Setting secure attribute of JSESSIONID cookie in ColdFusion 8
As part of PCI compliance our servers were run through third-party security auditing, and one warning we received was “Missing Secure Attribute in an Encrypted Session (SSL) Cookie”. This warning referred to the JSESSIONID cookie being set in our SSL-enabled pages not having the SECURE attribute set. In ColdFusion there is no way for you to do this programmatically (since you would not explicitly create the JSESSIONID cookie) or even via the administrator. After a lot of searching and reading I found the solution thanks to a comment on this post:
http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm
The solution is quite simple, add:
after the </persistence-config> element in your jrun-web.xml file, which is usually located in C:\JRun4\servers\yourservername\cfusion-ear\cfusion-war\WEB-INF\jrun-web.xml. If you are running in multiserver mode of CF Enterprise and have multiple application instances, you must add this to the jrun-web.xml of every application instance.
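One way to confirm the change took effect on each instance, as an added example that is not from the original post: the functions below parse Set-Cookie header lines from an HTTPS response and report session cookies sent without the Secure attribute. The sample headers and all function names are constructed for illustration.

```python
"""Check Set-Cookie headers from an HTTPS response for the Secure attribute."""

# Constructed sample headers (not captured from a real server).
BEFORE = [
    "Set-Cookie: JSESSIONID=8430a1b2c3d4e5f6;path=/",
]
AFTER = [
    "Set-Cookie: JSESSIONID=8430a1b2c3d4e5f6;Secure;path=/",
    "Set-Cookie: PREFS=secure; Path=/",  # the value 'secure' is not the attribute
]


def parse_set_cookie(header_line):
    """Return (name, value, attrs) for one Set-Cookie header line.

    attrs maps lower-cased attribute names to their values ('' for flags).
    """
    _, _, raw = header_line.partition(":")  # split off the header name only
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(header_lines, names=("JSESSIONID",)):
    """Names of watched cookies that are set without the Secure attribute."""
    # Names are compared case-insensitively so an audit does not miss variants.
    watched = {n.upper() for n in names}
    missing = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name.upper() in watched and "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", cookies_missing_secure(BEFORE))
    print("after: ", cookies_missing_secure(AFTER))
```

In multiserver mode, run the check against response headers from every application instance, since each has its own jrun-web.xml.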