Session issues after installing ColdFusion 9.01 update - OnRequestEnd behaviour change

Finally got to the bottom of a session problem we've been having with a heavily-trafficked live server since we installed the ColdFusion 9.01 update, Hotfix 1 (CHF1) for ColdFusion 9.0.1 and the hotfix for security bulletin APSB11-04. Essentially, users appeared to be losing session information in between requests.

Now, there is a known issue with the fix for APSB11-04, to do with the Session Fixation issue, so this part of the fix can be turned off using a JVM switch (see the technote above). But even after implementing this workaround, we were having an issue with some sessions (fewer, but still a lot) appearing to be lost.

It took quite a while to get to a solution, as we thought we were dealing with the problem noted above, but we finally nailed this down to a change in ColdFusion's behaviour after cflocation, and in fact our problem was not with the session scope but with the request scope. Ben Nadel has blogged about this change as a change from ColdFusion 8 to ColdFusion 9, but as far as we can see it is actually a change between 9 and 9.01.

Essentially, in versions prior to 9.01, the 'OnRequestEnd' method in application.cfc would not be called if a cflocation took place before the end of the request, i.e. a request with a cflocation in it would never actually 'end' - just the new request indicated in the cflocation would start. In ColdFusion 9.01, the OnRequestEnd method is always fired, whether you cflocation before it or not.

In our case the problem was caused by a cflocation to enforce the use of https on certain templates - if https was 'off', we would cflocation to a 'https' url. But we were setting a request variable that the OnRequestEnd method expected to exist *after* we did the cflocation. In the past, that didn't matter, as onRequestEnd never got fired. Now, all code after the cflocation is abandoned (as before), but onRequestEnd *does* fire. And it doesn't find the request variable it expects, and then errors. So the simple answer is...
if your onRequestEnd expects a variable to exist, make sure you either cfparam it in onRequestEnd, or set it before you do any cflocations. [If you dig far enough in the release notes for 9.01 you will find this mentioned as a 'fix' - but I personally would call it a change of behaviour rather than a 'fix'!]
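
Both fixes together in one Application.cfc, as an added example that is not the code from our site: the request variable is set before the https redirect, and onRequestEnd also cfparams it. The names `request.pageStart`, `exampleApp` and the `/secure/` path are assumptions, as is placing the redirect in onRequestStart rather than in the individual templates.

```cfml
<!--- Application.cfc: added example; request.pageStart, exampleApp and /secure/ are assumed names --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Fix 1: set everything onRequestEnd reads BEFORE any cflocation can run. --->
        <cfset request.pageStart = getTickCount()>

        <!--- Enforce https on protected templates. Code after the cflocation is
              abandoned, but on 9.01 onRequestEnd still fires for this request. --->
        <cfif findNoCase("/secure/", arguments.targetPage) AND cgi.https NEQ "on">
            <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestEnd" returntype="void" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Fix 2: defensive default, in case a redirect elsewhere (for example
              inside a template) ran before the variable was set. --->
        <cfparam name="request.pageStart" default="#getTickCount()#">

        <cfset local.elapsed = getTickCount() - request.pageStart>
        <cflog file="exampleApp" text="#arguments.targetPage# took #local.elapsed# ms">
    </cffunction>
</cfcomponent>
```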