Hi Dave,

Somehow, I missed your reply to this post earlier. Thanks very much for
stepping in.

I've tried your suggestions, and (assuming I'm changing the correct files),
the cookies are still httpOnly.

I made the changes shown in the StackOverflow article in
{CFDirectory}/cfusion/runtime/conf/web.xml (setting the http-only attribute
to false, of course). I also made the same changes in
{CFDirectory}/cfusion/wwwroot/WEB-INF/web.xml.

Neither had any effect: the cookies were still httpOnly.

I attempted to make the change described in your second link. I added a
<useHttpOnly = false /> attribute within the Context element in
{CFDirectory}/cfusion/runtime/conf/context.xml. However, this prevented the
service from working for some reason. It seemed to break the connector in
some way, since the isapi-redirect.dll could not be found.

I can only guess that ColdFusion is overriding the Tomcat config - though
the use of httpOnly cookies is set to false in the CF Admin, and shows
correctly as <var name="httpOnlySessionCookie"><boolean value="false"/></var>
within neo-runtime.xml.

And I mentioned this earlier, but my Application.cfc has:
this.sessioncookie.httponly=false.

And finally, I have confirmed that other sites/applications on the same
server are returning httpOnly session cookies.

?????



On Thu, Oct 3, 2013 at 2:16 PM, Dave Watts <[email protected]> wrote:

>
> > The problem appears to be that the session cookies are being set as
> > HttpOnly, and can't be accessed by the Flex call (just as they would fail
> > on an ajax call).
> >
> > However, I am not able to get CF to send the cookies as HttpOnly=false. I
> > have unchecked both the Secure and HttpOnly options in the CF Admin. And
> my
> > Application.cfc contains this.sessioncookie.httponly=false.
> >
> > Yet despite this, and restarting the CF service just for fun, when I
> > access the dev site and examine the cookie content (in multiple
> browsers),
> > the cookies (jsession, CFID and CFTOKEN) are all set as httpOnly=true.
> >
> > Does anyone have any thoughts on this?
>
> Assuming you're running CF 10 on Tomcat, you can probably make the
> appropriate changes in Tomcat's configuration files. I haven't tried
> to do this, but you might go here for a start:
>
>
> http://stackoverflow.com/questions/17991090/tomcat-7-sessionid-cookie-disable-http-only-and-secure
>
> http://tomcat.apache.org/migration-7.html#Session_cookie_configuration
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 
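
To see which layer's setting actually took effect, it helps to read the Set-Cookie headers themselves rather than a browser's cookie viewer. The following is an added example, not code from this thread, from ColdFusion or from Tomcat: it parses the Set-Cookie headers of a raw HTTP response and reports the HttpOnly and Secure flags on JSESSIONID (Tomcat's default session cookie name; the post above calls it "jsession"), CFID and CFTOKEN. The sample response is constructed to match the situation described above, and the fetch_raw_response helper is an assumption about how one would pull live headers with the standard library.

```python
"""Check which session cookies an HTTP response marks HttpOnly / Secure.

Added example for the thread above; not ColdFusion or Tomcat code.
JSESSIONID is Tomcat's default session cookie; CFID and CFTOKEN are
ColdFusion's. SAMPLE_RESPONSE below is constructed, not captured.
"""
import http.client
from typing import Dict, List, NamedTuple

SESSION_COOKIES = ("JSESSIONID", "CFID", "CFTOKEN")

# Constructed sample: what `curl -i` would show from a CF site where every
# layer still leaves HttpOnly on (the situation described in the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly\r\n"
    "Set-Cookie: CFID=1234; Expires=Sat, 01 Oct 2043 00:00:00 GMT; Path=/; HttpOnly\r\n"
    "Set-Cookie: CFTOKEN=98765432; Expires=Sat, 01 Oct 2043 00:00:00 GMT; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


class CookieFlags(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name, "httponly" in attrs, "secure" in attrs)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Pull every Set-Cookie header value out of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def session_cookie_report(raw_response: str) -> Dict[str, CookieFlags]:
    """Flags for each session cookie present; non-session cookies are ignored."""
    report = {}
    for value in set_cookie_headers(raw_response):
        flags = parse_set_cookie(value)
        if flags.name.upper() in SESSION_COOKIES:
            report[flags.name.upper()] = flags
    return report


def script_readable(raw_response: str) -> List[str]:
    """Session cookies a Flex or JavaScript client could read (no HttpOnly flag)."""
    return sorted(n for n, f in session_cookie_report(raw_response).items()
                  if not f.httponly)


def fetch_raw_response(host: str, path: str = "/", port: int = 80) -> str:
    """Fetch a page and rebuild its header block (body dropped).
    Assumed helper; not called by default so the example runs offline."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
    lines += ["%s: %s" % (k, v) for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for name, flags in session_cookie_report(SAMPLE_RESPONSE).items():
        print("%-10s HttpOnly=%s Secure=%s" % (name, flags.httponly, flags.secure))
    print("readable by script:", script_readable(SAMPLE_RESPONSE) or "none")
```

Run it against the dev site and against one of the other applications on the same server to compare; if JSESSIONID changes but CFID and CFTOKEN do not (or the reverse), that tells you which layer is still applying the flag. Tomcat's own switch is the useHttpOnly attribute on the Context element in context.xml, as the migration guide linked above describes. Keep in mind what the flag is for: HttpOnly is the browser-side control that stops script from reading the session id after a cross-site scripting bug, so clearing it to let a Flex call read CFID and CFTOKEN removes that protection for every page of the application, not just the one call.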

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356888