With the recent Security Hot-Fix for ColdFusion, an important vulnerability is fixed: Session Fixation.
Previous behavior without the Hot-Fix: one could create a ColdFusion session with a self-provided CFID and CFTOKEN and then mail a victim customer a URL containing those tokens. Both parties would then share the same session.
Earlier, if one had two different Applications in sub directories, the ColdFusion session tokens were the same for both applications, so both worked fine within the same browser.
After applying the hot-fix, if you want to support such different Applications in sub directories, set the session cookies with a Domain and Path.
Example:
For the second application in a sub directory, do this in OnSessionStart:
<!--- Interpolate the session values with #...#; a bare SESSION.CFID would set the literal string as the cookie value --->
<cfcookie name="CFID" value="#SESSION.CFID#" path="/subdir">
<cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" path="/subdir">
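To make the difference between the two behaviors concrete, here is an added Python model (not ColdFusion's code, and not from the original post) of a server-side session store: with accept_unknown=True any client-presented CFID/CFTOKEN pair becomes a live session (the pre-hot-fix behavior), while with accept_unknown=False unknown pairs are ignored and a fresh pair is issued, so a pre-chosen pair in a mailed URL is never shared. The SessionStore, resolve and set_cookie_headers names and the sample token values are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed model of a server-side store keyed by (CFID, CFTOKEN)."""
    sessions: dict = field(default_factory=dict)

    def create(self):
        # Server-generated identifiers: unguessable, never taken from the request
        cfid = str(secrets.randbelow(10**9))
        cftoken = secrets.token_hex(16)
        self.sessions[(cfid, cftoken)] = {}
        return cfid, cftoken

    def resolve(self, cfid, cftoken, accept_unknown):
        """Return the (CFID, CFTOKEN) the server will actually use for a request.

        accept_unknown=True models the pre-hot-fix behavior: a pair the client
        presents is adopted as a session even if the server never issued it.
        accept_unknown=False models the fixed behavior: only pairs the server
        issued are honored; anything else gets a fresh server-generated pair.
        """
        if cfid is not None and (cfid, cftoken) in self.sessions:
            return cfid, cftoken
        if accept_unknown and cfid is not None:
            self.sessions[(cfid, cftoken)] = {}
            return cfid, cftoken
        return self.create()


def set_cookie_headers(cfid, cftoken, path="/"):
    """Set-Cookie values scoped with Path, as in the <cfcookie path="/subdir"> example."""
    return [f"CFID={cfid}; Path={path}", f"CFTOKEN={cftoken}; Path={path}"]


def shares_session_with_presented_pair(accept_unknown):
    """True if two requests carrying the same pre-chosen pair end up in one session."""
    store = SessionStore()
    presented = ("1234", "deadbeef")  # constructed pair embedded in a URL
    first = store.resolve(*presented, accept_unknown=accept_unknown)
    second = store.resolve(*presented, accept_unknown=accept_unknown)
    return first == second
```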
Hope this was helpful.