Participant

Question

httponly cookie

Forum|Forum|14 years ago
December 16, 2011
3 replies
5074 views

Hi,

I am working in CF7 verison and using application.cfm. I want to make cookie secure by enabling httponly to true. There is no option for httpnonly available for cfcookie in CF7, so I am using cfheader.

When using cfheader in application.cfm for enabling httponly,session ID - CFID&CFTOKEN creates for each and every page while navigating. My problem is unable to handle the session tracking for each and every page while doing navigation. I do not want to send the cfid and cftoken in URL parameter for security reason

Below code is using for my applicaion, and I followed all the instruction but no use.

If anyone knows solution, please let me know and it would be great help.

This topic has been closed for replies.

12Robots

Participating Frequently

Remove the word "secure" for any of your CFHEADER values. Unless you are running on an SSL connection (which I am suspecting you are not) then *exactly* what you are describing will happen.

When you have the word "secure" in the SET-COOKIE header it sets the cookie as a SECURE cookie. This means the browser will NOT send the cookie to the server unless it is over an SSL connection.

Jason

C

cfveeraAuthor

Participant

Jason,

I tried with your suggestion and it is working fine in dev environment. Whereas QA and PROD environment, we are using HTTPS connection. Will it work if remove "secure" word in QA and PROD or need to add "secure" word in CFHEADER. Please clarify me in this.

thanks for your post.

veera

BKBK

Community Expert

cfveera wrote:
Jason,
I tried with your suggestion and it is working fine in dev environment. Whereas QA and PROD environment, we are using HTTPS connection. Will it work if remove "secure" word in QA and PROD or need to add "secure" word in CFHEADER. Please clarify me in this.

Do you mean the last example I gave does not work on QA and PROD?

D

Dave Watts

Community Expert

I recommend that you use JSESSIONID instead of CFID and CFTOKEN by enabling J2EE session management in the CF Administrator. Then, do this:

http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC

BKBK

Community Expert

4 suggestions:

1) Make sure the name of your application file begins with capital-A, thus: Application.cfm;

2) Define timeouts for the application and for sessions;

3) Remove the if-condition on CGI.HTTPS, as it is unnecessary.(The code within the if-block is the same as that within the else-block);

4) Set the cookie expiry date.

</cfif>

C

cfveeraAuthor

Participant

Dave,

I have tried with your code but no use, same result. whenever page loads for each requests then new session id is creating so not able to maintain the session stable. I want to make cookies httponly anyways.

Anyhow, thanks for your post......

BKBK

Community Expert

Cfveera, what happened when you tried the suggestions I gave?

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded