# adobe
d
We have 2 new CF 2021 servers. Secure Cookie and HTTPOnly are checked in CF admin on both. However, on both servers, we see that those settings are applied to JSESSIONID, but not to CFID or CFTOKEN. We do have Use J2EE session variables checked. Does that mean that CFID and CFTOKEN aren't used at all, so it doesn't matter that they're not encrypted? I bet we'll get dinged for it on our next security audit though. Is there some way to make those two secure too?
p
Just go ahead and add this to your application.cfc:
this.sessioncookie.secure = true;
will secure both.
d
@Patrick Thanks, I'll check it out. Do you know if my guess that it doesn't actually matter if you're using jsessionid is right?
p
You should just secure them all regardless; for security sake.
d
@Patrick That doesn't seem to be working for me. The application.cfc file I added that to is definitely running, but cfid and cftoken cookies are still not httpOnly or secure. What version of cf are you in?
p
Did you restart the application?
m
Try deleting your existing cookies and then accessing it again...
d
no, but that's never needed for application.cfc changes except startup methods afaik. what does that even mean? restart the server?
@Michael Schmidt That did it, thanks. Now all I have to do is to get every user to do that 😉 Seriously though, these are session cookies, so by the time anyone cares they'll have expired anyway.
r
You can set
this.clientManagement = false
and
this.setClientCookies = false
and the CFID and CFTOKEN cookies won't even get set, assuming you don't need that functionality.
d
How do you tell CF that session cookies should be actual session cookies, so they expire when you close the browser, like the jsessionid cookie does?
r
CF only uses the JSESSIONID when set to J2EE.
d
we don't need client variables, but of course we do need session variables. client variables are shut off, but cfid and cftoken cookies are still getting created. they also expire in the length of time set in cf admin, but I don't see how to make them expire when you close the browser. @Rodney CF might only USE jsessionid, but the other two are still getting created, so they'll get noted in a security audit.
@priyank_adobe @Mark Takata (Adobe) Any comments?
Apparently if you set Cookie Timeout to -1 minutes, then CFID and CFTOKEN become session cookies, which expire when you quit the browser. However, I assume that means they DON'T expire UNTIL you quit the browser, not ideal. Is there any way to have them expire in 20 mins (say), OR when you quit the browser? I'm seeing inconsistent results about them getting the secure and httpOnly attributes. Earlier they weren't present, but now they are. I've cleared them both, twice, between retests. I don't understand.
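The settings mentioned across this thread (Patrick's `this.sessioncookie.secure`, Rodney's `this.clientManagement` / `this.setClientCookies`, and the -1 cookie timeout from the last post) all live in the application's Application.cfc. The block below is an added example, not code from any of the posters or from Adobe; the application name is assumed, the server-side session timeout of 20 minutes is the figure from the last post, and whether `this.sessioncookie.timeout` overrides the Admin "Cookie Timeout" on a given CF build is something to verify on your own server.

```cfml
// Application.cfc (added example; "secureCookieDemo" is an assumed application name)
component {
    this.name = "secureCookieDemo";
    this.sessionManagement = true;
    // Server-side session lifetime: 20 minutes of inactivity (the figure asked about above).
    // This is independent of the cookie's own expiry; an expired server session is useless
    // even if the browser still holds the CFID/CFTOKEN cookie.
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);

    // Client variables are not needed, so tell CF not to manage them and not to
    // issue CFID/CFTOKEN for that purpose (Rodney's suggestion).
    this.clientManagement = false;
    this.setClientCookies = false;

    // Harden whatever session cookies CF does issue (CFID/CFTOKEN, or JSESSIONID
    // when "Use J2EE session variables" is on).
    this.sessioncookie.httponly = true;       // not readable from JavaScript
    this.sessioncookie.secure   = true;       // only sent over HTTPS
    this.sessioncookie.sameSite = "strict";   // assumes a CF build with SameSite support (CF 2021 has it)
    this.sessioncookie.disableupdate = true;  // stop page code from loosening these via cfcookie/cfheader

    // -1 makes the session cookie a browser-session cookie (discarded when the
    // browser closes) instead of the multi-year default from CF Administrator.
    this.sessioncookie.timeout = -1;
}
```

Two checks after deploying this: first, clear the existing CFID/CFTOKEN cookies in the test browser before retesting, because CF does not rewrite a cookie the browser already sends back, which is why Michael's "delete your cookies" step was what finally made the attributes show up; second, inspect the raw `Set-Cookie` headers on a first, cookie-less request (browser dev tools or `curl -I` against the HTTPS URL) rather than the stored-cookie view, so you see exactly which attributes the server emitted. There is no single setting that gives "20 minutes OR browser close"; the combination above gets the practical equivalent, since the server-side session dies after 20 idle minutes regardless of how long the browser keeps the cookie.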