas suggested there work: http://www.petefreitag.com/item/815.cfm
Does the problem go away when the user clears their cookies? Switching to J2EE sessions may solve the problem for you, if that is an option.