I wanted to circle back and thank everyone for their suggestions. Running the site in SSL all the time got us passed, and the site seems to be working fine.
I wish there was a better way, but this works. Thanks again.

-RR

On 3/6/12, Robert Rhodes <[email protected]> wrote:
> If jsessionids are enabled, CF appears to set that cookie, no matter what.
> I know of no way to prevent that from happening.
>
> And yes, even though the site is being loaded by https, the jsessionid cookie
> is still being set insecurely.
>
> As I said before, this should be easier than it is. Or maybe it's just
> because I am missing something obvious.
>
> -RR
>
> On Tue, Mar 6, 2012 at 3:00 PM, Cameron Childress
> <[email protected]> wrote:
>
>> On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes <[email protected]>
>> wrote:
>>
>> > Yes, I saw that. But he does not say how he made the new jsession id
>> > string. I am sure it is not some random string he programmatically
>> > generated. So, there must be a way to get at the jsessionid
>> > even if you don't have jsessionidenabled in the administrator.
>>
>> I'd say, enable it in the CFAdmin, tell CF not to set cookies
>> automatically (via code), then set it yourself. Are you sure it's
>> getting set as nonsecure? That is very surprising to me.
>>
>> -Cameron
>>
>> --
>> Cameron Childress
>> --
>> p: 678.637.5072
>> im: cameroncf
>> facebook <http://www.facebook.com/cameroncf> |
>> twitter <http://twitter.com/cameronc> |
>> google+ <https://profiles.google.com/u/0/117829379451708140985>

