Question
Setting Session Cookies To Be Secure
I know that you can set cookies to be secure via the Secure
attribute of CFCOOKIE, but if you have J2EE session variables
enabled in the CF Administrator (I'm using CFMX 6.1 Standard
Edition), I cannot seem to set JSESSIONID to be secure. Is there an
easy way to do this?
An auditor recently reviewed the security of one of our web sites & said that session cookies need to be set to be secure. When a cookie is secure, you will see "secure" in the server header. For example, if I set CFID, CFTOKEN and JSESSIONID to secure using the CFCOOKIE tag and then view the server header, it would look like this:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 13 Jun 2006 12:55:05 GMT
Set-Cookie: CFID=26853;expires=Thu, 05-Jun-2036 12:45:28 GMT;path=/
Set-Cookie: CFTOKEN=ba3fb8d854ee8c71-CD759D8F-1279-D486-D9C2C39501020CBE;expires=Thu, 05-Jun-2036 12:45:28 GMT;path=/
Set-Cookie: JSESSIONID=52409b71948e$1B$7Bz$;path=/
Set-Cookie: CFID=26853; Secure;path=/
Set-Cookie: CFTOKEN=ba3fb8d854ee8c71%2DCD759D8F%2D1279%2DD486%2DD9C2C39501020CBE; Secure;path=/
Content-Type: text/html; charset=UTF-8
Note the secure setting for CFID and CFTOKEN, but not for JSESSIONID. Is there an easy way of setting JSESSIONID as secure without writing a Java Server Page to access and update the secure flag of JSESSIONID (which I believe would require upgrading from Standard Edition to Enterprise Edition)?
Any ideas or thoughts on this would be appreciated!
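The check the auditor ran can be reproduced against the header block quoted above. The following script is an added example, not code from the poster or from ColdFusion: it reads a captured response (the one from the post, embedded as constructed sample input), keeps the last Set-Cookie seen for each cookie name (when a server sends the same cookie twice, as happens here for CFID and CFTOKEN, the browser keeps the later one, so the later header's attributes are what count), and reports any session cookie whose final Set-Cookie lacks the Secure attribute. The set of cookie names treated as session cookies (CFID, CFTOKEN, JSESSIONID) is an assumption taken from the post.

```python
"""Audit a captured HTTP response for session cookies set without Secure."""
from typing import Dict, List

# Cookie names treated as session identifiers (assumption from the post:
# ColdFusion's CFID/CFTOKEN and the J2EE container's JSESSIONID).
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Constructed sample input: the response header block quoted in the post.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 13 Jun 2006 12:55:05 GMT
Set-Cookie: CFID=26853;expires=Thu, 05-Jun-2036 12:45:28 GMT;path=/
Set-Cookie: CFTOKEN=ba3fb8d854ee8c71-CD759D8F-1279-D486-D9C2C39501020CBE;expires=Thu, 05-Jun-2036 12:45:28 GMT;path=/
Set-Cookie: JSESSIONID=52409b71948e$1B$7Bz$;path=/
Set-Cookie: CFID=26853; Secure;path=/
Set-Cookie: CFTOKEN=ba3fb8d854ee8c71%2DCD759D8F%2D1279%2DD486%2DD9C2C39501020CBE; Secure;path=/
Content-Type: text/html; charset=UTF-8
"""


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attributes are keyed case-insensitively; flag attributes such as
    Secure (no '=value') are stored as True.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def final_cookies(raw_response: str) -> Dict[str, Dict[str, object]]:
    """Return the last Set-Cookie header seen for each cookie name.

    A later Set-Cookie for the same name replaces the earlier one in the
    browser, so the later header's attributes decide the audit result.
    """
    result: Dict[str, Dict[str, object]] = {}
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            result[str(cookie["name"])] = cookie
    return result


def audit(raw_response: str) -> List[str]:
    """List session cookies whose final Set-Cookie has no Secure attribute."""
    findings = []
    for name, cookie in final_cookies(raw_response).items():
        if name not in SESSION_COOKIES:
            continue
        attrs = cookie["attrs"]
        assert isinstance(attrs, dict)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return sorted(findings)


if __name__ == "__main__":
    # On the post's header block this reports only JSESSIONID.
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Running it against the quoted headers flags only JSESSIONID, matching what the post observes: the CFCOOKIE re-sends of CFID and CFTOKEN carry Secure and win, while the container-issued JSESSIONID is never re-sent with the attribute.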