J2EE Sessions in CF10 Uses Secure Cookies

coldfusion This week I helped out a client resolve an issue due to a change in behavior from CF9 to CF10. CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel.

This entry was:

Setting up HTTPOnly Session Cookies for ColdFusion

coldfusion Internet Explorer pioneered a great security feature for cookies called HTTPOnly, when this flag is set the browser does not allow JavaScript to access the cookie. Now that all modern browsers support this flag it can reduce the risk of session hijacking due to cross site scripting.

This entry was:

J2EE Session Cookies on ColdFusion / JRun

coldfusion java As you are probably aware ColdFusion allows you to use the integrated J2EE sessions that are provided as part of the J2EE server (by enabling the Use J2EE session variables setting in ColdFusion Administrator).

This entry was:


did you hack my cf?