Setting Secure cookies when HTTPS (for mixed HTTPS/HTTP site) with JRun/ColdFusion

We have a site running on CF7 that has both logged in and logged out sections, and uses jsessionid for sessions.

When switching to HTTPS (for the secure sections), we need to start a new secure session, setting the 'Secure' flag on the jsessionid cookie.

Whilst JRun has an option for setting 'Secure' it appears to be an all-or-nothing deal.

Is there a way to always use Secure when in HTTPS mode?


Related Question: Setting HttpOnly flag for all cookies.

Palimpsest answered 26/6, 2009 at 10:42

This explanation seems quite thorough. For some reason, it is not trivial.

12robots.com: Making the JSESSIONID Session Token Cookie SECURE and HTTPOnly and setting its PATH

Drennen answered 26/6, 2009 at 12:4 Comment(2)
Oh, I just see you had that recommendation already, just in a different question. :) I don't think there is a smooth way to do what you want. IMHO, this should be handled transparently by the server. - Drennen
Heh yeah, I split the questions out since they're distinct issues, but I did intend to explicitly link them to each other, will go do that now. And I definitely agree this should be handled by the server - might be worth checking if Tomcat or Resin provides better control over this. - Palimpsest
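
One way to emit a Secure session cookie only for sessions that begin over HTTPS, as an added example that is not from the original posts or the linked article. It assumes J2EE session variables are enabled (so `session.sessionid` holds the jsessionid value), that the cookie is named `JSESSIONID`, and that the web server connector populates `cgi.https` or `cgi.server_port_secure`; the application name and the `isHttpsRequest` helper are hypothetical.

```cfml
<!--- Application.cfc (added example; application name is hypothetical) --->
<cfcomponent output="false">

  <cfset this.name = "exampleMixedSite">
  <cfset this.sessionManagement = true>

  <!--- True when the current request arrived over HTTPS.
        Assumption: the connector sets cgi.https to "on" or
        cgi.server_port_secure to 1 for TLS requests. --->
  <cffunction name="isHttpsRequest" access="private" returntype="boolean" output="false">
    <cfreturn (cgi.https EQ "on") OR (cgi.server_port_secure EQ 1)>
  </cffunction>

  <!--- Runs once, when the session is created. --->
  <cffunction name="onSessionStart" returntype="void" output="false">
    <cfset var cookieValue = "JSESSIONID=" & session.sessionid & "; Path=/; HttpOnly">

    <cfif isHttpsRequest()>
      <!--- Session began over HTTPS: mark the cookie Secure so the
            browser never sends it on the plain-HTTP part of the site. --->
      <cfset cookieValue = cookieValue & "; Secure">
      <cfheader name="Set-Cookie" value="#cookieValue#">
    </cfif>
    <!--- A session that began over HTTP is left alone: its ID has already
          crossed the wire in clear text, so adding Secure afterwards would
          not make it trustworthy for the logged-in section. --->
  </cffunction>

</cfcomponent>
```

The server may still send its own JSESSIONID header alongside this one, so inspect the Set-Cookie headers of the first HTTPS response to confirm which value the browser keeps.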
