Just out of curiosity, why can't you have the entire session running under SSL? Ever since Firesheep came out it is actually suggested to be all encrypted all the time.
Steve

-----Original Message-----
From: Robert Rhodes [mailto:[email protected]]
Sent: Tuesday, March 06, 2012 2:20 AM
To: cf-talk
Subject: Failed PCI Compliance test on CF9.01

So a site that I built failed PCI compliance testing because the jsessionid cookie is not set securely. I found this post <http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/> that shows how to force JRun to always set the session cookies securely, but the user loses their session state when they move between secure and non-secure pages (the jsessionid is different for secure pages). This is obviously a big problem, since we can't have the entire user session running under SSL. Any ideas on how to get the jsessionid to be the same on secure and non-secure pages? I am a little lost here.

I am running cf9.01, with the app set to sessionmanagement="yes" and setclientcookies="no". In the administrator, I have Cookie set as my default client storage mechanism, and J2EE session variables enabled. I also have use UUID for cftoken enabled, but since I have setclientcookies set to no, I don't think that matters.

-RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350247
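The behaviour the thread describes can be reproduced without JRun. The example below is added here and is not code from either poster: it uses the standard-library cookie jar, which applies the same rule a browser does (a cookie carrying the Secure attribute is only attached to https requests), against a small mock app server that stands in for JRun. The hostname, page paths and session ids are constructed. It walks one visitor through an https login, an http catalog page and an https checkout under the three configurations the thread touches on: the cookie without Secure (what the PCI scan flagged, and the cookie Firesheep-style sniffing picks up), the cookie with Secure on a mixed http/https site (the session "loss" Robert saw), and Secure with every page served over https (Steve's suggestion).

```python
"""Why a Secure-flagged JSESSIONID "loses" the session on http pages, and why
serving the whole session over https fixes it.  Added example, not from the
cf-talk thread; the mock server below only imitates JRun's session cookie.
"""
import http.cookiejar
import urllib.request
from email.message import Message

COOKIE_NAME = "JSESSIONID"      # the name JRun uses for J2EE session cookies
HOST = "shop.example.test"      # constructed hostname


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie=None):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class MockAppServer:
    """Issues a new session id whenever a request arrives without a valid one."""

    def __init__(self, secure_cookie: bool):
        self.secure_cookie = secure_cookie   # the attribute the linked post forces on
        self.sessions = set()
        self.counter = 0

    def handle(self, req: urllib.request.Request):
        sid = None
        for part in req.get_header("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value in self.sessions:
                sid = value
        if sid is not None:
            return sid, FakeResponse()
        # No usable session cookie arrived: start a fresh session.  This is the
        # moment the visitor's login, cart and other session state disappear.
        self.counter += 1
        sid = f"sess-{self.counter}"
        self.sessions.add(sid)
        attrs = "; Path=/; HttpOnly" + ("; Secure" if self.secure_cookie else "")
        return sid, FakeResponse(f"{COOKIE_NAME}={sid}{attrs}")


def browse(pages, secure_cookie, force_https=False):
    """Walk one visitor through (scheme, path) pages against a fresh server.

    Returns the session id the server saw on each page and how many times the
    session cookie was transmitted over plain http.
    """
    server = MockAppServer(secure_cookie)
    jar = http.cookiejar.CookieJar()
    seen, cleartext_sends = [], 0
    for scheme, path in pages:
        if force_https and scheme == "http":
            scheme = "https"   # site-wide http->https redirect, as Steve suggests
        req = urllib.request.Request(f"{scheme}://{HOST}{path}")
        jar.add_cookie_header(req)          # the jar enforces the Secure rule here
        if scheme == "http" and COOKIE_NAME in req.get_header("Cookie", ""):
            cleartext_sends += 1
        sid, resp = server.handle(req)
        jar.extract_cookies(resp, req)      # store whatever the server set
        seen.append(sid)
    return seen, cleartext_sends


# Constructed visit: secure login, plain catalog page, secure checkout.
MIXED_VISIT = [("https", "/login.cfm"), ("http", "/catalog.cfm"),
               ("https", "/checkout.cfm")]


def scenario_insecure_cookie():
    """The config that fails the PCI scan: one session, but it rides over http."""
    return browse(MIXED_VISIT, secure_cookie=False)


def scenario_secure_cookie_mixed_site():
    """The linked fix on a mixed site: the http page starts a new session."""
    return browse(MIXED_VISIT, secure_cookie=True)


def scenario_secure_cookie_all_https():
    """Secure cookie plus everything over https: one session, nothing in the clear."""
    return browse(MIXED_VISIT, secure_cookie=True, force_https=True)


if __name__ == "__main__":
    for fn in (scenario_insecure_cookie, scenario_secure_cookie_mixed_site,
               scenario_secure_cookie_all_https):
        seen, clear = fn()
        print(f"{fn.__name__:34s} sessions={seen} cookie-over-http={clear}")
```

The middle scenario is the one Robert describes: the jar holds the Secure JSESSIONID from the login page, refuses to send it on the http catalog page, and the server, seeing no cookie, starts a second session. There is no cookie attribute that makes one cookie both Secure and sendable over http; that is the point of the attribute, which is why the only configuration that keeps a single session and never exposes the id in the clear is the third one.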

