Peter Boughton
Reputation: 112210
Setting Secure cookies when HTTPS (for mixed HTTPS/HTTP site) with JRun/ColdFusion
We have a site running on CF7 that has both logged in and logged out sections, and uses jsessionid for sessions.
When switching to HTTPS (for the secure sections), we need to start a new secure session, setting the 'Secure' flag on the jsessionid cookie.
Whilst JRun has an option for setting 'Secure' it appears to be an all-or-nothing deal.
Is there a way to always use Secure when in HTTPS mode?
Related Question: Setting HttpOnly flag for all cookies.
Upvotes: 2
Views: 3045
Answers (1)
Tomalak
Reputation: 338326
This explanation seems quite thorough. For some reason, it is not trivial.
12robots.com Making the JSESSIONID Session Token Cookie SECURE and HTTPOnly and settings its PATH
Upvotes: 1
Related Questions
- Spring Security Sessions without cookies
- Forcing Tomcat to use secure JSESSIONID cookie over http
- JSessionID cookie being set with J2EE session variables option unchecked
- Coldfusion cookie login
- Coldfusion 10 cross domain HTTPS session problems
- coldfusion - managing cookies and log-in issue
- Domain level session cookie on multiple domains
- Forcing HttpOnly cookies with JRun/ColdFusion
- Read Cross-Domain (Cross-Sub-Domain) Cookies in ColdFusion (HTTPS)
- Reading secure cookie in ColdFusion