Hi Zack!
In a nutshell - the fine people of this forum gave me code to add to CFAPPLICATION - with the hopes that it would set both flags.
Unfortunately, only the httponly flag is being set. We can’t get the “Secure” flag to set.
The only way I’ve found to do it (and I’m about 8 hours into this issue at this point) is to add code to the Apache http.conf to force the flag in the set-cookie header… This allows my PCI Compliance scan to pass…
HOWEVER - Folks in this community have warned against this solution saying it has caused them issues. Any ideas? I’m stumped. The testing against port 8888 shows the Secure flag is NOT being set by Tomcat…
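One way to confirm which layer is setting the flags, as an added example that is not part of the original post: the script below parses the `Set-Cookie` headers of a response and lists the cookies that lack `Secure` or `HttpOnly`. The two sample responses (direct to port 8888 and through Apache) and the cookie names and values in them are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.

def cookie_flags(set_cookie_value):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Expires=...) are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw_headers, required=("secure", "httponly")):
    """Map cookie name -> sorted list of required attributes it is missing."""
    findings = {}
    for line in raw_headers.splitlines():
        # Split on the first colon only, so Expires timestamps stay intact.
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(value)
        missing = sorted(a for a in required if a not in attrs)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: response taken directly from the servlet container on port 8888.
DIRECT_8888 = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cfid=abc123; Path=/; HttpOnly
Set-Cookie: cftoken=0; Path=/; HttpOnly
"""

# Constructed sample: same request through Apache, which rewrites the header.
VIA_APACHE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cfid=abc123; Path=/; HttpOnly; Secure
Set-Cookie: cftoken=0; Path=/; HttpOnly; Secure
"""

if __name__ == "__main__":
    for label, response in (("direct :8888", DIRECT_8888), ("via Apache", VIA_APACHE)):
        print(label, audit(response) or "all cookies carry Secure and HttpOnly")
```

An empty result for the Apache response alongside a non-empty one for port 8888 shows the flag is being added by the proxy rather than by the application.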