Reputation: 35724
I've got a login page that's on one domain, and the application on another.
When I use the login from the separate domain, the session variables are not stored for the second domain, even though that is the domain that creates them.
To be clear, I'm not sharing sessions between the domains.
The login domain runs a script on the app domain, where the app creates a session variable. This variable is not being transferred when a redirect is called within the app domain.
If I call the script from the same domain, the session is stored as expected. Funny enough, this was working fine up until today. Some cf setting changed perhaps.
I've noticed that the CFID and CFTOKEN are being passed, is it possible that the session is written using the CFID and CFTOKEN from the referring website?
If so, how can I prevent that?
Upvotes: 0
Views: 486
Reputation: 32915
You may override the default session cookie behaviour by setting this.setclientcookies = false
in Application.cfc, and issue your cfcookies in Application.cfc's onSessionStart().
e.g.
<cfcomponent>
    <!--- An application name is required for session management to work (placeholder value) --->
    <cfset this.name = "myApp">
    <cfset this.sessionmanagement = true>
    <!--- Stop ColdFusion issuing CFID/CFTOKEN cookies itself; they are set below --->
    <cfset this.setclientcookies = false>
    <cffunction name="onSessionStart">
        <cfcookie name="CFID" value="#session.cfid#" domain=".subdomain.domain.com">
        <cfcookie name="CFTOKEN" value="#session.cftoken#" domain=".subdomain.domain.com">
    </cffunction>
</cfcomponent>
While you're at it, it'd be a good idea to set the httpOnly attribute to true as well.
Upvotes: 3
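An alternative to the cfcookie approach in the answer above, added here as an illustration and not taken from the post: ColdFusion 10 and later (assumed version) accept a this.sessioncookie struct in Application.cfc that pins the domain, httponly and secure attributes of the CFID/CFTOKEN cookies ColdFusion issues itself. The application name and domain are placeholders.

```cfml
<cfcomponent output="false">
    <!--- Session scope requires an application name (placeholder value) --->
    <cfset this.name = "myApp">
    <cfset this.sessionmanagement = true>
    <cfset this.sessiontimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Let ColdFusion issue CFID/CFTOKEN, but control their attributes:
          domain   - scope the cookies to the app domain only (placeholder),
                     not the login domain that referred the request
          httponly - keep the identifiers unreadable from client-side script
          secure   - never send them over plain HTTP --->
    <cfset this.setclientcookies = true>
    <cfset this.sessioncookie = {
        domain   = ".app.example.com",
        httponly = true,
        secure   = true
    }>
</cfcomponent>
```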