Hi Robert,

You are caught in a bit of a catch-22 here. If you want to set the secure attribute on session cookies delivered over SSL, but also have it use the same cookie values over non-SSL, then that defeats the purpose of adding the secure attribute. If you want to do that you can't use the secure attribute on the cookies.

The secure attribute says only send this cookie over SSL, so when you make a request to a non-SSL URL the browser will not send the cookie; this causes ColdFusion to issue a new session.

The best solution is to run all on SSL as Cameron suggested. Here's a good read on the performance of SSL and TLS: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html (the main point being that SSL is not as computationally expensive as you may think).

If that's not going to fly then you need to build something to share data between the sessions, while making sure that the non-SSL data is not privileged. It can get complicated to ensure that you're not opening yourself up to security issues over non-SSL.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes <rrhode...@gmail.com> wrote:
>
> So a site that I built failed PCI compliance testing because the jsessionid
> cookie is not set securely.
>
> I found this post
> <http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/>
> that shows how to force JRun to always set the session cookies securely,
> but the user loses their session state when they move between secure and
> non-secure pages (the jsessionid is different for secure pages). This is
> obviously a big problem, since we can't have the entire user session
> running under SSL. Any ideas on how to get the jsessionid to be the same
> on secure and non-secure pages? I am a little lost here.
>
> I am running cf9.01, with the app set to sessionmanagement="yes" and
> setclientcookies="no". In the administrator, I have Cookie set as my
> default client storage mechanism, and J2EE session variables
> enabled. I also have use UUID for cftoken enabled, but since I have
> setclientcookies set to no, I don't think that matters.
>
> *-RR*
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350275
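Pete's point that a Secure cookie is simply never sent to a non-SSL URL, and Robert's observation that the session changes as a user crosses between secure and non-secure pages, can be reproduced with a small model. The following is an added example, not code from this thread and not ColdFusion or JRun code: Python's standard-library cookie jar stands in for the browser's handling of the Secure attribute, and a constructed FakeSessionServer mimics an app server that reuses the JSESSIONID it receives and otherwise issues a fresh one. The host shop.example, the session ids and the Set-Cookie attributes are constructed.

```python
"""Model of why a Secure JSESSIONID is lost on non-SSL pages.

Added example, not part of the original cf-talk thread. The CookieJar
below is a stand-in for the browser; FakeSessionServer is a stand-in
for the app server (constructed, not JRun/ColdFusion behaviour code).
"""
import http.cookiejar
import itertools
import urllib.request
from http.client import HTTPMessage

SESSION_COOKIE = "JSESSIONID"   # name of the J2EE session cookie


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_header):
        self._headers = HTTPMessage()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


class FakeSessionServer:
    """Reuses the session named in the Cookie header, otherwise issues a
    new one. secure_flag models "force JRun to set the cookie securely"."""

    def __init__(self, secure_flag):
        self.secure_flag = secure_flag
        self._ids = (f"SESSION{n:03d}" for n in itertools.count(1))

    def handle(self, request):
        cookie_header = request.get_header("Cookie", "")
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == SESSION_COOKIE and value:
                return value, None          # existing session, no Set-Cookie
        sid = next(self._ids)
        attrs = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
        if self.secure_flag:
            attrs += "; Secure"             # browser must not send it over http
        return sid, FakeResponse(attrs)


def browse(urls, secure_flag):
    """Visit each URL in order with one cookie jar; return the session id
    the server saw (or issued) on each visit."""
    jar = http.cookiejar.CookieJar()
    server = FakeSessionServer(secure_flag)
    seen = []
    for url in urls:
        req = urllib.request.Request(url)
        # The jar applies the Secure rule here: a Secure cookie is attached
        # only when req.type is "https".
        jar.add_cookie_header(req)
        sid, resp = server.handle(req)
        if resp is not None:
            jar.extract_cookies(resp, req)  # store the freshly issued cookie
        seen.append(sid)
    return seen


if __name__ == "__main__":
    mixed = ["https://shop.example/account",
             "http://shop.example/catalog",
             "https://shop.example/cart"]
    all_tls = ["https://shop.example/account", "https://shop.example/cart"]
    print("no Secure flag, mixed pages:", browse(mixed, secure_flag=False))
    print("Secure flag, mixed pages:   ", browse(mixed, secure_flag=True))
    print("Secure flag, all SSL:       ", browse(all_tls, secure_flag=True))
```

Without the Secure flag the mixed-scheme visit keeps one session, which is exactly the id exposure the PCI scan flagged. With the flag set, the http visit carries no cookie, so the server starts a second session and the user's state from the first page is gone. Running every page over SSL, Pete's recommended fix, keeps a single session with the flag set. One caveat on the model: the standard-library jar accepts a Secure cookie that arrives on a plain-http response, which current browsers refuse, so the third id in the mixed-scheme run is a property of the stand-in rather than of a real browser.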