That works for cfid and cftoken, thanks.  But it won't work for jsessionid,
because once that is selected in the administrator, it shows up as an
unsecure cookie, even if you have setclientcookies turned off.  That's a
bummer, I wanted to use jsessionids.

On Tue, Mar 6, 2012 at 1:59 PM, Cameron Childress <camer...@gmail.com> wrote:

>
> Yes. If it were me, I would turn "setClientCookies=false" in the
> Application.cfc|cfm and then set them manually using:
>
> <cfcookie name="cfid" value="#session.cfid#" secure=true/>
> <cfcookie name="cftoken" value="#session.cftoken#" secure=true/>
>
> If you google around a bit you can probably find some sample code for doing
> this.  If you are using JSessionIDs (not cfid/cftoken) you'll be just
> setting that cookie but I would expect it to work in that case as well.
>
> While you're at it you might also pop open Chrome debugging or the like and
> verify that those are the only cookies being sent, just to make sure you
> don't have something else that trips you up.
>
> -Cameron
>
> On Tue, Mar 6, 2012 at 1:47 PM, Robert Rhodes <rrhode...@gmail.com> wrote:
>
> >
> > Ok, I am going to try to make the site work all ssl.  I am concerned about
> > the video streaming over ssl, but I guess we will see how it goes.
> >
> > On a related subject:  is there a way to make the jsessionid cookie secure
> > without making the jrun change?  I ask because doing so affects all sites
> > on the server, and I had planned to run other sites on this particular
> > server.
> >
> > On Tue, Mar 6, 2012 at 12:59 PM, Cameron Childress <camer...@gmail.com> wrote:
> >
> > >
> > > On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes <rrhode...@gmail.com> wrote:
> > >
> > > > I hear you, but there are issues preventing me from going all https.  It's
> > > > a long story.
> > > >
> > > > Is there a way to copy, with some code in the application.cfm, the
> > > > jsessionid between http and https so we don't lose the session state?
> > > >
> > >
> > > You could make this work, but then you would be exactly where you currently
> > > are, and would again fail the PCI audit. I know you are looking for a
> > > "quick answer", but there isn't really a great easy option here. Many shops
> > > spend literally months getting compliant, so this code change really
> > > doesn't seem so huge in comparison, even though I know it feels like it is.
> > >
> > > Your best solution, in the long term as well as the short run, is to make
> > > the code changes and just spend the time and money on it so it's right.
> > >
> > > -Cameron
> > >
> > > --
> > > Cameron Childress
> > > --
> > > p:   678.637.5072
> > > im: cameroncf
> > > facebook <http://www.facebook.com/cameroncf> |
> > > twitter<http://twitter.com/cameronc> |
> > > google+ <https://profiles.google.com/u/0/117829379451708140985>
> > >
> > >
> > >
> >
> >
>
> 
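
The check suggested in the thread (confirm which session cookies the server actually sends and whether each one carries the Secure flag) can be scripted against captured response headers. This is an added example, not code from either poster; the header lines are constructed sample data and the function names `parse_set_cookie` and `audit` are hypothetical.

```python
# Constructed sample: response headers as they might look when cfid/cftoken
# are set manually with secure=true but JSESSIONID is still issued by the server.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=1234; Path=/; Secure",
    "Set-Cookie: CFTOKEN=56789012; Path=/; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=8430abcdef; Path=/",
    "Content-Type: text/html",
]

# Session identifiers discussed in the thread (compared case-insensitively).
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(line):
    """Return (cookie_name, set_of_lowercase_attribute_names), or None
    when the line is not a Set-Cookie header."""
    field, sep, value = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(header_lines, required=("secure",)):
    """Check every Set-Cookie header separately, so a second, unflagged copy
    of the same cookie is reported even if another copy is flagged correctly.
    Returns a list of (cookie_name, [missing attributes])."""
    findings = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        if name.lower() not in SESSION_COOKIES:
            continue
        missing = [a for a in required if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS, required=("secure", "httponly")):
        print(f"{name}: missing {', '.join(missing)}")
```
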

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350285