Most of our application is accessed via SSL. We do not have
"Use J2EE Session Variables" checked the CFAdminsitrator, but have
noticed that JSESSIONID cookies are set non-secure when someone
accesses a few pages that have CF Flash forms.
Here's an example of the headers that set this cookie:
How can I make this cookie be set securely from the start?
We will probably be using J2EE Session Variables in the very
near future for clustering so we still want the cookie to be set.
Per a security audit, we can't simply resend the same cookie as
secure; the initial one must be secure.