As part of PCI compliance our servers were run through third-party security auditing and one warning we received was "Missing Secure Attribute in an Encrypted Session (SSL) Cookie". This warning referred to the JSESSIONID cookie being set in our SSL-enabled pages not having the SECURE attribute set. In ColdFusion there is no way for you to do this programmatically (since you would not explicitly create the JSESSIONID cookie) or even via the administrator. After a lot of searching and reading I found the solution thanks to a comment on this post:
http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm
The solution is quite simple, add:
<cookie-config>
    <cookie-secure>true</cookie-secure>
</cookie-config>
after the </persistence-config> element in your jrun-web.xml file, which is usually located in C:\JRun4\servers\yourservername\cfusion-ear\cfusion-war\WEB-INF\jrun-web.xml. If you are running in multiserver mode of CF Enterprise and have multiple application instances, you must add this to the jrun-web.xml of every application instance.
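Since the setting has to be repeated in every instance, a quick audit helps catch the one that was missed. The script below is an added example, not part of the original post or of ColdFusion/JRun: it walks a servers directory using the path layout given above and reports each instance's cookie-secure state. The sample files, the instance names and the status labels are constructed for illustration.

```python
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

# Relative path from the post; the servers root (e.g. C:\JRun4\servers) is passed in.
REL_PATH = os.path.join("cfusion-ear", "cfusion-war", "WEB-INF", "jrun-web.xml")


def cookie_secure_status(xml_data):
    """Classify one jrun-web.xml: 'ok', 'missing', 'disabled' or 'unparseable'."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return "unparseable"  # a broken hand edit is worth reporting on its own
    values = [(el.text or "").strip()
              for el in root.findall(".//cookie-config/cookie-secure")]
    if not values:
        return "missing"
    return "ok" if all(v == "true" for v in values) else "disabled"


def audit_instances(servers_dir):
    """Map each instance directory name under servers_dir to its status."""
    report = {}
    for path in sorted(glob.glob(os.path.join(servers_dir, "*", REL_PATH))):
        instance = os.path.relpath(path, servers_dir).split(os.sep)[0]
        with open(path, "rb") as fh:
            report[instance] = cookie_secure_status(fh.read())
    return report


def demo():
    """Build three constructed instances in a temp dir and audit them."""
    fixed = ("<jrun-web-app><persistence-config/>"
             "<cookie-config><cookie-secure>true</cookie-secure></cookie-config>"
             "</jrun-web-app>")
    samples = {
        "cfusion": fixed,
        "instance2": "<jrun-web-app><persistence-config/></jrun-web-app>",
        "instance3": fixed.replace("true", "false"),
    }
    with tempfile.TemporaryDirectory() as servers_dir:
        for name, xml_text in samples.items():
            target = os.path.join(servers_dir, name, REL_PATH)
            os.makedirs(os.path.dirname(target))
            with open(target, "w", encoding="utf-8") as fh:
                fh.write(xml_text)
        return audit_instances(servers_dir)
```

Call audit_instances() with your own servers directory; any instance not reported as "ok" still needs the edit.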





