Without delving too deeply, I'd suggest removing your 'custom' session cookie handling and clear your cookies from your browser before continuing.
Keep this in mind, you will only have one jsessionid, but you may still have multiple coldfusion sessions aka scopes, this is defined by the cfapplication tag. Do your blogs each have their own application name, and therefor session scopes? That may be why people appear to be logged out, because you are bouncing between different session scopes. If you want to store the login state across multiple subdomains they must all share the same application name.
Btw, I'd strongly advise using an Application.cfc instead. It just makes the whole thing easier to manage (and debug perhaps).
Looking at the code you've provided I'm guessing you are not using cflogin, but rolling your own login mechanism, by storing the login state in session. Nothing wrong with that :)
A couple of other tips;
Use the onsessionstart method to log when a session really starts.
If you're invalidating the jsessionid cookie a new session will be created for each application. Probably not what you want :)
If you are passing the jsessionid across multiple coldfusion instances, you will need to setup session replication.
Sorry I have to run but I'll keep an eye out if you have follow up questions.
Sent from my iPhone
> You received this message because you are subscribed to the Google Groups "cfaussie" group.
> To post to this group, send email to cfau...@googlegroups.com.
> To unsubscribe from this group, send email to cfaussie+u...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en.
You've now got me wondering if my jsessionid's are domain cookies or not...
Sent from my iPhone
I don’t know if I’d call the jsessionid a “remnant” so much as a feature, and yes, of J2EE more than JRun itself. :-) As far as I can recall, one would have the same on Tomcat, WebLogic, etc. as (again, I think) it’s the J2EE spec way of doing session id cookies. (As most here may already know, CF uses that if one enables “j2ee sessions” in the CF Admin, to cause use of JRun’s underlying session mgt vs CF’s.)
In mentioning Railo, MrB, I’m curious if there’s something particular that you’re thinking of that differs. Or was this just more of a “maybe it’s different on Railo” kind of suggestion :-)
Great stuff on the jrun-web.xml config. I recall seeing that in the past but had forgotten about it myself.
I did a bit more investigationing :)
To recap, your problem is twofold;
1. You'll need session replication between CF instances
2. You need to force the jsessionid to be a domain cookie
Session replication can be annoying. But not impossible. You might need to consider running your login page in the same CF instance as the blogs (sub domains). Or re architect it so the login state is stored in the cookie scope instead of session. Or consider a single sign on mechanism. Or use Railo ;)
The jsessionid is an artifact of JRun (J2EE really), intercepting or rewriting it using CF will also be a bit hacky and problematic.
Instead you can force JRun to set a domain cookie, as follows;
Yep, sorry. They do mean about the same thing in my mind, but I should have been more accurate in my quote. :-)
As for storing sessions in other than memory, I’ll note as well that that is again something that the J2EE servers all offer. Even JRun has it, but it’s not exposed by CF. One could find the underlying xml entries to tell it also to store session data to files, for instance. Some J2EE servers also support storing them in a database. I think it may be precluded in the Server deployment but should be fully supported in the Multiserver deployment, since that’s pure JRun.
Anyway, not disagreeing that Railo may have something else that CF doesn’t (and to be clear, CF doesn’t expose alternative session storage in the interface). Was just curious what you were thinking of. Thanks.
I didn't say remnant I said artifact, maybe they mean the same thing :)