ColdBox has a sessionstorage feature that is nice and verbose. I can
store my session vars within the sessionstorage plugin and let CB
handle the rest.
When I use sessionstorage to set my session vars ... how secure are
these sessionstorage vars over HTTP?
I'd think as secure as the underlying engine?? The session storage
plugin uses regular sessions and creates a struct in the session to
store its data.
So if the CF session is secure, then the session storage vars should
also be considered secure as they're simply held in a struct within
the regular session.