There are a few ways to do this, but it somewhat depends on what your
business goal is. Is your goal to have only people with https
connections get CF sessions? Do you want to protect your entire site
or just part of it?

If you want to enforce SSL, one of the best places to do this is on the
Web server. It is fairly common to lock down a portion of a Web site
such that SSL is required. If the locked-down portion has a different
ColdFusion application name, then it has different sessions also. If
you don't want the public part of the Web site to set cookies, you can
disable this if you treat the public portion as a different
application (having its own Application.cfc).

There are other ways to go about this as well, such as maintaining
sessions without storing cfid and cftoken directly in the cookie,
which would be an added layer of security on top of SSL.

-Mike Chabot

On Wed, May 7, 2008 at 11:56 AM, Jide Aliu <[EMAIL PROTECTED]> wrote:
> Hi Folks,
>
> Is it possible to send CFID, CTOKEN or even JSessionID by "Encrypted 
> connections only". The 3 are generated by ColdFusion server unlike a CFCOOKIE 
> which I can write like so <CFCOOKIE NAME = "Name" Value = "Value" Expires = 
> "Expiration Date" secure="Yes">.
>
> Clues please.
>
> Jide
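
One way to get secure-only CFID/CFTOKEN cookies in the SSL-only application discussed above, as an added example that is not code from either poster: turn off ColdFusion's automatic cookies and write them yourself with the secure attribute from the question. The application name SecureArea and the 30-minute timeout are assumptions.

```cfml
<!--- Application.cfc for the SSL-only part of the site (added example) --->
<cfcomponent output="false">
    <!--- Assumed name; it must differ from the public application's name
          so the two parts of the site do not share sessions --->
    <cfset this.name = "SecureArea">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Stop ColdFusion from writing CFID/CFTOKEN itself, because the
          cookies it writes do not carry the secure attribute --->
    <cfset this.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Second check behind the Web server's SSL rule: never serve
              this application over plain HTTP --->
        <cfif cgi.server_port_secure neq 1>
            <cflocation url="https://#cgi.server_name##cgi.script_name#"
                        addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Session cookies (no expires attribute) that the browser
              returns only over an encrypted connection --->
        <cfcookie name="CFID" value="#session.CFID#" secure="yes">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="yes">
    </cffunction>
</cfcomponent>
```

This covers CFID and CFTOKEN only; when J2EE session variables are enabled, the JSESSIONID cookie is issued by the underlying servlet container and is not affected by this component.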

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:304887