How to Set up HTTPOnly and SECURE FLAG for session cookies

Hi BKBK,

Thanks for your comments.

I understood ,you answered to the question. But I have few questions here.

1]We dont have access to check this in CF Admin->Server Settings->Memory Variables. Any way This is a server level side solution and it may impact other applications in the same instance as well.Right?? But I think the impact is not a negative impact as we are just securing the session cookies.Right???

2]To do this via code , In Application.cfm (not using Application.cfc as our application is existing and old one) I created a structure with the required properties and passed this to the "sessioncookie" attribute in "cfapplication" tag as below.

  <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" setclientcookies="yes" sessioncookie=#cf_ssn_cookies# >

But it seems to be not working when I checked using chrome developer tools where I found empty values for the columns HTTP and SECURE as in the attached screen shot.

Here Could you pls tell me the method I followed to set HTTPOnly and Secure flag for the session cookies is correct or not. If it is correct plese let me know whether I am following correct steps using chrome web developer tool to check whether session cookies has been set with HTTPOnly and SECURE flag .

And If I am following correct steps to test why it is not working when checking in chrome developer tools.

Using cfapplication's sessioncookie attribute is fine, too. For completeness, use something like

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

so this will set HTTPOnly and SECURE flag for session cookies and I can test it using chrome web developer tool as I mentioned right??? ultimately I wanna know how we can test this whether cookies have been set with HTTPOnly and SECURE flag or not. Any ideas.

Yes, just use Chrome Developer Tools as you did before. Alternatively, open the page in Firefox, and view the cookies using the Firebug add-on.

But when I did this using chrome I found empty values for the columns HTTP and SECURE against the session cookies CFID and CFTOKEN. I have attached a screen shot for this in the above discussions . Can you pls tell me why this happens then. I restarted the server also but no luck. Any Thoughts???

I have just tested with the cfapplication tag I suggested above, and opened the test page in Chrome. It works as expected. The CFID and CFToken cookies are secure and HTTPOnly.

Run your own test page in Chrome. Then follow these steps to see the cookies: 4 Ways to View Cookies - wikiHow

I checked the way you explained and I found that the session cookies( CFID and CFTOKEN ) except JSESSIONID are setting up with HTTPOnly and SECURE flag. For JSESSIONID I am getting following details.

Note that when I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES.

So I think the the below code that we used is only for CF Session cookies and not for JSESSIONID. So this solution (below code) will not work for JSESSIONID.Right???. Please correct me if I am wrong. If I am correct could you please explain how can I make it work for JSESSIONID.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes"sessioncookie="#cf_ssn_cookies#" >

Also When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.

Abdul,

Could you split this into different questions, which we can discuss, one at a time? Otherwise it all becomes unnecessarily complex.

Your original question was how to set Secure, HTTPOnly cookies and view them in the Chrome browser. If that problem is solved, then please say so, and close the subject, before raising further issues.

Abdul L Koyappayil wrote: So I think the the below code that we used is only for CF Session cookies and not for JSESSIONID. So this solution (below code) will not work for JSESSIONID.Right???.

Right.

All these issues are related that is the reason I am asking all these questions here.

And what about - When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.

I think only the unrelated question is how to set HTTPOnly and Secure flag for Jsessionid , I will post a separate question on this.

Abdul L Koyappayil wrote: All these issues are related that is the reason I am asking all these questions here.

Fair enough. But not all at once. Acknowledging the questions already answered makes the discussion less complex, hence more fruitful.

Abdul L Koyappayil wrote: And what about - When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.

Your description is broad. When you say you removed a piece of code, we still know nothing about what you left in. So what was the content of the Application.cfm that you tested with?

Ok I understood....sorry for the confusion..... let me explain.

Initially I created Application.cfm as below  (only below codes)

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

Later on I removed the attriobute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag ( This is what I meant to say with "When I removed the above piece of code") .... Sorry for the confusion. So now my Application.cfm contains only below code. At this time SECURE flag is not setting but HTTPOnly is always setting irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in cfapplication tag.

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" >

I hope you got it ...

Abdul L Koyappayil wrote: Ok I understood....sorry for the confusion..... let me explain. Initially I created Application.cfm as below  (only below codes) <cfset cf_ssn_cookies = {httponly='true', secure='true'}>   <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" > Later on I removed the attriobute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag ( This is what I meant to say with "When I removed the above piece of code") .... Sorry for the confusion. So now my Application.cfm contains only below code. At this time SECURE flag is not setting but HTTPOnly is always setting irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in cfapplication tag.   <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" > I hope you got it ...

Yes, I got it. Thanks. Good test style.

BKBK wrote: Yes, I got it. Thanks. Good test style.

What does this mean. the discussion is over or are still working on the three questions that posted above. Just to know....

Yes steve I am doing this as a result of PCI vulnerability scan.

Steve Sommers wrote: Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it.

Sorry, I couldnt undestand the sentence that I have marked as bold and italic,above. Could you please elaborate it in simple words.

Also I would like to inform you that when I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well . In the scanning report they have mentioned to set HTTPOnly and SECURE flag for SESSION COOKIES (I think this includes both CF SESSION COOKIES and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please have your inputs on this.

Abdul L Koyappayil wrote: So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well . In the scanning report they have mentioned to set HTTPOnly and SECURE flag for SESSION COOKIES (I think this includes both CF SESSION COOKIES and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please have your inputs on this.

You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

BKBK wrote: You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

I couldnt understand this. I mean how are you relating this with my question.

I have below questions as below. Kindly go through the below questions. Otherwise If needed I can post separate questions but I think all these are related and no need to post separate quesyions. Bu if you need I can do , np .....

1] When I removed the below piece of code from Application.cfm file , SECURE flag is not setting but HTTPOnly is always setting irrespective of the below piece of code. Any Idea why this is happening??.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#"setclientcookies="yes"sessioncookie="#cf_ssn_cookies#" >

2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.

3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.

What is your Coldfusion version?

CF 10 . And web server is Apache

Abdul L Koyappayil wrote: CF 10 . And web server is Apache

OK, then my assumption was right. CF10 and 11 are built on Tomcat. That is relevant to the discussion. I will now take it up again.

Abdul L Koyappayil wrote: BKBK wrote: You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS. I couldnt understand this. I mean how are you relating this with my question.

When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.

1] When I removed the below piece of code from Application.cfm file , SECURE flag is not setting but HTTPOnly is always setting irrespective of the below piece of code. Any Idea why this is happening??.

My bet is that the setting HTTPOnly=true is the default (set, for example, in the Coldfusion Administrator). To switch it off, use

<cfset cf_ssn_cookies = {httponly='false'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.

Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.

3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.

It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.