BKBK wrote:
I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back up the file before you proceed.
Open the file in a text editor. Replace the setting
<session-config>
<session-timeout>30</session-timeout>
</session-config>
with the setting
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Save the result. Restart ColdFusion.
If I am right, uncommenting the below section will not impact the application(s) in any way. What do you think?
This is a good question. It is in fact what made me have another look.
I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.
I tried this and restarted the CF instance. Then I checked the JSESSIONID in the Chrome browser and got the info below, which means it is not setting the SECURE flag for the JSESSIONID. Had you tried this method before?
Name: JSESSIONID
Content: 3D0C954DC1808CBFFBA1BD09CC558904.ddd
Domain: abc.xyz.pqr.com
Path: /
Send for: Any kind of connection
Accessible to script: No (HttpOnly)
Created: Monday, September 8, 2014 2:07:11 AM
Expires: When the browsing session ends
Any thoughts?
Note that I am using UNIX and I modified the below file
/opt/coldfusion/cfusion/runtime/conf/web.xml
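The thread compares what web.xml asks for with what the browser actually receives, which is the right check: Chrome's "Send for: Any kind of connection" is how its cookie viewer reports a cookie without the Secure attribute, while "Accessible to script: No (HttpOnly)" confirms HttpOnly was applied. The following script is an added example, not code from the thread or from ColdFusion/Tomcat. It parses a web.xml `<cookie-config>` block the way the post describes and compares it against a `Set-Cookie` header value, so the two can be audited side by side after a restart. The two web.xml fragments and the `Set-Cookie` values are constructed samples; in practice the header value would be copied from the response headers of the server under test.

```python
# Added example: compare the HttpOnly/Secure flags requested in a Tomcat
# web.xml <cookie-config> with the flags actually present on a Set-Cookie header.
import xml.etree.ElementTree as ET

# Constructed sample: the <session-config> block before the change
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample: the same block after adding <cookie-config>
WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed Set-Cookie header values (session id is a placeholder).
# The first matches what the post observed: HttpOnly present, Secure absent.
SET_COOKIE_OBSERVED = "JSESSIONID=PLACEHOLDERSESSIONID.ddd; Path=/; HttpOnly"
SET_COOKIE_WANTED = "JSESSIONID=PLACEHOLDERSESSIONID.ddd; Path=/; Secure; HttpOnly"


def _local(tag):
    # Strip an XML namespace prefix: "{http://java.sun.com/...}secure" -> "secure"
    return tag.rsplit("}", 1)[-1]


def cookie_config_flags(web_xml_text):
    """Return {'http-only': bool, 'secure': bool} read from <cookie-config>.
    A missing element counts as False, matching the container default."""
    root = ET.fromstring(web_xml_text)
    flags = {"http-only": False, "secure": False}
    for elem in root.iter():
        if _local(elem.tag) != "cookie-config":
            continue
        for child in elem:
            name = _local(child.tag)
            if name in flags:
                flags[name] = (child.text or "").strip().lower() == "true"
    return flags


def set_cookie_flags(header_value):
    """Parse one Set-Cookie header value into its name and the two flags.
    Attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "http-only": "httponly" in attrs, "secure": "secure" in attrs}


def audit(web_xml_text, set_cookie_header, cookie_name="JSESSIONID"):
    """Return a list of findings; an empty list means both flags were requested
    in web.xml and both appeared on the cookie the server sent."""
    wanted = cookie_config_flags(web_xml_text)
    seen = set_cookie_flags(set_cookie_header)
    if seen["name"] != cookie_name:
        return [f"header is for cookie {seen['name']!r}, not {cookie_name!r}"]
    findings = []
    for flag in ("http-only", "secure"):
        if not wanted[flag]:
            findings.append(f"web.xml does not request {flag}")
        elif not seen[flag]:
            # Config asks for the flag but the response lacks it: the running
            # instance may load a different web.xml, or the application itself
            # may be issuing the cookie instead of the container.
            findings.append(f"{flag} requested in web.xml but missing from Set-Cookie")
    return findings


if __name__ == "__main__":
    for label, xml_text, header in (
        ("before change, observed", WEB_XML_BEFORE, SET_COOKIE_OBSERVED),
        ("after change, observed", WEB_XML_AFTER, SET_COOKIE_OBSERVED),
        ("after change, wanted", WEB_XML_AFTER, SET_COOKIE_WANTED),
    ):
        print(label, "->", audit(xml_text, header) or "OK")
```

The second case reproduces the situation in the post: the edited web.xml requests `secure`, yet the cookie arrives without it. When that happens, confirm that the file edited is the one the running instance actually loads and that the cookie is being issued by the container rather than by the application, since a cookie set by application code is not governed by `<cookie-config>`.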