Turn off HttpOnly cookies using JRun / ColdFusion

Question

Turn off HttpOnly cookies using JRun / ColdFusion

We need to make sure that all cookies on the CF7 website are set to HttpOnly.

We use jsessionid to manage our sessions, and JRun does not create this as HttpOnly.

While you can modify an existing cookie to add this parameter, we need to set it with HttpOnly from the very beginning.

Any suggestions?

Related question: Setting a secure flag for HTTPS cookies.

+6

coldfusion cookies httponly jsessionid jrun

Peter Boughton Jun 26 '09 at 10:41

source share

3 answers

Salazar mubarak · Answer 1 · 2011-03-08T15:53:58+0000

From: http://www.petefreitag.com/item/764.cfm

Running CF 8 or lower and using Application.cfc

<cfcomponent> <cfset this.sessionmanagement = true> <cfset this.setclientcookies = false> <cffunction name="onSessionStart"> <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly"> <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly"> </cffunction> <cfcomponent>

Make sure you have setclientcookies = false set.

If using Application.cfm

If you are still using the Application.cfm file, you can use the following:

 <cfapplication setclientcookies="false" sessionmanagement="true" name="test"> <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")> <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly"> <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly"> </cfif>

Amit naidu · Answer 2 · 2011-08-03T06:15:26+0000

Firstly, a warm welcome to all PCI DSS refugees! In addition, third-party developers of Google Apps, Webinspect, Hailstorm, and NTOSpider supporters are invited. Take a seat right here, I have a cake for you:

While it's too late for Peter, it is actually possible that JRun will generate HTTPOnly (and secure) cookies from the very beginning, as he requested. Locate the jrun-web.xml . It will probably be in a directory, for example

C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\ .

You should add the following to the cookie-config section:

 <cookie-config> <cookie-path>/;HttpOnly</cookie-path> </cookie-config>

If your site is HTTPS, you must also enable the secure cookie option. But be careful, its server is wide and not application specific. Therefore, it may not be suitable for your general environment:

 <cookie-config> <cookie-secure>true</cookie-secure> <cookie-path>/;HttpOnly</cookie-path> </cookie-config>

If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01 Dcoldfusion.sessioncookie.httponly

I tested this on ColdFusion MX7 and it works as expected. Evasive apps I made.

Adam tuttle · Answer 3 · 2009-06-29T16:51:32+0000

The goal is for the first request to be secure (and pass the test), so if this message is closed, then it will solve the problem.

Correct me if I'm wrong, but it looks like you need to redirect to HTTPS if the request comes through HTTP. Could you catch this with a rewrite rule for a URL before the request is sent to ColdFusion?

Turn off HttpOnly cookies using JRun / ColdFusion

More articles: