pegarm

CFID and CFTOKEN changes for every page a user clicks
I have a website application set up with the following <CFAPPLICATION> parameters.

<CFAPPLICATION
     NAME="myApp"
     CLIENTMANAGEMENT="yes"
     SESSIONMANAGEMENT="yes"
     CLIENTSTORAGE="cookie"
     SETCLIENTCOOKIES="yes"
     SETDOMAINCOOKIES="yes"
     SESSIONTIMEOUT=#createtimespan(0, 0, 30, 0)#>

Every time a user clicks on a different page, they receive a new CFID and a new CFTOKEN value.  So every page is seen as a different user and none of the client tracking mechanisms work.  Can anyone explain why the CFID and CFTOKEN are changing on me?


pinaldave 🇮🇳

Hello Pegarm how are you sir?
I am too small to advise I will just try.
They change for everybody and that is how it works for security.
You may change your mechanism to detect the user.
Maybe using the session values... you may store the username or userid in the session and detect using it.
Regards,
---Pinal

pegarm (ASKER)

I know they're supposed to change for everybody, but the CFID and CFTOKEN are not supposed to change between page requests for the same user.  For example, if I come to the site and get a CFID of 100 and a CFTOKEN of 10000, when I change pages, MY cfid and cftoken shouldn't change.  If another user comes to the site, they should get 101 and 100001, but my CFID and CFTOKEN should remain the same.  That's how it uniquely identifies me as a user.

marcin_kom 🇨🇦

This is a behaviour you usually get if your browser is not accepting cookies.

Which browser are you using and what is your security configuration pertaining to cookies?


pegarm (ASKER)

All of the computers I am testing upon are running MSIE 6.0 on Windows XP Professional running Service Pack 2.

None of the computers are set to deny cookies.

Your CFID and CFTOKEN will change on every page if it can't be stored.  You said cookies are enabled, but where have you set your client or session storage to?  You can tell CF to store this info elsewhere and if that is failing the same effect will happen.

Can you post the application.cfm code?

marcin_kom 🇨🇦

Is the <CFAPPLICATION> the first thing you do in your application.cfm?  If not, what code is before it?


pegarm (ASKER)

The only other thing on the application.cfm are two <CFERROR> tags above the application.cfm.  (Don't ask me why they are above the <CFAPPLICATION> tag... I didn't write this code.  I inherited it, unfortunately. <<Comment Edited - mrichmon, Page Editor>>)

<CFERROR TYPE="request" TEMPLATE="errorrequest.cfm" MAILTO="[e-mail addresses omitted]">
<CFERROR TYPE="exception" TEMPLATE="errorexception.cfm" MAILTO="[e-mail addresses omitted]">

marcin_kom 🇨🇦

Ok, do this test:

- create a new directory
- in it create application.cfm as follows:
------------------------------------------------------------------------
<CFAPPLICATION
     NAME="myApp"
     CLIENTMANAGEMENT="yes"
     SESSIONMANAGEMENT="yes"
     CLIENTSTORAGE="cookie"
     SETCLIENTCOOKIES="yes"
     SETDOMAINCOOKIES="yes"
     SESSIONTIMEOUT=#createtimespan(0, 0, 30, 0)#>
------------------------------------------------------------------------

- create only one file as follows:
------------------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
Client:
<cfdump var="#client#" expand="yes" label="client">
<hr>
Session:
<cfdump var="#session#" expand="yes" label="session">

</body>
</html>
------------------------------------------------------------------------

Does reloading of the page cause CFID and CFTOKEN to change?

pegarm,

Can you post the code that is in the <cfapplication> tag - I am sure the answer is related to the settings.


pegarm (ASKER)

The entire Application.cfm file looks like this, as posted above:

============================================================
<CFERROR TYPE="request" TEMPLATE="errorrequest.cfm" MAILTO="[e-mail addresses omitted]">
<CFERROR TYPE="exception" TEMPLATE="errorexception.cfm" MAILTO="[e-mail addresses omitted]">

<CFAPPLICATION
     NAME="myApp"
     CLIENTMANAGEMENT="yes"
     SESSIONMANAGEMENT="yes"
     CLIENTSTORAGE="cookie"
     SETCLIENTCOOKIES="yes"
     SETDOMAINCOOKIES="yes"
     SESSIONTIMEOUT=#createtimespan(0, 0, 30, 0)#>
============================================================

I'm trying the test file that marcin_kom asked about above right now.  I'll post results as soon as I'm done.

pegarm (ASKER)

Strange things are afoot.  I've posted my test to http://www.greatstuff4gamblers.com/test/

Here's the summary:
* Client.CFID stays the same.
* Client.CFTOKEN stays the same.
* Client.URLToken changes every page request.
* Session.CFID changes every page request.
* Session.CFTOKEN changes every page request.
* Session.URLToken changes every page request.

marcin_kom 🇨🇦

Pegarm,

It seems that there is a bizarre way your server is handling cookies.  Only half of the cookies get set in the browser when viewing your page (i.e. two cookies), while when I put the page up on my server four cookies get set.  There is a difference also between the two servers in what the response header contains.

Compare the difference.  You can find the same test on my server at http://www.clubpolonia.com/_ee_/Q_21468895/test.cfm

Here is your header:
-----------------------------------------------
Connection: close
Date: Wed, 29 Jun 2005 06:22:40 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=299331;domain=.com;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/
CFTOKEN=45022843;domain=.com;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/
CFCLIENT_MYAPP=;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/
CFGLOBALS=urltoken%3DCFID%23%3D299331%26CFTOKEN%23%3D45022843%23lastvisit%3D%7Bts%20%272005%2D06%2D28%2023%3A22%3A40%27%7D%23timecreated%3D%7Bts%20%272005%2D06%2D28%2023%3A14%3A53%27%7D%23hitcount%3D19%23cftoken%3D20626378%23cfid%3D299271%23;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/
Content-Encoding: gzip
Vary: Accept-Encoding
Transfer-Encoding: chunked

200 OK
---------------------------------------

and here is mine:
---------------------------------------
Connection: close
Date: Wed, 29 Jun 2005 06:30:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFCLIENT_MYAPP=;expires=Fri, 22-Jun-2035 06:11:15 GMT;path=/
CFGLOBALS=urltoken%3DCFID%23%3D1471644%26CFTOKEN%23%3D57756293%23lastvisit%3D%7Bts%20%272005%2D06%2D29%2002%3A30%3A48%27%7D%23timecreated%3D%7Bts%20%272005%2D06%2D29%2002%3A30%3A37%27%7D%23hitcount%3D3%23cftoken%3D57756293%23cfid%3D1471644%23;expires=Fri, 22-Jun-2035 06:11:15 GMT;path=/
Content-Type: text/html; charset=UTF-8

200
------------------------------------------

Doing some more investigation, I think my server starts by setting two cookies using the first response header (not shown here), then redirects the browser to reload the page, and sets the remaining two cookies using the response header shown here.

Your server attempts to set all four cookies in a single header, but something about the way it does it results in the cookie being ignored by a browser.  I am only guessing that this may have to do with "domain=.com" portion of the 'Set-Cookie' directive.

Do you have access to your server's configuration, both ColdFusion and IIS?

Marcin

P.S. Firefox with the Web Developer Toolbar Extension is an awesome tool for getting at this type of information (in case you are not using it already)


pegarm (ASKER)

Okay... this is helping.  I understand that the headers are different, but what is it I'm doing that could be making the headers send differently?  It's a basic IIS install with almost all of the settings default.  Any ideas on why the headers coming from this server are so different?

pegarm (ASKER)

It's been almost three weeks... anyone have any ideas on this problem?  I'd love to get this fixed and off my plate.

ASKER CERTIFIED SOLUTION
marcin_kom 🇨🇦

[Answer text not shown: visible only to logged-in members.]

marcin_kom 🇨🇦

Oops... that's 'Ethereal' not 'Etheral'


marcin_kom 🇨🇦

pegarm,

If you want to dig deeper into this I'll be here to lend you a hand.  However, given the current situation you could always use Client.CFID and Client.CFTOKEN.

If you require URLTOKEN, you could always generate that manually from CFID and CFTOKEN as 'CFID='&Client.CFID&'&CFTOKEN='&Client.CFTOKEN

Marcin

pegarm (ASKER)

This worked.  I was able to set the IIS HTTP Header directives to match the domain being used, and the problems cleared up.

Thanks for the help!

marcin_kom 🇨🇦

I'm glad we finally resolved this one.

Cheers,
Marcin


I ran into a similar problem.

I'm running Windows 2003 Web Ed.
CFMX 7.01
Several development sites.

One site would always create new session variables for every reload of the page.

I found out that if I was using an address that included an underscore "_" in the URL the session would be recreated with each reload.

For example, when I had the address as:

client_dev.domain.com - causes the session to be recreated each reload unless you force it with URLTOKEN vars.

However,

clientdev.domain.com - will keep the same session values for every reload.

I don't know if this is related to your problems.  I think that I will avoid using underscores in domain names.

Incidentally, this problem only appeared in IE.  Firefox did not exhibit this problem.
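
The two causes discussed in this thread (a `domain=.com` attribute on the CFID/CFTOKEN cookies, and an underscore in the hostname) can both be checked offline from a captured response header. The following is an added example, not code from any poster in the thread: it applies the RFC 6265 domain-match rule to each `Set-Cookie` value, treats a dotless Domain as a public suffix (a simplification of the Public Suffix List check browsers perform), and flags underscore hostnames as reported in the last post. The function names and the corrected `.greatstuff4gamblers.com` value are assumptions made for illustration.

```python
# Added example: flag Set-Cookie Domain attributes a browser will refuse.
def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def domain_problem(host, domain_attr):
    """Return why a browser would ignore this Domain, or None if it is usable."""
    host = host.lower().rstrip(".")
    domain = domain_attr.lower().lstrip(".")  # RFC 6265 ignores a leading dot
    if not domain:
        return None  # empty Domain: the cookie is simply host-only
    if "." not in domain:
        # Simplification: real browsers consult the Public Suffix List.
        return "Domain is a bare top-level label (public suffix)"
    if host != domain and not host.endswith("." + domain):
        return "Domain does not domain-match the request host"
    return None

def audit(host, set_cookie_values):
    """Return [(cookie_name, reason)] for every cookie likely to be dropped."""
    findings = []
    if "_" in host:  # behaviour reported for IE by the last post in the thread
        findings.append(("<host>", "hostname contains an underscore"))
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        reason = domain_problem(host, attrs.get("domain", ""))
        if reason:
            findings.append((name, reason))
    return findings

# Set-Cookie values copied from the asker's header dump in the thread.
ASKER_HEADERS = [
    "CFID=299331;domain=.com;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/",
    "CFTOKEN=45022843;domain=.com;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/",
    "CFCLIENT_MYAPP=;expires=Fri, 22-Jun-2035 06:21:16 GMT;path=/",
]
# Constructed: the same cookie scoped to the site's own domain.
FIXED_HEADERS = ["CFID=299331;domain=.greatstuff4gamblers.com;path=/"]

if __name__ == "__main__":
    for name, reason in audit("www.greatstuff4gamblers.com", ASKER_HEADERS):
        print(f"{name}: {reason}")
```

Run against the asker's headers, it reports CFID and CFTOKEN and leaves the host-only CFCLIENT_MYAPP cookie alone, which matches the "only two of four cookies get set" observation above.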