Not sure what I am missing here. We are running ColdFusion 9.0.2 in a clustered
environment. I added -Dcoldfusion.sessioncookie.httponly=true to the
jvm.config file. I restarted the ColdFusion instances, ran an application scan,
and it still says they are not httponly (I also checked using Chrome and it says
the same thing). I also added the following to the jrun-web.xml file in each CF
instance:

<cookie-config>
  <active>true</active>
  <cookie-secure>true</cookie-secure>
</cookie-config>

and the scan comes back with the cookies not being set to secure. This is a very
straightforward process that I have implemented on other setups, so I am
really puzzled as to why this is not working on this current environment. Any
ideas? I am using CF 9.0.2 w/ built-in JRUN and Windows 2008 R2 OS.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358658
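
An added example, not part of the original post: a small check of the two flags the post is about, run directly against the Set-Cookie response headers instead of relying on a scanner summary. The cookie names CFID, CFTOKEN and JSESSIONID and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
# The cookie names and the sample response below are constructed for illustration.

SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}  # assumed session cookie names

# Constructed sample: raw response headers as a proxy or "curl -i" would show them.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: CFID=1234; expires=Thu, 01-Jan-2043 00:00:00 GMT; path=/
Set-Cookie: CFTOKEN=56789; path=/; HttpOnly
set-cookie: JSESSIONID=8430abcd; path=/; Secure; httponly
Set-Cookie: THEME=dark; path=/
"""


def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as HttpOnly carry no "=value".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw_headers, names=SESSION_COOKIES):
    """Map each session cookie found to the list of flags it is missing."""
    findings = {}
    for line in raw_headers.splitlines():
        # Header field names are case-insensitive; split on the first colon only.
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.upper() not in names:
            continue  # not a session cookie, out of scope for this check
        findings[name] = [f for f in ("httponly", "secure") if f not in attrs]
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Checking each node of a cluster separately with a check like this shows whether every instance picked up the setting or only some of them did.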