Skip to main content
Inspiring
September 15, 2014
Answered

How to secure CFGLOBALS cookie

  • September 15, 2014
  • 1 reply
  • 2765 views

To secure CFGLOBALS  cookie I tried the following method as I did for CFID and CFTOKEN . But its not working for CFGLOBALS . Note that this method is working fine for CFID and CFTOKEN.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

<cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes"sessioncookie=#cf_ssn_cookies#>

Any idea why the HTTPOnly and SECURE flags are not setting up for CFGLOBALS cookie.

This topic has been closed for replies.
Correct answer Abdul L Koyappayil

Please kindly mark the thread as correctly answered. If you are unsatisfied with the current answers, then please say so.

Alternatively, you may of course post a new message which you consider to be the correct or best explanation, and mark it as the correct answer. Rounding off a thread in this way will help others to quickly find solutions. Thanks.


This is appear to be a bug and it has been reported in Adobe. So I think we need to wait untill Adobe fix this bug.

1 reply

BKBK
Community Expert
Community Expert
September 15, 2014

This is turning out to be quite something. After a few unsuccessful coding attempts at securing the cookie, I went to the web in search of more information. To my surprise, I am unable to find any documentation on securing the CFGLOBALS cookie. Still looking.

Inspiring
September 16, 2014

Ok.... But it is actually neccessary to secure CFGLOBALS cookie. Right?? Why I am asking this is because this cookie contain CFID and CFTOKEN values.

BKBK
Community Expert
Community Expert
September 16, 2014

I agree. It should be possible to make the cfglobals cookie secure and httponly, because it contains the session ID.