We are failing our security scan because of unsecured cookies. We already use JSESSIONID (setClientCookies = false), so we are going to implement the solution of setting the cookies via CFHEADER, where we can set HttpOnly in all cases and Secure if the request is over SSL.

That is all fine and dandy, except that the very first request for a session ignores the CFHEADER; the JSESSIONID cookie is not Secure and not HttpOnly until the second request, when this is corrected, so there is still a window for the exploit. Have other folks found this?

My solution is to have a cflocation in onSessionStart to create an artificial second request server side; however, it seems rather clunky. Just wondering if anyone has a better solution?

-- Mike T
Blog http://www.socialpoints.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320851
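The approach described in the post above (CFHEADER Set-Cookie with HttpOnly always and Secure only over SSL, plus a cflocation in onSessionStart to force the "second request"), written out as an added Application.cfc example. This is not the poster's code or anything from the list; it assumes J2EE session management is on (setClientCookies = false) so that session.sessionid holds the JSESSIONID value, that cgi.server_port_secure is truthy for SSL requests, and the hypothetical application name "myApp".

```cfml
<!--- Application.cfc: added example, not from the original post.
      Assumes J2EE sessions (setClientCookies = false), so session.sessionid
      is the JSESSIONID value the servlet container issued. --->
<cfcomponent output="false">
    <cfset this.name = "myApp">   <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <cfset this.setClientCookies = false>

    <!--- Re-issue the container's session cookie with the flags we want.
          HttpOnly is always set; Secure only when the request is over SSL,
          otherwise the browser would never send the cookie back over http. --->
    <cffunction name="setSessionCookie" access="private" returntype="void" output="false">
        <cfset var flags = "; Path=/; HttpOnly">
        <cfif cgi.server_port_secure>
            <cfset flags = flags & "; Secure">
        </cfif>
        <cfheader name="Set-Cookie" value="JSESSIONID=#session.sessionid##flags#">
    </cffunction>

    <!--- First request of a new session: send the flagged cookie and bounce the
          browser back to the same URL so the very next request (the one where the
          CFHEADER version is honoured) happens immediately, closing the window. --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset var target = cgi.script_name>
        <cfif len(cgi.query_string)>
            <cfset target = target & "?" & cgi.query_string>
        </cfif>
        <cfset setSessionCookie()>
        <cflocation url="#target#" addtoken="false">
    </cffunction>

    <!--- Every later request: keep re-sending the cookie with HttpOnly/Secure. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset setSessionCookie()>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two caveats a practitioner should check before shipping this: the redirect in onSessionStart turns a POST into a GET, so a form submitted as the first request of a session loses its body; and if the browser refuses cookies entirely, every request starts a new session and the cflocation becomes an infinite redirect loop, so a loop guard (for example, a marker in the query string or a redirect counter) is worth adding.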