I know many people have had similar issues and I have read countless posts on this issue, yet I cannot find a solution. I apologize in advance if I don't fully explain myself properly, this has been a long, frustrating road.
I have a ColdFusion9 application running on IIS7 with the following settings in applicaiton.cfc:
<cfset this.name = "xxx">
<cfset this.sessionManagement = true>
<cfset this.applicationTimeout = createTimeSpan(1,0,0,0)>
<cfset this.sessionTimeout = createTimeSpan(0,4,0,0)>
<cfset this.setClientCookies = false>
<cfset this.setDomainCookies = false>
<cfset this.clientManagement = false>
<cfset this.scriptProtect = true>
As you can see, session management is enabled, client management and cookies are disabled. Additionally, I am using J2EE session vars on my server.
In the past I did use client cookies, however, since I believe IE 8, customers started complaining about loosing sessions. So, after much reading and testing, I disabled client cookies and wrapped all of my href and form tags in URLSessionFormat and set addToken in my cflocations to YES.
I still have random users with IE that cannot maintain a session; instead getting bumped back to a login screen with each request.
As I am receiving these complaints third-party via my client, I am very limited in attempting to debug a client's setup. But, one thing I can confirm is that the client does not see the session appended to their URL string. This leads me to believe that URLSessionFormat is assuming that the user's browser will stability accept cookies.
One additional note, the entire application is running on one HTTPS domain: xxx.domain.com. I have read about similar experiences where users had links with multiple hosts: ie, xxx.domain.com and domain.com. This is not the case here.
Again, forgive me if I have not provided enough information!