Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
If you have a site that you want to enforce the use of ssl on, one way of doing this is to mark cookies as secure. The secure flag tells the user's browser to only send back the cookie over ssl (HTTPS) connections. This means that the browser will never send a cookie marked secure over a http connection.
This Is A Server Wide Setting
Warning: This setting will affect all sites on that cf instance on your server. This means that all sites must be using ssl as any site which is not will not be able to maintain state using cookies. I was caught by this recently when we setup a new site which did not require or possess an ssl cert onto a server that had originally been configured for ssl only.
A solution to this problem is to create a dedicated cf instance for ssl only websites and another for non ssl enforced websites.
Locate The Jrun-web.xml Config File
To set cookies secure in ColdFusion you need to edit the jrun-web.xml file. If you are using a multi instance setup then you will have one file per instance. Assuming the default install locations the file can be located here:
Setting The Secure Flag
To set the secure flag on session cookies locate the session-config section of the file and add or modify the cookie config section with the cookie-secure rule so that your config looks something like this.
Now restart ColdFusion to load the new configuration and test using something like the web developer plugin for firefox to inspect the cookies sent.
Monday, April 11, 2016 at 3:10:08 PM Coordinated Universal Time
Thanks for the article. Very helpful. I did make the change to my jrun-web.xml file for a specific instance. I restarted the instance but I don't see the Secure flag being added the CFID and CFTOKEN cookies. Any insight is appreciated.
Saturday, April 23, 2016 at 10:54:58 AM Coordinated Universal Time
Can you provide more information. What version of CF you are running, 7,8,9 etc and standard/enterprise.
Also the contents on the jrun-web.xml file.