House of Fusion
Home / Groups / ColdFusion Talk (CF-Talk)

Failed PCI Compliance test on ColdFusion 9 01

Author:
Robert Rhodes
03/06/2012 10:41 AM

Nope. Just CF on this server, and just this one site running.

> Are all your sites running under CF or do you have another Java-based app
> server, like Tomcat/JBoss, running portions of your site as well? That
> happened to me. Someone turned on sessions for a Tomcat app that didn't
> need it and users would drop sessions as they moved around the site from
> the CF side to the Tomcat side,
>
> Phil
>
> > For both Phillip and Donnie -- I just set the site up for database storage
> > for the client session in the cf admin (server settings -> client
> > variables), and I see data going in those two tables, but I am still losing
> > the session state when moving from https to http. I have this set in my
> > application.cfm:
> >
> > clientmanagement="Yes"
> > sessionmanagement="Yes"
> > setclientcookies="No"
> > clientstorage="MyDSN"
> >
> > What am I doing wrong?
> >
> > I did remove the change I made to jrun to force session cookies to be set
> > securely, but I doubt that matters now, because set client cookies is set
> > to no.
> >
> > I am running cf 9.01 standard.
> >
> > -RR
> >
> > On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) <donnie.bachan@gmail.com> wrote:
> >
> > > Robert,
> > >
> > > This is odd that you are losing the session, are you using CF in
> > > multiserver mode or standalone? The article you referenced was for CF8,
> > > however, we're currently running CF9 Ent in multiserver mode and we've not
> > > had this issue crop up. We are however using a DB with client cookies for
> > > managing state across CF instances.
> > >
> > > Best Regards,
> > > Donnie Bachan
> > > "Nitendo Vinces - By Striving You Shall Conquer"
> > > ======================================================================
> > > The information transmitted is intended only for the person or entity to
> > > which it is addressed and may contain confidential and/or privileged
> > > material. Any review, retransmission, dissemination or other use of, or
> > > taking of any action in reliance upon, this information by persons or
> > > entities other than the intended recipient is prohibited. If you received
> > > this in error, please contact the sender and delete the material from any
> > > computer.
> > >
> > > > Robert, a product like Fuseguard from Pete Freitag or a Web Application
> > > > Firewall (or a plugin type of "filter" to your existing firewall) may help.
> > > > I'm currently going through a similar process and thought these options
> > > > might help.
> > > >
> > > > Ché
> > > >
> > > > Justin, thanks for the reply, and I get your point, but I can't break out
> > > > the registration process into a standalone site quickly. There must be a
> > > > fairly quick solution to this problem. Surely, I can't be the first to
> > > > deal with this.
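Background for the jrun change mentioned in this message, as an added example that is not part of the thread: a session cookie carrying the Secure attribute is returned by the client only over https, so the session id never reaches a plain-http page on the same site. The sketch uses Python's `http.cookiejar` as the client; the host name, paths and JSESSIONID value are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message

HOST = "www.example.com"  # constructed host name, not from the thread
SECURE_COOKIE = "JSESSIONID=8430a1b2; Path=/; Secure"  # constructed value
PLAIN_COOKIE = "JSESSIONID=8430a1b2; Path=/"           # same cookie, no Secure


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, never replaces

    def info(self):
        return self._headers


def cookie_sent(set_cookie, next_url):
    """Receive set_cookie from an https page, then return the Cookie header
    the client would attach to a request for next_url (None if nothing)."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{HOST}/register/login.cfm")
    jar.extract_cookies(FakeResponse([set_cookie]), login)

    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure / path / domain rules
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    scenarios = [
        ("Secure cookie, next page https", SECURE_COOKIE, "https"),
        ("Secure cookie, next page http ", SECURE_COOKIE, "http"),
        ("plain cookie,  next page http ", PLAIN_COOKIE, "http"),
    ]
    for label, cookie, scheme in scenarios:
        sent = cookie_sent(cookie, f"{scheme}://{HOST}/index.cfm")
        state = "session kept" if sent else "session lost (no id sent)"
        print(f"{label}: Cookie={sent!r} -> {state}")
```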

