We've been having a problem with session loss when using J2EE session management in CF, ever since we upgraded to version 10. It appears as though CF is doing the following:
1. If the session begins over http, the cookie is set as secure=no
2. If the session begins over https, the cookie is set as secure=yes
This is a problem, because if #2 happens, and a user then transfers to an http page, they will lose their session (because the browser can no longer read the secure cookie). At that point, they get handed a new, non-secure cookie and they have to start their session over again.
We've searched around but are unable to find any way to change this behavior. Is there something we're missing? How do we get it to stop automatically setting secure cookies?
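The session loss described above follows from how browsers scope a cookie carrying the Secure attribute (RFC 6265 §5.4): it is stored normally but only attached to requests over https, so an http request arrives with no session cookie and the server mints a fresh session. The following added example (not code from the original post or from ColdFusion) simulates that rule with a minimal browser cookie store and a toy server that, as the post describes, sets Secure only when the session was started over https. The cookie name JSESSIONID, the example.test host and the random session ids are constructed for the simulation.

```python
"""Simulate why a session started over https is lost on the first http page
when the session cookie was issued with the Secure attribute."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


@dataclass
class BrowserJar:
    """Minimal cookie store: a cookie flagged Secure is kept, but it is only
    sent with requests whose scheme is https (RFC 6265 section 5.4)."""
    cookies: dict = field(default_factory=dict)

    def store(self, cookie: Cookie) -> None:
        self.cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> dict:
        scheme = urlsplit(url).scheme
        return {c.name: c.value for c in self.cookies.values()
                if not c.secure or scheme == "https"}


class SessionServer:
    """Toy model of the behaviour in the post: when no known session cookie
    is presented a new session is created, and the cookie's Secure flag is
    copied from the scheme of the request that started the session."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def handle(self, url: str, cookies: dict):
        sid = cookies.get("JSESSIONID")  # cookie name is an assumption
        if sid in self.sessions:
            return sid, None  # existing session, no Set-Cookie needed
        sid = secrets.token_hex(8)  # constructed session id
        self.sessions[sid] = {}
        secure = urlsplit(url).scheme == "https"
        return sid, Cookie("JSESSIONID", sid, secure)


def simulate(urls):
    """Drive one browser through a sequence of page loads and return the
    session id the server associated with each request."""
    server = SessionServer()
    jar = BrowserJar()
    seen = []
    for url in urls:
        sid, new_cookie = server.handle(url, jar.cookies_for(url))
        if new_cookie is not None:
            jar.store(new_cookie)
        seen.append(sid)
    return seen


def distinct_sessions(urls) -> int:
    """Number of separate sessions the server created for one browser."""
    return len(set(simulate(urls)))


if __name__ == "__main__":
    # Case #2 from the post: session starts over https, then an http page.
    print(distinct_sessions(["https://example.test/login",
                             "http://example.test/home"]))   # 2 (session lost)
    # Case #1: session starts over http; the non-Secure cookie is sent to
    # both schemes, so the session survives the switch back to http.
    print(distinct_sessions(["http://example.test/home",
                             "https://example.test/login",
                             "http://example.test/home"]))   # 1
    # Every request over https: the Secure cookie is always sent.
    print(distinct_sessions(["https://example.test/login",
                             "https://example.test/home"]))  # 1
```

The simulation shows that the cookie is never deleted; the browser simply withholds it from the http request, and the server cannot tell that apart from a new visitor. It also shows the two conditions under which the session survives: the cookie was issued without Secure (so the session id travels over cleartext as well), or every request after login stays on https.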