Participant
April 24, 2018
Question

securing the cfglobal cookie


Our company was doing security scans on our https website and reported to me that the cfglobal cookie is not being served securely.  I did some reading and tried the following solutions to fix this.  After checking the headers I still have an unsecured cfglobal cookie.  Here's what I tried:

  1. CF Administrator -> Memory Variables -> Check Secure Cookie and HTTPOnly
  2. in Application.cfc added the following cfscript code:
    • this.sessioncookie.httponly = true;
    • this.sessioncookie.secure = true;

Header:

I don't know what else to do.  I thought checking secure cookie in CF Administrator forces all the cookies to be served securely???


1 reply

pete_freitag
Participating Frequently
August 31, 2018

If you do not use client variables then the CFGLOBALS cookie is not required, so if that is the case make sure you have clientManagement set to false in your Application.cfc or cfm.

There is not a setting in CF that adds the secure flag to the cookie, so you can use your Web Server to modify the cookie value; here's an example of how to do that using IIS: https://www.petefreitag.com/item/850.cfm
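Added check, not part of the original thread: since the Administrator and Application.cfc settings cover the session cookies but not CFGLOBALS, the fastest way to confirm what is still unsecured is to audit the raw Set-Cookie headers (from curl -I or browser dev tools). The header lines below are constructed samples, and the audit() helper is this editor's code, not anything from the post or from ColdFusion.

```python
"""Audit Set-Cookie headers for cookies missing the Secure / HttpOnly flags."""
from dataclasses import dataclass


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie value (the part after 'Set-Cookie:').

    Attributes after the first ';' are matched case-insensitively, so
    'secure', 'Secure' and 'SECURE' all count.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit(header_lines):
    """Return {cookie_name: [missing flags]} for every cookie lacking a flag.

    Accepts full header lines ('Set-Cookie: ...') or bare header values.
    An empty dict means every cookie in the response carries both flags.
    """
    findings = {}
    for raw in header_lines:
        value = raw.split(":", 1)[1] if raw.lower().startswith("set-cookie:") else raw
        cookie = parse_set_cookie(value)
        missing = [flag for flag, ok in (("Secure", cookie.secure),
                                         ("HttpOnly", cookie.httponly)) if not ok]
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample: what a CF response typically looks like after the
# session-cookie settings from the question are applied. CFGLOBALS is only
# sent when clientManagement is on, and nothing in CF adds Secure to it.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=12345; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=67890abc; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D12345%26CFTOKEN%23%3D67890abc; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```

If CFGLOBALS shows up in the findings at all, that also tells you clientManagement is still enabled, which is the first thing the reply suggests checking.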