1 Reply Latest reply on Jun 2, 2008 10:28 AM by Coos

    How do I set a secure JSESSIONID cookie

    Coos Level 1
      Most of our application is accessed via SSL. We do not have "Use J2EE Session Variables" checked the CFAdminsitrator, but have noticed that JSESSIONID cookies are set non-secure when someone accesses a few pages that have CF Flash forms.

      Here's an example of the headers that set this cookie:
      Set-Cookie: JSESSIONID=4a30b299250ac417a83654b38f6b492f35242;path=/

      How can I make this cookie be set securely from the start?

      We will probably be using J2EE Session Variables in the very near future for clustering so we still want the cookie to be set. Per a security audit, we can't simply resend the same cookie as secure; the initial one must be secure.