If jsessionids are enabled, CF appears to set that cookie, no matter what. I know of no way to prevent that from happening.
And yes, even though the site is being loaded by https, the jsessionid cookie is still being set insecurely.

As I said before, this should be easier than it is. Or maybe it's just because I am missing something obvious.

-RR

On Tue, Mar 6, 2012 at 3:00 PM, Cameron Childress <[email protected]> wrote:

> On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes <[email protected]> wrote:
>
> > Yes, I saw that. But he does not say how he made the new jsession id
> > string. I am sure it is not some random string he programmatically
> > generated. So, there must be a way to get at the jsessionid
> > even if you don't have jsessionidenabled in the administrator.
>
> I'd say, enable it in the CFAdmin, tell CF not to set cookies automatically
> (via code), then set it yourself. Are you sure it's getting set as
> nonsecure? That is very surprising to me.
>
> -Cameron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350291
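One way to answer the "are you sure it's getting set as nonsecure?" question is to audit the raw `Set-Cookie` response headers. The following is an added example, not code from this thread: the function names are hypothetical and the header values are constructed. It covers the case described above, where the server's own insecure cookie is sent alongside one set manually with the right flags.

```python
# Added example: flag session cookies that lack the Secure/HttpOnly attributes.
# Cookie names are compared case-insensitively; CFID/CFTOKEN are included
# as an assumption about which cookies carry ColdFusion session identity.
SESSION_COOKIE_NAMES = {"jsessionid", "cfid", "cftoken"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lowercased attribute names to their values ('' for flags).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, over_https=True):
    """Return [(cookie_name, [missing attributes])] for session cookies."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample: one response carrying both the automatically set
# cookie (no flags) and a manually set copy with Secure and HttpOnly.
SAMPLE_HEADERS = [
    "JSESSIONID=8430constructed0000; path=/",
    "CFID=1234; expires=Thu, 27-Feb-2042 20:00:00 GMT; path=/; Secure; HttpOnly",
    "theme=dark; path=/",
    "jsessionid=8430constructed0000; Path=/; secure; HTTPONLY",
]

if __name__ == "__main__":
    for cookie, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

If any unflagged copy of the cookie still appears in the response, the session identifier is exposed regardless of the hardened copy sent next to it.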

