In ColdFusion do I need to reestablish session tokens after switch from http to https?
ColdFusion sessions are supported with a combination of CFID, CFTOKEN and jsessionid values. When a cfm page is first hit, these values are established, thus creating the SESSION.
My question is, if the SESSION is created under HTTP and then a link is clicked to get to a login page under HTTPS, are those SESSION token values compromised because they were created under http (i.e. they were passed in clear text as part of the request).
I'm guessing that someone astutely sniffing a public router could get those values and then spoof the session from then on out. It would definitely be a rare occurrence, I know, but nevertheless a concern.
Yes, your cookies will be vulnerable to eavesdropping and session hijacking if you pass them over a non-secure channel. Wikipedia has some good prevention mechanisms listed on their Session Hijacking page. Probably the easiest is to do as invertedSpear said and just regenerate the session after a successful login, and once logged in, stay on HTTPS.
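As an added illustration of the approach the answer recommends (this is not code from the question or the answer), here is how a login page can discard the tokens issued under HTTP and keep the session cookies off the clear-text channel. It assumes ColdFusion 10 or later (SessionRotate() and the this.sessioncookie settings) and a hypothetical isValidLogin() function standing in for the application's own credential check.

```cfml
<!--- Application.cfc (ColdFusion 10+): flag the session cookies so the browser
      never sends CFID/CFTOKEN over plain HTTP and never exposes them to script --->
<cfcomponent>
    <cfset this.name = "secureSessionDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.sessionCookie.secure = true>    <!--- sent on HTTPS only --->
    <cfset this.sessionCookie.httpOnly = true>  <!--- not readable by JavaScript --->
</cfcomponent>

<!--- login.cfm: the page that accepts credentials, served over HTTPS only --->
<cfif cgi.server_port_secure NEQ 1>
    <!--- Bounce to HTTPS; addtoken="false" keeps CFID/CFTOKEN out of the URL --->
    <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="false" statuscode="302">
</cfif>

<cfif cgi.request_method EQ "POST">
    <cfparam name="form.username" default="">
    <cfparam name="form.password" default="">
    <!--- isValidLogin() is a placeholder for the application's own credential check --->
    <cfif isValidLogin(form.username, form.password)>
        <!--- Invalidate the session that may have been created under HTTP and issue
              fresh CFID/CFTOKEN/jsessionid values; existing session data is carried over --->
        <cfset sessionRotate()>
        <cfset session.authenticated = true>
        <cfset session.username = form.username>
        <!--- Stay on HTTPS from here on and again keep the tokens out of the URL --->
        <cflocation url="/account.cfm" addtoken="false" statuscode="302">
    <cfelse>
        <cfoutput><p>Login failed.</p></cfoutput>
    </cfif>
</cfif>
```

With sessionCookie.secure set, pages served over plain HTTP will not see the session cookie at all, so any pre-login work that relies on the session must also run over HTTPS.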