Using a CFLOCATION with tokens breaks sessions when used on a different website on the same server
We host a web application which has multiple installations (multiple domains names) on the same server, it is all hosted by the same Cold Fusion Application Server instance.
Over time we have added features which let clients with multiple domains log in to both of them using a ‘passthrough key’: they click one button and are passed automatically to the next site, which looks up a secret key in the database, confirms that less than a second has elapsed, and automatically sets up the user’s session. (This portion is vague because the exact procedure we went through doesn’t really matter.)
The issue comes up when we use a <CFLOCATION> tag to send the user from Domain A to Domain B. If we do not specify addtoken=false, then CFID=xxxx&CFTOKEN=xxxx are appended to the URL. The problem is that the session from Domain A is used for that first transfer page request, but any subsequent page requests (which do not carry the CFID and CFTOKEN) use the CFID/CFTOKEN already set up for Domain B. When this happens, the session you set up during the transfer page request is gone.
Long story short, specify ADDTOKEN=false at the end of the CFLOCATION when moving from one domain to another.
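The two halves of the handoff in working form, as an added example rather than the post’s own code: the file names, the passthrough_keys table, the app datasource and the session.userId/session.loggedIn fields are assumptions, and the broken redirect is kept as a comment beside the fixed one.

```cfml
<!--- Domain A: handoff.cfm (hypothetical file name) --->
<!--- Issue a single-use passthrough key tied to the logged-in user and record when it was created --->
<cfset passKey = createUUID()>
<cfquery datasource="app">
    INSERT INTO passthrough_keys (passkey, user_id, created_at)
    VALUES (
        <cfqueryparam value="#passKey#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    )
</cfquery>

<!--- BROKEN: addtoken defaults to true, so Domain A's CFID/CFTOKEN ride along on the URL.
      Domain B serves the transfer request under Domain A's session, and the next request
      (without those URL parameters) falls back to Domain B's own session, losing what was
      set up. The identifiers also end up in Domain B's access logs. --->
<!--- <cflocation url="https://domain-b.example/passthrough.cfm?key=#passKey#"> --->

<!--- FIXED: send only the passthrough key; Domain B keeps its own session throughout --->
<cflocation url="https://domain-b.example/passthrough.cfm?key=#passKey#" addtoken="false">


<!--- Domain B: passthrough.cfm (hypothetical file name) --->
<cfparam name="url.key" default="">
<cfquery name="q" datasource="app">
    SELECT user_id, created_at FROM passthrough_keys
    WHERE passkey = <cfqueryparam value="#url.key#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Accept the key only if it exists and was issued less than a second ago --->
<cfif q.recordCount EQ 1 AND dateDiff("s", q.created_at, now()) LT 1>
    <!--- Delete the key so the same link cannot be used a second time --->
    <cfquery datasource="app">
        DELETE FROM passthrough_keys
        WHERE passkey = <cfqueryparam value="#url.key#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <!--- These writes now land in Domain B's own session, which later requests also use --->
    <cfset session.userId = q.user_id>
    <cfset session.loggedIn = true>
    <cflocation url="/home.cfm" addtoken="false">
<cfelse>
    <cflocation url="/login.cfm" addtoken="false">
</cfif>
```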