Your issue is more likely the fact that you are switching between https and 
http. I don't believe that the cookies can cross that barrier.

However, as to your cookies not being secure, check out the article by Pete 
Freitag: Adobe Developer Connection / ColdFusion Developer Center / Securing 
your applications using HttpOnly cookies with ColdFusion. (Sorry, I don't have 
the URL.) It has a section on using secure cookies with https/ssl.

Steve


-----Original Message-----
From: Robert Rhodes [mailto:[email protected]] 
Sent: Tuesday, March 06, 2012 11:13 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01


I just put back the jrun setting to pass cookies securely, and am sending
the jsessionid securely again.  And I am set up to use the database for
client storage.

It's still losing the session when I switch between http and https.

I do have setclientcookies to no, because that sets cfid and cftoken
insecurely which is what caused the PCI test failure.

This really should not be this hard.  I can't be the only person dealing
with this issue.  :(


On Tue, Mar 6, 2012 at 10:44 AM, Donnie Bachan (Gmail) <
[email protected]> wrote:

>
> Hi Robert,
>
> I'm not sure if I'm missing something but shouldn't you have
> setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the
> url on each request.
>
> Best Regards,
> Donnie Bachan
> "Nitendo Vinces - By Striving You Shall Conquer"
>
>
> On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes <[email protected]> wrote:
>
> >
> > For both Phillip and Donnie -- I just set the site up for database
> > storage for the client session in the cf admin (server settings ->
> > client variables), and I see data going in those two tables, but I am
> > still losing the session state when moving from https to http.  I have
> > this set in my application.cfm:
> >
> > clientmanagement="Yes"
> > sessionmanagement="Yes"
> > setclientcookies="No"
> > clientstorage="MyDSN"
> >
> > What am I doing wrong?
> >
> >
>
>
> 
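Added example, not part of the thread: a cookie set with the `Secure` attribute is returned by the client only on HTTPS requests, so a session keyed on a secure `JSESSIONID` looks new to the server as soon as a page is requested over plain HTTP. The sketch below reproduces that client behaviour with Python's standard cookie jar; the host name and session value are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "shop.example.com"        # hypothetical site, not from the thread
SESSION_ID = "abc123constructed"  # constructed sample value


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends duplicates

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Return the Cookie header a client would send to url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(secure):
    """Set JSESSIONID over HTTPS, then see what is sent on each scheme."""
    set_cookie = f"JSESSIONID={SESSION_ID}; Path=/"
    if secure:
        set_cookie += "; Secure"

    jar = CookieJar()
    login = Request(f"https://{HOST}/login")
    jar.extract_cookies(FakeResponse([set_cookie]), login)

    return {
        "https": cookie_header_for(jar, f"https://{HOST}/account"),
        "http": cookie_header_for(jar, f"http://{HOST}/catalog"),
    }


if __name__ == "__main__":
    # Secure cookie: withheld on http, so the server sees no session there.
    print("Secure flag set:  ", simulate(secure=True))
    # Non-secure cookie: sent in clear text over http as well.
    print("Secure flag unset:", simulate(secure=False))
```

With the flag set, the HTTP request carries no session cookie at all; without it, the session identifier travels unencrypted on every HTTP request.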



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350273