I hear you, but there are issues preventing me from going all https. It's a long story.
Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the session state?

-rr

On Tue, Mar 6, 2012 at 11:24 AM, Pete Freitag <p...@foundeo.com> wrote:

> Hi Robert,
>
> You are caught in a bit of a catch 22 here. If you want to set the secure
> attribute on session cookies delivered over SSL, but also have it use the
> same cookie values over non-ssl - then that defeats the purpose of adding
> the secure attribute. If you want to do that you can't use the secure
> attribute on the cookies.
>
> The secure attribute says only send this cookie over SSL, so when you make
> a request to a non-ssl url the browser will not send the cookie, this
> causes ColdFusion to issue a new session.
>
> The best solution is to run all on SSL as Cameron suggested, here's a good
> read on the performance of SSL and TLS:
> http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html the main
> point being that SSL is not as computationally expensive as you may think.
>
> If that's not going to fly then you need to build something to share data
> between the sessions, while making sure that the non-ssl data is not
> privileged - it can get complicated to ensure that you're not opening
> yourself up to security issues over non-ssl.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
> On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes <rrhode...@gmail.com> wrote:
>
> > So a site that I built failed PCI compliance testing because the
> > jsessionid cookie is not set securely.
> >
> > I found this post
> > <http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/>
> > that shows how to force jrun to always set the session cookies securely,
> > but the user loses their session state when they move between secure and
> > non-secure pages (the jsessionid is different for secure pages). This is
> > obviously a big problem, since we can't have the entire user session
> > running under ssl. Any ideas on how to get the jsessionid to be the same
> > on secure and non-secure pages? I am a little lost here.
> >
> > I am running cf9.01, with the app set to sessionmanagement="yes" and
> > setclientcookies="no". In the administrator, I have Cookie set as my
> > default client storage mechanism, and J2EE session variables
> > enabled. I also have use UUID for cftoken enabled, but since I have
> > setclientcookies set to no, I don't think that matters.
> >
> > -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350277
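The catch 22 Pete describes (a Secure-flagged JSESSIONID is withheld by the browser on plain-http requests, so the server mints a fresh session, while a non-Secure cookie keeps the session but travels in the clear) can be reproduced offline with Python's standard-library cookie jar standing in for the browser. This is an added example written for this thread, not code from the list, from ColdFusion or from JRun; the host name, page names and session ids are constructed, and `FakeServer` is a hypothetical stand-in for the J2EE session layer (it issues a new id whenever no JSESSIONID arrives, which is the behaviour Pete attributes to ColdFusion).

```python
"""Simulate session continuity across http/https for a JSESSIONID cookie
with and without the Secure attribute.  Added example; the cookie jar is
the browser, FakeServer is a hypothetical stand-in for the app server."""
import itertools
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "shop.example.test"   # constructed host name, not from the thread


def make_session_cookie(value: str, secure: bool) -> Cookie:
    """Build a JSESSIONID cookie as the server would set it (version-0,
    session-scoped, path "/"), with or without the Secure attribute."""
    return Cookie(
        version=0, name="JSESSIONID", value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


class FakeServer:
    """Hypothetical app server: continue the session named in the Cookie
    header, or issue a new session id when none arrives."""

    def __init__(self, secure_cookie: bool):
        self.secure_cookie = secure_cookie
        self._ids = (f"SID{n}" for n in itertools.count(1))  # constructed ids

    def handle(self, request: Request, jar: CookieJar) -> str:
        header = request.get_header("Cookie", "")
        if "JSESSIONID=" in header:
            return header.split("JSESSIONID=")[1].split(";")[0]
        sid = next(self._ids)
        # Server sets the cookie; the jar stores it exactly as a browser would,
        # replacing any earlier cookie with the same domain/path/name.
        jar.set_cookie(make_session_cookie(sid, self.secure_cookie))
        return sid


def browse(secure_cookie: bool, urls):
    """Visit the URLs in order with one cookie jar.  Returns the session id
    the server saw on each request and whether the session id was ever
    attached to a plain-http request (i.e. sent in the clear)."""
    jar = CookieJar()
    server = FakeServer(secure_cookie)
    seen, sent_in_clear = [], False
    for url in urls:
        req = Request(url)
        jar.add_cookie_header(req)   # jar applies the Secure rule per scheme
        if req.has_header("Cookie") and req.type == "http":
            sent_in_clear = True
        seen.append(server.handle(req, jar))
    return seen, sent_in_clear


# Constructed navigation: log in over https, browse a catalog page over
# http, then return to an https checkout page.
NAV = [
    f"https://{HOST}/login.cfm",
    f"http://{HOST}/catalog.cfm",
    f"https://{HOST}/checkout.cfm",
]

if __name__ == "__main__":
    for secure in (True, False):
        ids, leaked = browse(secure, NAV)
        print(f"Secure={secure!s:5}  sessions seen={ids}  sent over http={leaked}")
```

With `Secure=True` the login happens under one session id and the checkout under a different one, because the browser dropped the cookie on the http hop and the server started over; with `Secure=False` the id is stable across all three pages but was attached to the plain-http request, which is exactly what the PCI scan objects to. There is no setting of the cookie alone that gives both properties, which is why Pete's answer is either all-SSL or a deliberately designed, non-privileged bridge between the two sessions.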