Content in frame always creates new session

I’m experiencing a weird situation… I’ve taken it down to a very simple example script:
I have the following code on site https://SITEA/frametest.cfm:

<frameset rows="300,*">
<frame src="frameContent.cfm">
<frame src="https://SITEB/frameContent.cfm">
</frameset>

That means that the upper frame content is served locally from SITEA; the lower frame content is served from another server, over https.

On both servers, there is the same frameContent.cfm; very simple like this:

<a href="frameContent.cfm">load again</a>
<cfdump var="#session#">
<cfdump var="#cookie.cfid#">

On the local server (top frame) the session is created once and then when I click on “load again” it’s always the same (session.sessionid). cookie.cfid always stays the same.

But… the lower content served from a remote server over https always creates a new session when clicking on “load again”. cookie.cfid keeps the same value as on the top frame.

Any ideas what’s going wrong? Why is a session created on every reload of the content, and only in the framed situation? When I call https://SITEB/frameContent.cfm directly in a browser tab, the session always stays the same; the problem occurs only when serving in frames…

Lucee-Version: 5.3.7.48

I’m pretty sure this is a CORS issue. Your browser won’t send any cookie (credentials) to SITEB when it’s loaded in a frame, thus SITEB will detect no cookies and always send new ones.

Update: sorry for not providing more information, but now I’m adding a link that might help you with your cookie issue:

https://blog.heroku.com/chrome-changes-samesite-cookie
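
The linked article is about Chrome's SameSite cookie changes. As an added example (not code from this thread or from Lucee), here is a simplified model of how a browser following those rules decides whether a session cookie is attached to a request from a cross-site frame. The host names, cookie values and function names are constructed for illustration.

```javascript
// Added example: a simplified model of Chrome's SameSite handling for a framed request.
// Hosts and cookie values are constructed. "Site" is approximated as the last two
// host labels; real browsers use the Public Suffix List.
const TOP_URL = 'https://sitea.example/frametest.cfm';
const FRAME_URL = 'https://siteb.example/frameContent.cfm';

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    // Unknown SameSite values fall back to the default (Lax).
    if (key === 'samesite' && ['strict', 'lax', 'none'].includes(val)) cookie.sameSite = val;
  }
  return cookie;
}

function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Decide whether a cookie set with `setCookie` would be attached to a request
// for `frameUrl` issued by a frame embedded in `topUrl`.
function sentInFrame(setCookie, topUrl, frameUrl) {
  const c = parseSetCookie(setCookie);
  if (c.secure && new URL(frameUrl).protocol !== 'https:') {
    return { sent: false, reason: 'Secure cookie, non-HTTPS request' };
  }
  if (siteOf(topUrl) === siteOf(frameUrl)) {
    return { sent: true, reason: 'same-site frame' };
  }
  if (c.sameSite !== 'none') {
    return { sent: false, reason: `SameSite=${c.sameSite} is withheld from cross-site frames` };
  }
  if (!c.secure) {
    return { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  return { sent: true, reason: 'SameSite=None; Secure' };
}

for (const header of ['cfid=1234; Path=/; HttpOnly', 'cfid=1234; Path=/; Secure; SameSite=None']) {
  console.log(header, '->', sentInFrame(header, TOP_URL, FRAME_URL));
}
```

Even with SameSite=None; Secure, a browser configured to block third-party cookies can still withhold the cookie in the frame.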