Here's an update on this...
I was able to fix this by adding the following to OnRequestStart in
Application.cfc:
    // Re-issue the two CF session cookies with the HttpOnly and Secure flags set
    setcookie(name: "cfid", value: session.cfid, httponly: true, secure: true);
    setcookie(name: "cftoken", value: session.cftoken, httponly: true, secure: true);
This works. I also tried it in OnRequest and that works also.
Oddly enough, it doesn't work when I added it to OnSessionStart.
No exception was thrown--it just quietly fails to update the session
cookies.
Keeping it in OnRequestStart doesn't seem to hurt anything; it just seems
like unnecessary thrashing to me.
On Wednesday, April 13, 2016 at 9:10:53 AM UTC-6, John Moss wrote:
>
> I recently switched from J2EE Sessions to CF Sessions so I could use the
> MongoDB solution.
> Now our security scan gives me a warning that the session cookies are not
> secure and when I compare the J2EE cookie to the CFID/CFTOKEN cookies in
> Chrome the J2EE cookie has a check in the "Secure" column and the CF*
> cookies don't.
>
> Is there a way to fix this?
>
> Thanks!
> John Moss
>
>
--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en
---
You received this message because you are subscribed to the Google Groups "Open
BlueDragon" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
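A complete Application.cfc that applies the fix described in the reply above. This is an added example, not the poster's code or anything shipped with OpenBD; the application name is made up, and the only calls used are the setcookie() call the reply already reports working in onRequestStart. The two flags matter for different reasons: Secure stops the browser from sending CFID/CFTOKEN over plain HTTP, and HttpOnly keeps them out of document.cookie so script injected by an XSS bug cannot read them.

```cfml
// Application.cfc (added example): re-issue the CFID/CFTOKEN session cookies on
// every request with the Secure and HttpOnly flags set, which is the placement
// the thread reports as working (onRequestStart, not onSessionStart).
component {
    this.name = "SecureCookieDemo";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    function onRequestStart(targetPage) {
        // Secure: the browser only returns these cookies over HTTPS, so every
        // page of the site must be served over HTTPS. If any page is reached
        // over plain HTTP, the cookies are not sent and the user gets a fresh
        // session on that request.
        // HttpOnly: the cookies are not exposed to JavaScript, which blunts
        // session theft through cross-site scripting.
        setcookie(name: "cfid", value: session.cfid, httponly: true, secure: true);
        setcookie(name: "cftoken", value: session.cftoken, httponly: true, secure: true);
        return true;
    }
}
```

To confirm the flags actually reach the browser, request a page over HTTPS and read the response headers, for example with `curl -sI https://yourhost/ | grep -i set-cookie`; both the CFID and CFTOKEN Set-Cookie lines should carry `Secure` and `HttpOnly`. If the per-request rewrite bothers you, a session-scoped flag (say, `session.cookieFlagsSet`) would let you issue the cookies only on the first request of each session; the thread does not test that variant, so check it with the same curl command before relying on it.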