Hello All,
Thanks for taking the time to go through my question.
I need to implement a security patch to an application to keep all cookies' expiry to 1 day. By default, CF sets it to 2050. I added a piece of code in Application.cfc to make it 1 day:
<cfset this.sessioncookie.timeout = "1">
However, it worked for CFID and CFTOKEN but not for the CFGLOBALS cookie.
Any idea how to update the CFGLOBALS expiry as well?
Thank you
You should be able to rewrite any of these cookies so that they're limited by whatever limits you want to use. Here's an example.
https://www.petefreitag.com/item/764.cfm
Dave Watts, Eidolon LLC
Thanks for the reply Dave. Yes, I already implemented the secure flag and it is working fine. But the problem is with changing the expiry date. I added code to change the expiry date to 1 day using <cfset this.sessioncookie.timeout = "1"> in Application.cfc.
That changes it to 1 day for CFID and CFTOKEN but not for CFGLOBALS.
Take a look at Pete's example. He's setting all the built-in sessioncookie variables to false, then has conditional logic to explicitly create the cookies. You should be able to set any cookie value you want that way. Here's his example extended for CFGLOBALS. (Note: I don't know exactly what's in CFGLOBALS and would need to figure that out to make this complete. Also, his example creates true session cookies, which will be deleted when the browser is closed; you'd have to explicitly add a date in the CFHEADERs to keep them for one day.)
<!--- Stop CF from writing CFID/CFTOKEN itself; session management stays on --->
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<!--- Write the cookies by hand only when the browser is not already presenting the current session --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
<!--- CFGLOBALS value left open: its contents are not covered here --->
<cfheader name="Set-Cookie" value="CFGLOBALS=...;path=/;HTTPOnly">
</cfif>
Dave Watts, Eidolon LLC
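The same approach carried through to a one-day lifetime, as an added example that is not code from the thread or from Pete's post. It keeps Dave's cfapplication line and condition, but uses cfcookie instead of cfheader because its expires attribute takes a number of days and writes the Expires date for you, and because it URL-encodes the value the same way the cookie scope decodes it. It assumes ColdFusion 9 or later (for the httponly attribute) and a site served only over HTTPS (Secure cookies are never sent over plain HTTP). The setOneDayCookie function name is this example's own. For CFGLOBALS, whose contents the thread does not spell out, it does not rebuild the value; it re-sends whatever value the browser already presented, since a Set-Cookie with the same name and path replaces the stored copy, expiry included.

```cfml
<!--- Added example, not code from the thread. Assumes CF9+ (httponly attribute)
      and an HTTPS-only site; keep whatever clientmanagement settings the real
      application uses on the cfapplication tag. --->
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">

<!--- Issue one cookie that lives one day. expires="1" means one day from now;
      path, Secure and HttpOnly are set explicitly rather than left to defaults. --->
<cffunction name="setOneDayCookie" returntype="void" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="value" type="string" required="true">
    <cfcookie name="#arguments.name#" value="#arguments.value#"
              expires="1" path="/" secure="true" httponly="true">
</cffunction>

<!--- Only (re)issue CFID/CFTOKEN when the browser is not already presenting the current session --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfset setOneDayCookie("CFID", session.CFID)>
    <cfset setOneDayCookie("CFTOKEN", session.CFTOKEN)>
</cfif>

<!--- CFGLOBALS: its contents are not rebuilt here. If the browser already holds one,
      re-send the same value with the one-day expiry; the browser replaces its copy
      because name and path match. --->
<cfif IsDefined("cookie.CFGLOBALS")>
    <cfset setOneDayCookie("CFGLOBALS", cookie.CFGLOBALS)>
</cfif>
```

To check the result, look at the response headers in the browser's developer tools: each of the three Set-Cookie lines should carry Expires about 24 hours ahead, Path=/, Secure and HttpOnly. If the app must still work over plain HTTP during testing, drop secure="true" temporarily, otherwise the cookies will never come back and every request will mint a new session.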