A couple of things: First, when you enable the J2EE session variables, ColdFusion does not use the CFToken or CFID cookie value. Second, from a security point of view, the JSESSIONID changing itself between secure/non-secure URLs is the correct behavior, because an attacker could steal the session id/cookie used in https if the same session id/cookie is used in http too. The simplest solution is to use one or the other URL, in other words, make everything secure or not secure.
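As an added example (not part of the original reply), this Python check flags the condition described above in a pair of responses: the same JSESSIONID value served on both http and https, or an https session cookie that lacks the Secure attribute. The function names, finding labels and sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for a session id shared across http and https.
# All header values below are constructed samples, not captured traffic.

def parse_session_cookie(header, name="JSESSIONID"):
    """Return (value, lowercased attribute names) if the header sets `name`, else None."""
    parts = [p.strip() for p in header.split(";")]
    key, _, value = parts[0].partition("=")
    if key.strip() != name:
        return None
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return value.strip(), attrs

def first_session_cookie(headers):
    """Pick the first JSESSIONID among a response's Set-Cookie header values."""
    for header in headers:
        parsed = parse_session_cookie(header)
        if parsed is not None:
            return parsed
    return None

def audit(http_set_cookies, https_set_cookies):
    """Compare the session cookies issued over http and https; return a list of findings."""
    findings = []
    plain = first_session_cookie(http_set_cookies)
    tls = first_session_cookie(https_set_cookies)
    if tls is not None and "secure" not in tls[1]:
        # Without Secure, the browser also sends the https session cookie over http.
        findings.append("missing-secure")
    if plain is not None and tls is not None and plain[0] == tls[0]:
        # The id protected by TLS is also exposed on the cleartext channel.
        findings.append("shared-id")
    return findings

# Constructed sample: separate ids per scheme, https cookie marked Secure.
SEPARATE = (["JSESSIONID=aaaa1111; Path=/; HttpOnly"],
            ["theme=dark; Path=/", "JSESSIONID=bbbb2222; Path=/; Secure; HttpOnly"])
# Constructed sample: one id reused on both schemes, no Secure attribute.
SHARED = (["JSESSIONID=cccc3333; Path=/; HttpOnly"],
          ["JSESSIONID=cccc3333; Path=/; HttpOnly"])

if __name__ == "__main__":
    print("separate:", audit(*SEPARATE))
    print("shared:  ", audit(*SHARED))
```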