On Mon, May 19, 2014 at 9:45 AM, brad f <b...@ciswired.com> wrote:
>
> Not sure what I am missing here. We are running Coldfusion 9.0.2 in a clustered environment. I added the -Dcoldfusion.sessioncookie.httponly=true to the jvm.config file. I restart the coldfusion instances. Run an application scan and it still says they are not httponly.
I think that setting only applies to CFID/CFTOKEN cookies, not the jsessionid cookie. You can try this trick: http://www.petefreitag.com/item/740.cfm or use your web server to append httponly to the cookies for you.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
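As an added example (not code from the thread or from Pete Freitag's article), the check an application scanner performs on Set-Cookie headers and the idempotent HttpOnly append a web-server rewrite rule would apply, run over constructed headers in which the JVM flag has covered CFID/CFTOKEN but JSESSIONID is still missing the flag:

```python
"""Find Set-Cookie headers lacking HttpOnly and add the flag where missing.

Constructed example: the sample headers below are made up to match the
situation in the thread (CFID/CFTOKEN fixed, JSESSIONID not).
"""
from typing import List

# Constructed Set-Cookie headers as a scanner might capture them from
# a ColdFusion 9 response after -Dcoldfusion.sessioncookie.httponly=true.
SAMPLE_SET_COOKIE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890; Path=/; HttpOnly",
    "JSESSIONID=8430a1b2c3d4e5f6; Path=/",
]


def _attributes(header: str) -> List[str]:
    # Attributes follow the name=value pair, separated by ';'.
    return [p.strip() for p in header.split(";")[1:] if p.strip()]


def cookie_name(header: str) -> str:
    return header.split(";", 1)[0].split("=", 1)[0].strip()


def has_httponly(header: str) -> bool:
    # Cookie attribute names are case-insensitive (RFC 6265).
    return any(a.lower() == "httponly" for a in _attributes(header))


def missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies a scanner would flag, in header order."""
    return [cookie_name(h) for h in headers if not has_httponly(h)]


def append_httponly(header: str) -> str:
    """Append HttpOnly exactly once, as a web-server header rewrite
    (e.g. Apache mod_headers 'Header edit Set-Cookie ...') would do,
    without duplicating the flag on cookies that already carry it."""
    if has_httponly(header):
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


def harden(headers: List[str]) -> List[str]:
    return [append_httponly(h) for h in headers]


if __name__ == "__main__":
    print("flagged:", missing_httponly(SAMPLE_SET_COOKIE_HEADERS))
    print("after rewrite:", missing_httponly(harden(SAMPLE_SET_COOKIE_HEADERS)))
```

Note that appending the flag at the web server fixes the header the browser sees, but the JSESSIONID cookie is still issued by the servlet container; the Java-side fix is what the linked article addresses.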