Reputation: 3095
I recently migrated an app from CF2010 to CF2018 and we're having problems on sessions when a user logs in.
Adding some dumps and aborts I see that the session is successfully set on a valid login, but when using cflocation or cfheader it loses the session (application.cfc reruns onSessionStart). My application.cfc looks like:
this.applicationTimeout = createTimeSpan(0,8,0,0);
this.sessionmanagement = true;
this.clientmanagement = false;
this.sessiontimeout = createTimeSpan(0,0,20,0);
this.scriptProtect = "all";
this.setClientCookies = true;
this.showDebugOutput = false;
this.enablecfoutputonly = false;
onSessionStart is pretty simple:
public void function onSessionStart() {
    lock scope="session" type="exclusive" timeout="10" {
        session.started = now();
        session.loggedIn = false;
    };
    lock scope="application" type="exclusive" timeout="5" {
        application.sessions = application.sessions + 1;
    };
    writeLog(file = "g-session-log", type = "information", application = "no", text = "session started:");
};
I can see the log file gain an entry when the login page is processed. In the server admin I have "Use J2EE session variables" and "Enable Session Variables" both checked. Cookie timeout is 1440, HTTPOnly is checked and "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is checked.
Upvotes: 1
Views: 126
Reputation: 3095
Found the issue - answering in case anyone else has this problem. In my onApplicationStart() I set an http and https siteroot. On <cflocation> I called application.secureSiteRoot, but because I was moving the SSL cert over for testing I had it set to http, not https. That prevented the cookies from being set.
Upvotes: 2
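A startup guard against the misconfiguration described in the answer, as an added example that is not part of the original posts: it refuses to start the application, and refuses to redirect, when application.secureSiteRoot is not an https URL. The names assertSecureRoot and secureRedirect, the application.siteRoot variable and the example.com URLs are assumptions; only application.secureSiteRoot and the log file name come from the page.

```cfml
component {

    // Added example, not the poster's Application.cfc. URLs are placeholders.
    public boolean function onApplicationStart() {
        application.siteRoot       = "http://www.example.com/";   // assumed variable name
        application.secureSiteRoot = "https://www.example.com/";  // name taken from the answer
        // Fail at startup rather than silently losing sessions after login.
        assertSecureRoot(application.secureSiteRoot);
        return true;
    }

    // Hypothetical helper: logs and throws unless the root is an absolute https URL.
    private void function assertSecureRoot(required string root) {
        if (!reFindNoCase("^https://[^/]+", arguments.root)) {
            writeLog(
                file = "g-session-log",
                type = "error",
                application = "no",
                text = "secureSiteRoot is not https: #arguments.root#"
            );
            throw(
                type = "Config.InsecureSiteRoot",
                message = "application.secureSiteRoot must begin with https://"
            );
        }
    }

    // Hypothetical helper: the only place post-login redirects are issued from.
    // Re-checks the scheme in case the variable was changed after startup.
    public void function secureRedirect(required string path) {
        assertSecureRoot(application.secureSiteRoot);
        // Strip leading slashes so the root's trailing slash is not doubled.
        var target = application.secureSiteRoot & reReplace(arguments.path, "^/+", "");
        location(target, false); // false = do not append CFID/CFTOKEN to the URL
    }
}
```

With this in place, a temporary http value set while a certificate is being moved produces an error in the log at application start instead of a login that appears to succeed and then drops the session.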