So... I'm generating a pdf file using cfdocument that includes a link into our website that will only work if the user is logged in, otherwise they get redirected to the login page. If I open the pdf in adobe acrobat and am logged into the website then the link works fine. If I open the pdf in a browser (Chrome, Firefox and Brave were tested) and am logged into the website in the same browser then: --- If I copy the link from the pdf into a new tab the link works fine, but --- If I click the link directly in the browser tab (or right-click and open in new tab) then my session is not found, OnSessionStart is triggered and as I have a new sessionId I get logged out. So the link works in two of the three ways it can be used to access the page. But what is going on with the 'in-browser' click that it triggers a new session?

Have you watched the network traffic in dev tools? Sounds to me like the failing one ain't sending the session cookies... (how to fix? No idea)

The cookie doesn't get sent as such, does it? The cookie is already in the browser and Lucee automagically looks it up (I thought) with reference to the application and session settings. But somehow that lookup is failing when the PDF is open in the browser and the link is clicked directly...

Lucee doesn't know anything about "browsers". It talks to a web server that says "service this request (btw, these headers, params, cookies were also sent... in case you care...)" and that's it. At no point does Lucee talk to the browser. And in a standard web request scenario, all the web server has to go on is what the browser tells it. Also the web server doesn't "look up" anything on the browser. It receives a request from the browser, and returns a response. That's it.

thanks... yeah, that makes more sense... the source of the URL being in a PDF rather than html must not be passing the correct headers etc...

well the "(or right-click and open in new tab)" version is a bit weird though. If you had already logged-in to the site in that browser, then it should be passing the cookies when the request is made. I don't see that the link being from a PDF would make any difference there. Still: check in dev tools and find out. There's no need to speculate...