Forcing HttpOnly cookies with JRun/ColdFusion

Published 2020-07-11 05:40

Question:

We need to ensure that all cookies on a CF7 site are set as HttpOnly.

We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.

Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.

Any suggestions?


Related Question: Setting Secure flag for HTTPS cookies.

Answer 1:

From: http://www.petefreitag.com/item/764.cfm

Running CF 8 or Lower and using Application.cfc

<cfcomponent>
  <cfset this.sessionmanagement = true>
  <cfset this.setclientcookies = false>
  <cffunction name="onSessionStart">
      <!--- Emit the session cookies ourselves so the HttpOnly attribute is present from the first response --->
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cffunction>
</cfcomponent>

Make sure you have setclientcookies = false specified.

If Using Application.cfm

If you are still using an Application.cfm file, you can use the following:

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>


Answer 2:

First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:

While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like

C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.

You have to add the following to the cookie-config section:

<cookie-config>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If your site is HTTPS, you should also enable the secure cookie option. But be careful, it's server-wide, not application-specific. So it may not be suitable for your shared environment:

<cookie-config>
    <cookie-secure>true</cookie-secure>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01: -Dcoldfusion.sessioncookie.httponly

I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
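Both answers above produce their effect by changing the literal text of the Set-Cookie header the server sends on the first response, which is exactly what a scanner inspects. The following is an added example, not code from the original question or answers: a small Python check that parses raw Set-Cookie header lines the way a browser or scanner would and reports which session cookies (JSESSIONID, CFID, CFTOKEN) lack HttpOnly, and, for an HTTPS site, Secure. The sample headers are constructed to mirror the two approaches: CFID/CFTOKEN emitted via cfheader as in Answer 1, and a JSESSIONID produced by JRun with the cookie-path trick from Answer 2. Cookie names, values and the CFGLOBALS line are made-up sample data.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not from the original post). Parses each Set-Cookie
header value into name, value and attributes, then flags session
cookies missing HttpOnly (always) or Secure (when the site is HTTPS).
"""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lowercase attribute name -> attribute value, or None for flag attributes
    attrs: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attributes are split on ';' as in RFC 6265."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no '=' and are stored as None.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value, attrs)


# Cookies that carry the session identity and must never be readable from script.
SESSION_COOKIES = {"jsessionid", "cfid", "cftoken"}


def audit(headers, https=True):
    """Return (cookie name, missing attribute) pairs for session cookies.

    Non-session cookies are ignored. Secure is only required when https=True.
    """
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name.lower() not in SESSION_COOKIES:
            continue
        if not c.httponly:
            findings.append((c.name, "HttpOnly"))
        if https and not c.secure:
            findings.append((c.name, "Secure"))
    return findings


# Constructed sample of what a first response might carry (values are made up).
SAMPLE_HEADERS = [
    "JSESSIONID=ab12cd34ef56; Path=/;HttpOnly",       # JRun with cookie-path "/;HttpOnly"
    "CFID=1234;path=/;HTTPOnly",                      # emitted via cfheader in onSessionStart
    "CFTOKEN=99999999;path=/;HTTPOnly",
    "CFGLOBALS=urltoken%3DCFID%3D1234; Path=/",       # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS, https=True):
        print(f"{name}: missing {missing}")
```

Run against the sample, with https=True the check reports that all three session cookies lack Secure, which is the point of the "Related Question" link above: adding HttpOnly alone passes the HTTP case but an HTTPS site also needs Secure, whether via cookie-secure in jrun-web.xml or by appending it to the cfheader value. The check deliberately parses the raw header rather than a cookie jar, because the JRun cookie-path trick only works by smuggling ";HttpOnly" into the header text, and inspecting that text is how you confirm it actually came out as a separate attribute.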



Answer 3:

The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.

Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?