manass10781009
Participant
November 19, 2018
Question

Modify expiry date of Cookies- CFID and CFToken


Persistent cookies (CFID and CFToken) have a default expiry date 30 years ahead of the current date.

In our application, the security team finds this data vulnerable, and here is the dump snippet provided:

Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly

Set-Cookie: CFTOKEN=d52d0264379150e2-C2C656EB-9A1E-386D-0418A9B7776141C5; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly

X-Xss-Protection: 1; m...TRUNCATED...

How can the expiry date of CFID and CFToken be modified?

Is there any configuration present in ColdFusion Admin?

And after the modification, how can the change be checked?


    1 reply

    Charlie Arehart
    Community Expert
    November 19, 2018

    Yes. Since cf10 you can change that in the cf admin, on the memory variables page.

    You can also change it at the application level, using an available sessioncookie struct that can be set in the this scope of application.cfc or as an attribute of cfapplication.

    Besides the docs, see this Adobe technote that introduced these and many other security improvements in cf10:

    Security improvements in ColdFusion 10 | Adobe Developer Connection

    /Charlie (troubleshooter, carehart. org)
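
One way to check the change afterwards, as an added example that is not part of the original thread: this Python script parses captured Set-Cookie lines and reports any CFID/CFTOKEN cookie whose lifetime exceeds a limit or that lacks Secure/HttpOnly. The sample headers are the ones quoted in the question; the one-day limit, the reference time (the date of the post) and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Set-Cookie lines as quoted in the question (default 30-year expiry).
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=d52d0264379150e2-C2C656EB-9A1E-386D-0418A9B7776141C5; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly",
]
WATCHED = {"CFID", "CFTOKEN"}
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

def parse_set_cookie(line):
    """Split one Set-Cookie line into (NAME, {lower-cased attribute: value})."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].split("=", 1)[0].upper(), attrs

def parse_expires(text):
    """Parse the Expires date in either the dashed or the spaced HTTP form."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised Expires value: {text!r}")

def audit(headers, now, max_lifetime=timedelta(days=1)):
    """Return findings for CFID/CFTOKEN; max_lifetime is an assumed policy limit."""
    findings = []
    for line in headers:
        name, attrs = parse_set_cookie(line)
        if name not in WATCHED:
            continue
        lifetime = None  # no Expires/Max-Age: cookie lasts for the browser session
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            lifetime = parse_expires(attrs["expires"]) - now
        if lifetime is not None and lifetime > max_lifetime:
            findings.append(f"{name}: expires in {lifetime.days} days, over the limit")
        findings += [f"{name}: missing {flag}" for flag in ("secure", "httponly") if flag not in attrs]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, datetime(2018, 11, 19, tzinfo=timezone.utc)):
        print(finding)
```

In practice, feed it the Set-Cookie lines from a fresh response captured after the setting was changed, and pass the capture time as `now`.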