Been trying to figure this out for an hour now and I'm stymied. Simple site that allows employees to register. Typically the employer has a company-wide u/p for all employees to use to access the registration page, but the client also wanted a way to give an employee a link to auto-login to register.
Simple enough - created a page "r.cfm" that looks for URL.emid (encrypted employer ID) and URL.h (5-character hash as a check based on the decrypted employer ID). A full URL may look something like this:
https://www.domain.com/r.cfm?emid=22EBCA&h=F5DEA
r.cfm makes sure the correct URL vars are there, decrypts the emid, compares the check value and if all is correct sets some session vars as such:
<cflock scope="session" type="exclusive" timeout="10">
    <cfset SESSION.LOGGEDIN = TRUE/>
    <cfset SESSION.LOGIN.EMPLOYEE.COID = DecryptString(url.emid)/>
</cflock>
I then use CFHEADER 302 and CFHEADER location to send them on to the next page. Here's where it gets weird. On the next page I set up some test code to e-mail me a dump of the session.
If clicked directly in MS Word I get to the 2nd page (the one from the cfheader redirect - employeeRegister.cfm) and I get not one - but two e-mail dumps of the session. The first one shows logged in as true, but the 2nd one shows it as false with a different jsessionid.
If I take the exact same link and paste it into my browser, it works as expected - one e-mail with a session dump showing that session.loggedin is true.
There is nothing on employeeRegister.cfm that would initiate a page reload. It actually doesn't even check the session.loggedin var until the following page. employeeRegister.cfm is simply terms and conditions and a submit button to go to the next page, which is where the session vars are read and checked. It is literally a div with text and then a form tag with accept / decline.
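
One way to check whether the two session dumps come from the same HTTP client, shown as an added example that is not part of the original post: it scans request records for landing-page hits from one address that arrive seconds apart under different session IDs and reports the User-Agent of each. The pipe-separated log format, the field names and every sample value (including the User-Agent strings) are constructed assumptions; it presumes the application logs the session ID and User-Agent for each request.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the original post):
# time | client IP | path | session ID seen by the app | User-Agent
SAMPLE_LOG = """\
2024-05-01T10:00:00|203.0.113.7|/r.cfm?emid=22EBCA&h=F5DEA|AAA111|Mozilla/4.0 (compatible; ms-office)
2024-05-01T10:00:01|203.0.113.7|/employeeRegister.cfm|AAA111|Mozilla/4.0 (compatible; ms-office)
2024-05-01T10:00:02|203.0.113.7|/employeeRegister.cfm|BBB222|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2024-05-01T10:05:00|198.51.100.9|/r.cfm?emid=22EBCA&h=F5DEA|CCC333|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2024-05-01T10:05:01|198.51.100.9|/employeeRegister.cfm|CCC333|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
"""

def parse(log_text):
    """Yield one dict per non-empty log line; the query string is dropped from the path."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, session, agent = line.split("|", 4)
        yield {"ts": datetime.fromisoformat(ts), "ip": ip,
               "path": path.split("?")[0], "session": session, "agent": agent}

def find_session_splits(log_text, landing="/employeeRegister.cfm", window_s=5):
    """Report consecutive landing-page hits from one IP, at most window_s
    seconds apart, that were served under different session IDs."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["path"] == landing:
            hits[rec["ip"]].append(rec)
    findings = []
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        for first, second in zip(recs, recs[1:]):
            gap = (second["ts"] - first["ts"]).total_seconds()
            if gap <= window_s and first["session"] != second["session"]:
                findings.append({
                    "ip": ip,
                    "sessions": (first["session"], second["session"]),
                    "agents": (first["agent"], second["agent"]),
                    # False means two different programs requested the page
                    "same_client": first["agent"] == second["agent"],
                })
    return findings

if __name__ == "__main__":
    for finding in find_session_splits(SAMPLE_LOG):
        print(finding)
```

A finding with `same_client` set to false means the second request came from a different program that never received the first session's cookie, so the page itself did not reload.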