# cfml-general
d
Secure Cookies question. Am I right that if the cert on the site isn't trusted, because it's a dev site that uses a wildcard cert from another domain of ours, then cookies will show in the chrome dev console as not secure, and not http only? Not secure I expected due to the cert, but I thought http only would still be honored. The box is checked in cf admin.
f
I don’t think that is the case.
`httpOnly` and `secure` are flags on the actual cookies which are part of the `Set-Cookie` HTTP response header. So you can check by going into the network tab and looking at the actual HTTP response headers.
The `secure` flag on the cookie means that the browser will only send it over a “secure” / https connection, so if you request the same domain over plain http, it would not send the secure cookies.
The `httpOnly` flag means that the cookie is marked as not accessible to non-HTTP APIs (primarily JavaScript) - you want this for your session cookies to help prevent session hijacking.
d
Thanks @foundeo. Firefox dev tools > storage > cookies shows 3 cookies, CFID, CFTOKEN, and JSESSIONID. Only JSESSIONID shows as secure and httpOnly. Network > response cookies shows only JSESSIONID, which is secure and httpOnly. Is this a reasonably secure posture?
f
try deleting your existing cookies first, if you toggled j2ee sessions on, you might have some old cookies hanging around
if your server is sending all three back you want them all to be httponly and secure
additionally samesite=lax is good to add as well
d
OK, will try clearing them. What's the chance of samesite=lax breaking anything?
f
pretty low since some browsers now default to SameSite=lax when samesite is missing, so chances are you would have seen any problems by now
d
OK, thanks.