Title:
[ANeff] Bug for: CF9 vs CF10 wrt jsessionid in query string (maintained vs broken sessions)
| View in TrackerStatus/Resolution/Reason: Closed/Withdrawn/AsDesigned
Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)
Created: 10/24/2012
Components: Core Runtime, Session Management
Versions: 10.0
Failure Type:
Found In Build/Fixed In Build: Final /
Priority/Frequency: Major / Some users will encounter
Locale/System: English / Win All
Vote Count: 0
CF9 honors jsessionid in the query string (ex: ?jsessionid=x and &jsessionid=x). CF10 does not.
Repro (do this in CF9 and CF10 to compare):
1) enable verbose connector logging
1a) in CF9, open C:\ColdFusion9\runtime\lib\wsconfig\1\jrun_iis6_wildcard.ini and change "verbose=false" to "verbose=true"
1b) in CF10, C:\ColdFusion10\config\wsconfig\1\isapi_redirect.properties and change "log_level= info" to "log_level= debug"
2) disable cookies in browser and enable J2EE sessions in CF Admin
3) create index.cfm with: <cfoutput><p><a href="./?#SESSION.urlToken#">my link</a></p></cfoutput><cfdump var="#SESSION#" />
4) run index.cfm, click "my link"
5) open isapi_redirect.log
5a) in CF9, open most recent file in C:\ColdFusion9\runtime\lib\wsconfig\1\LogFiles
5b) in CF10, open C:\ColdFusion10\config\wsconfig\1\isapi_redirect.log
Actual Result: CF9 maintains session. CF10 does not (CF10's isapi_redirect.dll never parsed the session identifier using '&' and thus set a new jsessionid cookie).
Expected Result: CF10 should also maintain the session.
Even tho J2EE servlet spec specifies ";jsessionid=x" format, this is a backward-compat issue w/ previous versions of CF.
Most users will not know this and will be confused when their code (which maintained sessions in CF9) no longer maintains sessions in CF10.
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3352078
External Customer Info:
External Company:
External Customer Name: itisdesign
External Customer Email:Attachments:
Comments: