Reputation: 635
Just wondering if anyone has come across an issue in CF10 whereby sessions are dropped when crossing between subdomains for the same Application under HTTPS, even though the JSESSIONID is being explicitly passed in these links, which had worked for us for over 5 years without fail prior to CF10. From what I have read there appears to be a big change to address the Session Fixation security issues in CF10, which explains why the sessions would drop jumping between HTTP and HTTPS, but this doesn't explain my issue. I understand the Session Fixation changes introduced in CF 9.02 and CF will definitely have an impact on our passing JSESSIONID via the URL; however, this behaviour has been removed and still the session is dropping.
Essentially we have CF10 installed with J2EE Session Management turned on, and the default HTTPOnly set to true. This is a single CF Application with the same Application name, setClientCookies is false and in the application the domain structure looks as follows:
https://book.domain.com
https://profile.domain.com
https://approve.domain.com
When crossing between the domains (which had worked for many years prior) the session drops and CF issues a new set of session identifiers.
Even setting a cookie in the onSessionStart() as follows has no effect:
<cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com" secure="true">
Has anyone come across this behaviour migrating to CF10?
Cheers Phil
Upvotes: 3
Views: 1066
Reputation: 635
So after playing around with a number of settings and ideas I now have the sessions behaving across the subdomains mentioned in my original question over HTTPS and using secure (browser-based) cookies, thereby satisfying PCI-DSS compliance requirements. All passing of JSESSIONID via the URL was removed from the system and the following lines were added into the Application.cfc, for both the constructors and the onSessionStart(). Note setDomainCookies and setClientCookies set to false and the domain-specific sessioncookie settings below. Also note that in onSessionStart my cookie is set without an expiry, to ensure it only lasts for the duration of the browser session, and uses the new CF10 encodeValue attribute to prevent strange encoding issues with the cookie values:
<cfcomponent hint="Application" output="false">
    <cfscript>
        // Application Settings
        this.name = "myApplication";
        this.applicationTimeout = createTimeSpan(0,2,0,0);
        this.clientManagement = false;
        this.loginStorage = "session";
        this.sessionManagement = true;
        this.sessionTimeout = createTimeSpan(0,1,0,0);
        // Both off: the domain-scoped session cookie is set explicitly in onSessionStart() below
        this.setClientCookies = false;
        this.setDomainCookies = false;
        // Domain specific settings for session persistence over subdomains
        // (leading dot so book., profile. and approve.domain.com all share the cookie)
        this.sessioncookie.domain = '.domain.com';
        this.sessioncookie.httponly = true;
    </cfscript>

    <cffunction name="onSessionStart" returnType="void" output="false">
        <!--- No expires attribute: browser-session cookie only.
              secure="true": sent over HTTPS only.
              encodeValue="false" (CF10): do not URL-encode the session id value. --->
        <cfcookie name="jsessionid" value="#session.sessionid#" secure="true" domain=".domain.com" encodeValue="false">
    </cffunction>
</cfcomponent>
Upvotes: 2
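A check to go with the answer above, added here and not part of the original question or answer: a small Python script (plain Python, not ColdFusion) that audits the Set-Cookie header each subdomain sends for the properties the answer relies on (Secure, HttpOnly, Domain=.domain.com, no Expires/Max-Age), applies the browser's RFC 6265 domain-matching rule to show which hosts the cookie will and will not be returned to, and flags links that still carry JSESSIONID, CFID or CFTOKEN in the URL. The three subdomains are the ones from the question; the Set-Cookie lines and URLs are constructed samples, not captured output, and the `expected_domain` default of `.domain.com` is an assumption taken from the answer.

```python
"""Audit of the session cookie / URL behaviour the answer above relies on.

Added example, not code from the original post. It is plain Python (not
ColdFusion) so it can be run against the Set-Cookie headers you capture
from each subdomain (for example with curl -sI). The header lines and URLs
below are constructed samples, not captured from a real server.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed Set-Cookie headers. The first is what the Application.cfc in
# the answer should yield (domain-scoped, Secure, HttpOnly, no Expires);
# the second is a host-only cookie, i.e. one with no Domain attribute.
SAMPLE_SET_COOKIE = {
    "book.domain.com":
        "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Domain=.domain.com; Secure; HttpOnly",
    "approve.domain.com":
        "JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/; HttpOnly",
}

# Names ColdFusion uses for its session identifiers (J2EE and native sessions).
SESSION_COOKIE_NAMES = {"jsessionid", "cfid", "cftoken"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def cookie_sent_to(attrs, set_by_host, request_host, https):
    """Would a browser attach this cookie to a request for request_host?

    RFC 6265 domain matching: a cookie with no Domain attribute is host-only
    and goes back only to the exact host that set it; a Domain=.domain.com
    cookie goes to domain.com and every subdomain of it. A Secure cookie is
    never sent over plain HTTP."""
    if attrs.get("secure") and not https:
        return False
    domain = attrs.get("domain")
    if not domain:
        return request_host.lower() == set_by_host.lower()
    domain = domain.lstrip(".").lower()
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)


def audit_session_cookie(header, expected_domain=".domain.com"):
    """Return a list of finding codes for one Set-Cookie header; [] means
    the cookie matches the secure, shared-subdomain, browser-session setup."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() not in SESSION_COOKIE_NAMES:
        findings.append("not-a-session-cookie")
    if not attrs.get("secure"):
        findings.append("no-secure")        # would also travel over HTTP
    if not attrs.get("httponly"):
        findings.append("no-httponly")      # readable by script
    domain = attrs.get("domain")
    if not domain:
        findings.append("host-only")        # not shared with sibling subdomains
    elif domain.lstrip(".").lower() != expected_domain.lstrip(".").lower():
        findings.append("wrong-domain")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")       # should die with the browser session
    return findings


def url_leaks_session_id(url):
    """True if a link carries the session id in the URL, either as the
    servlet ';jsessionid=' path parameter or as a query parameter."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    query_keys = parse_qs(parts.query, keep_blank_values=True)
    return any(k.lower() in SESSION_COOKIE_NAMES for k in query_keys)


if __name__ == "__main__":
    for host, header in SAMPLE_SET_COOKIE.items():
        print(host, audit_session_cookie(header) or "OK")
        _, _, attrs = parse_set_cookie(header)
        print("  sent to profile.domain.com over HTTPS:",
              cookie_sent_to(attrs, host, "profile.domain.com", https=True))
```

Paste the real Set-Cookie value from each subdomain into audit_session_cookie; an empty list means Secure, HttpOnly, Domain=.domain.com and no expiry, which is the state the answer ends up in. The cookie_sent_to check shows why a host-only JSESSIONID cannot follow the user from book. to profile.domain.com, which is what the Domain=.domain.com setting addresses, and url_leaks_session_id is a quick way to confirm that no link in a crawled page set still passes the id in the URL.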