CFID & CFTOKEN

Hi there,
I’m creating a cart & payment system using
Coldfusion MX 6.1. I have two application servers which are load
balanced. So I cannot use sessions to track user logins and other
variables because if the load balancer diverts a request to the
other server where the session does not exist then the person will
be logged out.
So I’m forced to use client variables. I’m
against using cookies for better security. So the option left for
me is store client variables in database. So I’m using the
help of CFID & CFTOKEN to track logins and store client
variables in database.
Now the problem is I’m using URLSessionFormat function
to pass CFID & CFTOKEN to all pages after login. I have
following problems:
1) If I copy the URL, which contains the CFID & CFTOKEN,
close the browser and paste it in another browser window – it
opens up the page without any authentication.
2) If I copy and paste the same URL on a browser window in
another PC, it works.
These two scenarios fail my security to the application. Can
anyone please advise a way to kill the CFID & CFTOKEN on
browser close or some mechanism to stop this occurring?
Any help is greatly appreciated.
Many thanks / Manu.
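The two scenarios in the post above leave a trace in the web server log, because URLSessionFormat puts the session identifiers into the request line. The following is an added example, not code from the post: it scans access-log lines for CFID/CFTOKEN or jsessionid carried in the URL and reports any identifier presented by more than one client. The log lines are constructed and the combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" access-log format (not real traffic).
# IP addresses are from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Sep/2014:02:25:10 +0000] "GET /cart/view.cfm?CFID=300&CFTOKEN=11985066 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
198.51.100.7 - - [03/Sep/2014:02:26:02 +0000] "GET /cart/pay.cfm?cfid=300&cftoken=11985066 HTTP/1.1" 200 7311 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
203.0.113.44 - - [03/Sep/2014:02:31:45 +0000] "GET /cart/pay.cfm?CFID=300&CFTOKEN=11985066 HTTP/1.1" 200 7311 "-" "Mozilla/5.0 (Macintosh) Safari/537.78"
198.51.100.9 - - [03/Sep/2014:02:40:00 +0000] "GET /remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?x=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11) Chrome/37.0"
198.51.100.9 - - [03/Sep/2014:02:41:00 +0000] "GET /index.cfm HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11) Chrome/37.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# URLSessionFormat writes the J2EE id as a path parameter: file.cfm;jsessionid=...
JSESSION_RE = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)


def session_key(target):
    """Return (kind, value) for a session id carried in the URL, else None."""
    parts = urlsplit(target)
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    if params.get("cfid") and params.get("cftoken"):
        # CFID and CFTOKEN identify a session only as a pair.
        return ("cfid/cftoken", f'{params["cfid"]}:{params["cftoken"]}')
    match = JSESSION_RE.search(parts.path)
    if match:
        return ("jsessionid", match.group(1))
    return None


def analyze(log_text):
    """Count URL-borne session ids and list the ones seen from several clients."""
    clients = defaultdict(set)
    exposed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        key = session_key(m["target"])
        if key is None:
            continue
        exposed += 1
        # A client is approximated by (source IP, User-Agent).
        clients[key].add((m["ip"], m["ua"]))
    shared = {k: sorted(v) for k, v in clients.items() if len(v) > 1}
    return {"exposed": exposed, "shared": shared}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("requests with a session id in the URL:", report["exposed"])
    for (kind, value), seen in report["shared"].items():
        print(f"{kind} {value} used by {len(seen)} clients:")
        for ip, ua in seen:
            print("   ", ip, "|", ua)
```

A session that legitimately moves between networks shows up the same way, so a hit is a lead for review rather than proof of a copied URL.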

Greetings Steve and other URLSessionFormat fans.
The remote file of an XMLHttp request (Spry) among other
things is trying to set two sessions.variables.
I have been told that if the remote file doesn't know the
session CFID & CFTOKEN the new session variables will not be
recognized, and to avoid that I should use URLSessionFormat.
Now, my original Spry request looks like this:
var request_URL
="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
Spry.Utils.loadURL("GET", request_URL, false, authBack);
which returns values as expected but does not set the session
variables, so I combine it with URLSessionFormat, like this:
var request_URL =
'#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';
The variable "request_URL" will render:
"/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"
which causes Spry to catch an exception while loading the URL
and the request fails altogether.
Please note the " ; " semicolon sign between the filename
"authenticate.cfm" and "jsessionid=" which is not like
CF7.1 example
"myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx"
found in livedocs.
Is either my code, macromedia example, or both wrong?
Or maybe it needs some tweaking and fixing to replace the
semicolon and put the question mark in the right place?
Pulling quite a few hairs here. Thanks for helping.

Similar Messages

  • Cfid & cftoken keep resetting every time the page refreshes!!!!

    I need some assistance.  I have setup several CF applications and never had any issues with session/application management.  However this time around every time I refresh the page it gives me a new cfid and cftoken.  Obviously it won't allow me to keep my session and I get redirected to the log in page.  Here is how I am setting up my application.  Does anyone see any issues with this?
    <cfscript>
    This.name = 'ApplicationName';
    this.clientmanagement="no";
    This.sessionManagement = "yes";
    This.applicationtimeout = CreateTimeSpan(0,1,0,0);
    This.sessionTimeout = CreateTimeSpan(0,0,20,0);
    This.scriptProtect="All";
    This.setclientcookies = "no";
    This.setdomaincookies = "no";
    </cfscript>
    Side question, when is the cfid and cftoken supposed to change?  When I land on the page for the first time before I log in the cfid & cftoken get set.  That will be the same cfid & cftoken for the full session.  Then the cfid & cftoken gets dropped once the application has timed out?  (maybe a dumb question...)
    Please Help!!!

    If you setclientcookies to be FALSE ("no", whatever), then you need to deal with the CFID & CFTOKEN values yourself (generally by passing them on every URL in your site), which is a right PitA.
    Are you sure you meant to set it to FALSE?
    Adam

  • CFID & CFTOKEN added to URL by CF

    CF automatically appends CFID & CFTOKEN to the URL when
    using <div> <span> with id = a variable.
    They are not appended when a constant is used.
    I do not want these to be displayed unless I append them
    myself.
    Is this a CF bug, or can I change my code somehow?
    I display a variable number of rows, so using a constant is
    not a solution.
    And, I use client and session variables throughout my app.
    Please help me. Thanks a bunch.
    <cfapplication name="myApp" sessiontimeout="20"
    sessionmanagement="Yes"
    setclientcookies="Yes" clientmanagement="Yes">
    This is BAD ...
    URL with the following code:
    abc/action.cfm?CFID=1851&CFTOKEN=76141078
    <div id="#style#">
    <span id="#style#"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>
    This is GOOD ...
    URL with the following code: abc/action.cfm
    <div id="1001">
    <span id="1001"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>

  • Missing session variables and multiple CFID/CFTOKEN

    We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
    Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions.  We have put troubleshooting measures in place that display values when this occurs.
    We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next).  These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers.  In most instances, if the user switches browsers, the same application works fine for them.
    In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”.  If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
    When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag.  ** We do not prefer to do this for security reasons.
    Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?

    My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
    Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
    Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
    Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
    The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
    1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
    2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
    3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.

  • Viewing active sessions (cfid/cftoken or J2EE sessionid)?

    Hello... is it possible to view the active sessions, whether cfid/cftoken or the J2EE sessionid for any given site on my server? I believe you can store client variables in a datasource, but I don't believe you can do this with the cfid/cftoken or J2EE sessionid correct? I'd really like to be able to query these values. I'm using CF 7.02 now but will be moving to CF 9, so if it's a feature there that'd be great.

    You can do it per application... but I'm not sure if there's a way of pulling out all the applications running on a given server.  The last time I looked for that sort of thing, I seem to recall not finding it (that's not to say it's not there: I just couldn't find it!).
    But for all sessions within an application: do a google on "cf sessiontracker".  Various people have blogged about how to do what you need (if not exactly what you need, then enough to get you going in the right direction).
    I thought I had some sample code that demonstrates it, but I don't :-(
    Adam

  • JSessionID, CFId/CFToken-Which is predictable?

    I have results from our new and improved PCI scan and it
    comes up with one Medium risk vuln.
    Description: The remote web application is using predictable
    cookie-based session IDs. Ideally, session IDs are randomly
    generated numbers that cannot be guessed by attackers. If the
    session ID is predictable, an attacker could hijack an active
    victim's session, allowing the attacker to interact with the server
    as though they were the victim. If the session ID is used to track
    the state of authentication, the session ID of an authenticated
    user could be guessed, bypassing any need for a username or
    password. In the case of this server, the session ID was found to
    have an insignificant number of changes between session IDs, which
    makes guessing very easy.
    Remediation: The software needs to be either configured or
    modified to generate random session IDs.
    I currently have enabled
    Use J2EE session variables
    Assuming I'm getting flagged because of cfid/cftoken
    predictability I've setClientCookies = "no" and
    clientmanagement="no" and restarted the service and everything
    seems to be working with jsessionids alone... are there any
    pitfalls to watch out with not using cfid/cftoken?
    basic question before I pay for another scan is:
    I was under the impression that jsessionids were the most
    secure and a better alternative than cfid/cftoken. Is that not the
    case?
    EDIT: The scan occurred before I made the client variable
    changes to the application.cfm (so I had both jsessionid and
    cfid/cftoken being set). As of now only jsessionid is being set.

    based on what OWASP has to say
    OWASP says
    "Best practice calls for J2EE session management. In the
    event that only ColdFusion session management is available, strong
    security identifiers must be used. Enable this setting to change
    the default 8-character CFToken security token string to a UUID.
    http://www.owasp.org/index.php/Configuration"
    It looks like the J2EE sessions are the way to go.
    I believe the reason for the PCI flag is that the scan (at
    least the one from the service we use) was looking at CFID alone. I
    assume this because cftoken -was- set to use uuid so it should have
    been secure. The scan probably doesn't know that cfid and cftoken
    are used in conjunction. So in a way this is a false positive.
    Based on the new standards coming in it is enough to be out of
    compliance.
    Solution to be in compliance is to set clientmanagement="no"
    and setclientcookies="no" in application.cfm so that cfid and
    cftoken are not set at all. By using only the jsessionid, you are
    following best practices from OWASP and also get the benefits of
    session end on browser close.
    Other thoughts still welcome

  • Adoption of CFID/CFTOKEN from request for new session

    Hi
    We've noticed that ColdFusion automatically uses CFID/CFTOKEN
    from the request, if there's no session available for this token
    combination and ColdFusion creates a new session. Is there a way to
    tell ColdFusion that it shouldn't use the values from the request
    but generate a pair of its own?
    Regards
    Sargon

  • CFID/CFTOKEN in URL Not Used

    Hi, What I have is a website that uses a shared ssl site. Here is what happens
    They are at the main site.: http://www.mysite.com/
    They add a couple items to their cart
    They enter the secure site to checkout: https://securesite.com/mysite/?cfid=1234&cftoken=5678
    I check to see if they have items in their cart, if they don't, I kick them out of checkout
    Sometimes this works just fine and the session is recognized and I can see the items.
    Other times it kicks back out and the session isn't recognized.
    When I examine the cookies I can see that the secure site wrote its own cfid and cftoken values and is not using the ones passed through the URL.
    If I delete those cookies and try again it works great
    Is there a reason it's not using the URL values, is there a way to force it to use the ones I pass in? Please let me know if there is a setting or something I should do.
    First noticed this in Firefox and it's also recently gone from CF8 to CF9.
    Thanks!!

  • CFID CFTOKEN URL 404 ERROR

    We have a program that was written by a programmer who is no longer with us.  When I go to log in to the program for the first time, after I put in my username and password and hit sign in I receive a "404 - File or directory not found error."  All I do is hit the back button and log in again and it logs me in just fine.  I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to log in successfully it just takes me straight to index.cfm
    Can anyone tell me why it's doing this and how to fix it?  It's just annoying to have to log in twice every time.  Thanks

    codyw725 wrote:
      I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to login successfully it just takes me straight to index.cfm
    There are potentially 4 URLs involved here:
    1. The URL to which the CFID and CFToken are appended;
    2. The action page of the login form (Look into the code);
    3. The page to which the user is sent when the login fails;
    4. The index.cfm page.
    It would be of interest to know whether 1. and 2., or whether 1. and 3., refer to the same page.

  • Problem with Sessions & CFID Changing Unexpectedly

    MY SETUP...
    ColdFusion version 8.01 Standard
    Hotfix version hf801-00002.jar 
    Java version 1.6.0_04
    server OS Windows 2008 Enterprise 32bit
    webserver IIS 7.0.6
    database MySql 5.0.67
    THE PROBLEM
    For some visitors, every page on the website gives them a new CFID/CFTOKEN. I tried to narrow it down to a particular browser, but it's happening in every browser. It's only happening for some people. It was happening to me, then it stopped. Not sure what I did to fix it, but it's still happening to others.
    I'm using CFID/CFTOKEN (or more recently, a random number stored in a session.variable) as their temporary ID when they add something to their shopping cart. Problem is, when the CFID or session value changes, the items in their cart are no longer associated with them anymore - their cart appears to be empty at that point.
    For the love of God, what is causing the CFID and Session variables to change on every page? I am storing the client global variables in a MySql table which was setup by CF Administrator and appears to be working properly.
    Lastly, this site has been working fine for years, all of the sudden after some PCI Compliance conformity and CF Patches, this problem arose, so I want to blame it on the patches, but I'm not sure.
    Has anyone else ever had this problem? How did you fix it?

    It can also be (and will always be) caused by any user whose browser (or any part of the connection) does not maintain the cookies.
    If the request does not contain a cookie with currently valid cfid|cftoken and|or cfsessionid values, ColdFusion will generate new ones.  This can be caused by security settings in the browser, OS, firewall, proxy etc.
    This has become an increasingly rare issue in modern Internet computing, but it was fairly common back in the day when cookies were a new idea.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the code below, in case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right??? And this will be a headache. Right??? Or any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean how are you relating this with my question.
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
    Name:
    JSESSIONID
    Content:
    782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain:
    xyz.abc.pqr.com
    Path:
    Send for:
    Any kind of connection
    Accessible to script:
    No (HttpOnly)
    Created:
    Wednesday, September 3, 2014 2:25:10 AM
    Expires:
    When the browsing session ends
    BKBK wrote:
    2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or in other words, as the session management is J2EE based do we need to set those flags for CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only, but how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea??
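A way to check the outcome of the settings discussed in this thread and in the "JSessionID, CFId/CFToken" thread above, from outside the application, is to inspect the Set-Cookie headers the server actually sends. The following is an added example, not code from any poster: it audits header values for CFID, CFTOKEN and JSESSIONID. The sample headers are constructed (the JSESSIONID value is the one quoted in the thread), and treating an all-digit CFTOKEN as "UUID tokens not enabled" is a heuristic assumption based on the OWASP quote.

```python
import re

SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}

# Constructed Set-Cookie header values for illustration.
SAMPLE_HEADERS = [
    "CFID=300; Expires=Fri, 26-Aug-2044 02:25:10 GMT; Path=/",
    "CFTOKEN=11985066;path=/;HTTPOnly",
    "JSESSIONID=782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz; Path=/; HttpOnly",
    "CFTOKEN=0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def audit_set_cookie(header_value):
    """Return (cookie name, findings) for a session cookie, or None for others."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    if name.lower() not in SESSION_COOKIES:
        return None

    # Attribute names are case-insensitive; HttpOnly and Secure carry no value.
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip()

    findings = []
    if "httponly" not in flags:
        findings.append("missing HttpOnly")
    if "secure" not in flags:
        findings.append("missing Secure")
    if "expires" in flags or "max-age" in flags:
        # A session cookie without these attributes ends when the browser closes.
        findings.append("persistent cookie")
    if name.lower() == "cftoken" and re.fullmatch(r"\d{1,10}", value):
        # Heuristic: the short numeric form rather than the UUID form.
        findings.append("numeric CFTOKEN, not a UUID")
    return name, findings


def audit_all(header_values):
    """Audit a list of Set-Cookie values, skipping non-session cookies."""
    results = []
    for header_value in header_values:
        result = audit_set_cookie(header_value)
        if result is not None:
            results.append(result)
    return results


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```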

  • Domain name and  session

    Hi ,
    We have deployed our application on tomcat server built on struts framework.
    We have also set the domain name and are redirecting the domain name to Static Ip
    where our application is deployed with URL Masking option enabled.
    Everything is working fine in Firefox. But in IE6 and IE7 we are facing issues related to sessions.
    Example:
    it works when we access directly
    http://156.78.78.89:8000/myapp/login.do?method=display
         when i redirect this with a domain name(with URL masking enabled) like
         http://www.mydomain.com It does not work.
         I am not able to login into application(using sessions of this) or use shopping cart(using cookies)
    Cookies are getting disabled and there is no session maintenance.
    Is it problem with struts config or tomcat server?
    I am unable to take my application live because of this issue.
    Please help me to solve. Thank you for your time and consideration

    Hi BKBK,
    I'm using CF10 and application.cfc
    <!--- Define the application settings. --->
    <cfset THIS.name= "GuarderiasGMX2"/>
    <cfset THIS.applicationTimeout = createTimeSpan( 0, 1, 0, 0 ) />
    <cfset THIS.sessionManagement = true />
    <cfset THIS.sessionTimeout = createTimeSpan( 0, 1, 0, 0 ) />
    I don't use cookies to set the session. I only use cfcookie to kill the session in the application.cfc when the user signs out.
    <cffunction
    name="onRequestStart"
    access="public"
    returntype="boolean"
    output="false"
    hint="I initialize the page request.">
    <!--- Define the local scope.--->
    <cfset var local = {} />
    <!--- --------------------------------------------- --->
    <!--- --------------------------------------------- --->
    <!---
    Check to see if we killed the session timeout in the
    pseudo constructor. If we did, we can / should now
    kill the cookies for the current session and then
    redirect such that the user can get their new session.
    --->
    <cfif structKeyExists( url, "killSession" )>
    <!---
    Clear all of the session cookies. This will
    expire them on the user's computer when the
    CFLocation executes.
    --->
    <cfloop
    index="local.cookieName"
    list="cfid,cftoken,cfmagic">
    <!--- Expire this session cookie. --->
    <cfcookie
    name="#local.cookieName#"
    value=""
    expires="now"
    />
    </cfloop>
    <!---
    Redirect back to the primary page (so that we dont
    have the killSession URL parameter visible).
    --->
    <cflocation
    url="index.cfm"
    addtoken="false"
    />
    </cfif>
    Regards

  • How to pass session variables via the URL in CF10?

    Hi
    I have a client with some old Flash functionality (AS2). The SWF allows the user to upload an image. However a new session is being started when the upload script is called. I have added the CFID, CFTOKEN and JSESSIONID to the URL as I did in the past to maintain the session but I believe you cannot do this anymore with CF10, if this is correct can anyone point me in the right direction of how I would accomplish maintaining the session for the upload?
    This has a note about CF 10 - http://forums.adobe.com/thread/1178420
    Kind regards
    Shaun

    Hi Shaun
    Are you facing the same issue with all the browsers?
    Thanks
    VJ

  • Cfapplication troubleshooting help

    A little help for a rusty CF programmer. It's been a while
    since I created a site using CF (2 yrs.) and am currently working
    on a new project, where I thought I could just snag a bunch of code
    from an old site I did that was very similar. I'm on a register.com
    server running CF5. I'm not completely sure they've made the DSN
    connection in CF Admin yet, since I haven't received an email
    confirmation, but I was testing the site today to see if at least
    the CF5 service was running yet.
    Here's the error:
    Error Diagnostic Information
    An error has occurred while processing the expression:
    session.auth=CFTempOnlyForSetVariableNeverUseThisNameInYourCFMLCode122333444455555654321
    Error near line 1, column 1.
    Attempt to access a Session variable when session management
    is not enabled. Use the CFAPPLICATION tag to enable session
    management.
    Note: This feature may have been disabled by the site
    administrator.
    The error occurred while processing an element with a general
    identifier of (CFPARAM), occupying document position (8:1) to
    (8:45).
    Date/Time: 06/22/07 09:47:58
    Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    Here is what my application.cfm code looks like:
    <!--- security measures. set logged in to default no
    --->
    <CFPARAM name="session.auth" DEFAULT="FALSE">
    <!--- Application parameters defined --->
    <CFAPPLICATION name="js2" clientmanagement="Yes"
    sessionmanagement="Yes" sessiontimeout="#CreateTimeSpan(0,1,0,0)#"
    applicationtimeout="#CreateTimeSpan(0,1,0,0)#">
    <!--- session timeout has been set for 1 hours,
    application timeout has been set for 1 hour --->
    <!--- set certain variables --->
    <CFSET Application.DSN = "js2">
    <cflock name="quickLock" timeout="20"
    throwontimeout="yes">
    <cfif NOT IsDefined("session.rollcount")>
    <cfset session.rollcount = 1>
    <cfcookie name="isOn" value="Testing">
    <cfset application.addToken =
    "cfid=#Client.cfid#&cftoken=#client.cftoken#">
    <cfelse>
    <!--- check to see if cookies are on. If not, make a
    query string variable with the CFID and CFTOKEN variables --->
    <cfset application.addToken = IIF(NOT
    IsDefined("cookie.isOn"),
    DE("cfid=#client.cfid#&cftoken=#client.cftoken#"), DE(""))>
    </cfif>
    </cflock>
    <!--- cfif --->
    As you can see I have cfapplication in the code and
    sessionmanagement has been set to yes. Any ideas? Thanks.

    Turns out the response from tech support at register.com says
    that I cannot use sessionmanagement. If I read their response
    correctly. I find that rather odd. I suppose they don't want to tie
    up their servers with extra memory.

  • Version migration, shared ssl, session variables

    I'm migrating a shopping cart application from Cold Fusion
    4.5 to a new server running MX 7, and have run into a weird problem
    transferring session variables.
    Basically, there's two sites running on one physical server.
    The catalog, and then the shared ssl checkout pages. I'll call them
    catalog.com and sharedssl.com.
    Under 4.5, if I passed CFID & CFTOKEN in a link from
    identically named applications on catalog.com to sharedssl.com, the
    session and all its associated variables would transition
    seamlessly forward. Under MX, this is no longer happening. The
    *very first page* on sharedssl.com (the one that was directly
    passed CFID & CFTOKEN) will have access to those variables, but
    any subsequent pages on sharedssl.com will just throw errors.
    Looking at the debugging info, it's obvious that under MX a
    new CFID and CFTOKEN are being assigned when the user goes to
    sharedssl.com, regardless of the session id that was passed on; as
    soon as the "old" CFID & CFTOKEN aren't being explicitly
    mentioned, the "new" ones take over, resulting in a completely
    blank session.
    Has anyone else experienced anything similar? Is there a
    simple fix?
    I have some ideas on how to make this work, but I'd really
    like to keep this projection a "migration," and not, ie., a
    "rewrite." I guess I'm wondering whether there's a configuration
    checkbox I'm unaware of, or perhaps some arcane option in
    cfapplication that will restore the old behavior.
    Thanks for any help,
    Tim

    On which page is the following code?
    After login, user is validated and set values to those session.variables:
    ........user validation codes here......................
    <cfif mylogin NEQ true>
          <cflocation url="/login/login.cfm">
          <cfabort>
    <cfelse>
          <cfset session.loggedin="Yes">
          <cfset session.username="#Trim(Form.username)#">
         <CFSET qUserRights = LoginObj.getUserRights('#Trim(Form.username)#')>
         <cfset session.userrights = qUserRights><!--- it's a query --->
        <CFSET qUserGroup = LoginObj.getUserGroup('#Trim(Form.username)#')>
            <cfloop query="qUserGroup">
               <cfset session.usergroup = user_group>
               <cfbreak>
            </cfloop>
        <!--- ****************** ???????????????????????????????????????????????????????????????????????????
        When I do cfdump in at this level, I can see that all of these session variables have been assigned to their values.
        But these session variables are not accessible from other pages. Other pages still show these session variable without its value.
        So, when I use these cfdumps in the index.cfm it is shown as they're not yet assigned with any values   ****************** --->
       <cfdump var="#session.loggedin#">
       <cfdump var="#session.username#">
       <cfdump var="#session.userrights#">
       <cfdump var="#session.usergroup#">
    </cfif>
