WolfShade
Legend
April 18, 2019
Question

JSESSIONID secure and httpOnly??

  • April 18, 2019
  • 2 replies
  • 11076 views

Hello, all,

We have been alerted to a minor finding.  JSESSIONID session cookies are not secure.  The CFID and CFTOKEN are secure and httpOnly.

We followed instructions from a 2014 thread to make JSESSIONID session cookies secure and httpOnly.

Viewing in Firefox with DevTools, initially the JSESSIONID cookies are secure and httpOnly, but if you click on to another cookie, then come back to JSESSIONID, the cookie is NOT secure.

Viewing in IE11 with DevTools, the JSESSIONID cookie shows twice; once as secure and httpOnly, once as not secure but httpOnly.

What is happening?? I'm at a loss on this one.


V/r,

^ _ ^


2 replies

BKBK
Community Expert
April 22, 2019

WolfShade wrote:

Hello, all,

We have been alerted to a minor finding.  JSESSIONID session cookies are not secure.  The CFID and CFTOKEN are secure and httpOnly.

We followed instructions from a 2014 thread to make JSESSIONID session cookies secure and httpOnly.

It would help to know which instructions you followed. They might need reviewing.

WolfShade (Author)
Legend
April 24, 2019

The link provided by Dave Watts, https://geekflare.com/secure-cookie-flag-in-tomcat/.  Those instructions were followed, and it's still acting wonky.

V/r,

^ _ ^

BKBK
Community Expert
April 24, 2019

I wish to add a third voice, confirming the suggestions you've received from Dave Watts and Pete_Freitag.

The setting to use is

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

or equivalent, in /runtime/conf/web.xml of every instance.

Community Expert
April 19, 2019

If your initial connection is not secure, and gets redirected, I think you might end up with two copies of it. Do those copies have identical values?

What version of CF are you using?

I'd look at implementing the fixes shown here:

https://geekflare.com/secure-cookie-flag-in-tomcat/

Dave Watts, Eidolon LLC

WolfShade (Author)
Legend
April 19, 2019

DISA STIG dictates that redirecting from http to https is a security vulnerability, so we no longer redirect :80 to :443.

Yes, the two cookies have identical values.  We are currently using CF11, I'm sure we have the latest updates.  As soon as a CF update is available, it is thoroughly scrutinized then applied as quickly as possible.

Thank you for that link.  I have passed it on to our DBA and our SA for review.

V/r,

^ _ ^

pete_freitag
Participating Frequently
April 19, 2019

FYI Tomcat will set the JSESSIONID cookie as secure as long as it thinks the request is made over https. Not sure why you are getting two cookies; most often this is due to having some code that is trying to set a cookie manually. I did some looking into this a few years ago: https://www.petefreitag.com/item/817.cfm
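The thread turns on two observations: Dave Watts's question of whether the two JSESSIONID copies carry identical values, and Pete Freitag's point that Tomcat only adds the Secure flag when it believes the request arrived over https. The script below is an added example, not code from this thread, from ColdFusion, or from Tomcat. It parses raw HTTP responses, pulls out every Set-Cookie header, and reports cookies that lack Secure or HttpOnly as well as cookies set more than once with conflicting flags. The two sample responses are constructed for the example: one is what a TLS request produces with the cookie-config BKBK quotes, the other is what a plain-http request to the same server produces, which reproduces the "same value, one copy not secure" symptom described in the question.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly flags and duplicate cookies.

Added example. The sample responses below are constructed, not captured
from the poster's server.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieRecord:
    name: str
    value: str
    secure: bool
    httponly: bool
    scheme: str  # scheme of the response that set the cookie ("http"/"https")


def parse_set_cookie(header_value: str, scheme: str) -> CookieRecord:
    """Parse one Set-Cookie value such as 'JSESSIONID=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; flag attributes carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieRecord(name.strip(), value.strip(),
                        "secure" in attrs, "httponly" in attrs, scheme)


def extract_set_cookies(raw_response: str, scheme: str) -> List[CookieRecord]:
    """Return every Set-Cookie header from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    records = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            records.append(parse_set_cookie(val.strip(), scheme))
    return records


def audit(records: List[CookieRecord]) -> List[str]:
    """Flag missing Secure/HttpOnly and cookies set twice with differing flags."""
    findings: List[str] = []
    by_name: Dict[str, List[CookieRecord]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
        if not r.httponly:
            findings.append(f"{r.name}: missing HttpOnly (set over {r.scheme})")
        if not r.secure:
            findings.append(f"{r.name}: missing Secure (set over {r.scheme})")
    for name, recs in by_name.items():
        if len(recs) > 1:
            # Dave's question: do the copies share a value? Pete's point: do
            # the flags differ because one copy was issued over plain http?
            same_value = len({r.value for r in recs}) == 1
            same_flags = len({(r.secure, r.httponly) for r in recs}) == 1
            findings.append(
                f"{name}: set {len(recs)} times "
                f"({'identical' if same_value else 'different'} values, "
                f"{'consistent' if same_flags else 'conflicting'} flags)")
    return findings


def audit_responses(responses: List[Tuple[str, str]]) -> List[str]:
    """Audit the cookies set across several (scheme, raw_response) pairs."""
    records: List[CookieRecord] = []
    for scheme, raw in responses:
        records.extend(extract_set_cookies(raw, scheme))
    return audit(records)


# Constructed sample: response to a request made over TLS, with
# <http-only>true</http-only> and <secure>true</secure> in cookie-config.
SAMPLE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: CFID=1001; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: CFTOKEN=77777777; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Constructed sample: same session reached over plain http on :80.
# Tomcat does not add Secure because it does not see an https request.
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_responses([("https", SAMPLE_HTTPS), ("http", SAMPLE_HTTP)]):
        print(finding)
```

Run against responses captured from both the :443 and the :80 listener (or from each host name the application answers on), rather than a single DevTools view, since the browser's cookie jar merges what both responses set. A copy of JSESSIONID without Secure that only appears in the plain-http response is consistent with Pete's explanation; if the flag is also missing over TLS, check whether TLS is terminated in front of Tomcat, because Tomcat then sees plain http unless the connector or a valve such as RemoteIpValve tells it otherwise.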