• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

How to Set up HTTPOnly and SECURE FLAG for session cookies

Explorer ,
Sep 01, 2014 Sep 01, 2014

Copy link to clipboard

Copied

Hi All,

To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.

I have found the below solutions.

For setting up the HTTPOnly for the session cookies.

1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables

     this.sessioncookie.httponly = true;

For setting up the secure flag for the session cookies.

2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables

     this.sessioncookie.secure = "true"

Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">

<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>

  <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">

  <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">

</cfif>

But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.

Your timely help is well appreciated.

Thanks in advance.

Views

21.8K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Sep 08, 2014 Sep 08, 2014

As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. That translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.

Apparently, there might be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it might be that the file you have to modify is \WEB-INF\web.xml within the directory of the particular instance. These are servlet configuration settings which you can safely test (after backing up

...

Votes

Translate

Translate
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

BKBK wrote:

Abdul L Koyappayil wrote:

BKBK wrote:

You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

I couldnt understand this. I mean how are you relating this with my question.

When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.

         

     If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.

    

BKBK wrote:

2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.

Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.

     I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.

BKBK wrote:

3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.

It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.

     I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

       

     If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.

Oops, I may have been wrong in assuming it is switched on by default in Tomcat. However, the essential point remains: to set the JsessionID 'secure' flag in Tomcat, not in Coldfusion.

Looking through the Tomcat settings, the prime candidate for configuration is the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Back-up the file before you proceed.

Open the file in a text editor. Uncomment the section

<!--

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

    -->

Save the result. Restart Coldfusion.

    I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question.

I answered that already: the most obvious place is in the Coldfusion Administrator.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

I am little confused here. I would like to clarify below things.

You said "When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected."

Here my question : For Apcahe vFabric ,setting secure flag for J2EE session cookie is working in the same way (as you explained above) as Apache Tomacat???

To set secure flag for JSESSIONID we need to uncomment the below section in the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Am I right???.

If I am right , uncommenting the below section will not impact the application(s) any way. What you think???

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

Good question, Abdul. Change of plan.

On second thoughts, do not modify the server.xml file as I suggested. That is all too heavy-going and clumsy. There has to be a simpler solution.

There is one thing I know. Tomcat is configured to automatically flag the JsessionID cookie as secure when it detects HTTPS. The question is, why it fails to set the flag in your case. Let us look into this some more.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed.

Open the file in a text editor. Replace the setting

    <session-config>

        <session-timeout>30</session-timeout>

    </session-config>

with the setting

<session-config>

     <session-timeout>30</session-timeout>

     <cookie-config>

          <http-only>true</http-only>

          <secure>true</secure>

      </cookie-config>

</session-config>

Save the result. Restart Coldfusion.

If I am right , uncommenting the below section will not impact the application(s) any way. What you think???

This is a good question. It is in fact what made me have another look.

I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

When I searched internet I found one below.

The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true . You can define Java system properties when the JVM is loaded by adding the following line:

-Dcoldfusion.sessioncookie.httponly=true

I think there are differenet ways to do this that is depends on J2ee server or Jrun server or muli-server. I am very confused after reading this.

Cant take a decision on what should I do to do this.

Can you pls guide me to know that how can I check whether my cf is installed on which server like j2ee or jrun or multi-server etc....

Accordingly I can put the solution and close this post.




Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

When I searched internet I found one below.

The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true . You can define Java system properties when the JVM is loaded by adding the following line:

-Dcoldfusion.sessioncookie.httponly=true

I think there are differenet ways to do this that is depends on J2ee server or Jrun server or muli-server. I am very confused after reading this.

That applies to Coldfusion 9.x. You can safely ignore it, because you are on Coldfusion 10.

Coldfusion underwent a big change between versions 9 and 10. The development team replaced the JRun server with Tomcat. That is why it is safe for you to ignore everything that relates to JRun. With one exception, however:

If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

This is equivalent to the suggestion in my last post.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

Can you pls guide me to know that how can I check whether my cf is installed on which server like j2ee or jrun or multi-server etc....

I see that just now. As I have said, Coldfusion 10 and 11 are built on Tomcat. To see the remaining details of your Coldfusion set-up, open the Coldfusion Administrator, and click on the link   in the top right-hand corner.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 04, 2014 Sep 04, 2014

Copy link to clipboard

Copied

This thread has information that will help someone else in future. If you are satisfied, please mark what you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark it as the answer.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

BKBK wrote:

I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed.

Open the file in a text editor. Replace the setting

    <session-config>

        <session-timeout>30</session-timeout>

    </session-config>

with the setting

<session-config>

     <session-timeout>30</session-timeout>

     <cookie-config>

          <http-only>true</http-only>

          <secure>true</secure>

      </cookie-config>

</session-config>

Save the result. Restart Coldfusion.

If I am right , uncommenting the below section will not impact the application(s) any way. What you think???

This is a good question. It is in fact what made me have another look.

I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

I tried this and restarted the cf instance. And then I checked the jsessionid in chrome browser I got below info , means its not setting the SECURE flag for jsession id. Had you tried this method before.

Any thoughts.

Note that I am using UNIX and I modified the below file

/opt/coldfusion/cfusion/runtime/conf/web.xml

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

I am on Windows, but that should not matter. I have just gone through the steps myself. The JsessionID cookie was stored as secure, as expected.

Here are the steps I followed, starting with Coldfusion's original /runtime/conf/web.xml file:

1) Open a CFM test page in Chrome.

2) Open Chrome's settings and read the JsessionID cookie. Its relevant attributes are

Send for: Any kind of connection

Accessible to script: No (HttpOnly)

3) Open Chrome's History settings and clear all browsing data 'since the beginning of time'. Close Chrome.

4) Stop Coldfusion. Edit the web.xml file as follows and save it:

<!--

<session-config>

        <session-timeout>30</session-timeout>

    </session-config>

-->

<session-config>

     <session-timeout>30</session-timeout>

     <cookie-config>

          <http-only>true</http-only>

          <secure>true</secure>

      </cookie-config>

</session-config>

5) Restart Coldfusion.

6) Open the same CFM test page in Chrome as you did in step 1).

7) Open Chrome's settings and read the JsessionID cookie. You should now observe that there is a change from "Send for: Any kind of connection" to "Send for: Secure connections only". See attached image, showing the cookie details before and after.

jsessionID_cookie.png



Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

I tried the same thing. But still its not changing. I cleared all the browsing data and cookies and restarted the instance again.

The only difference between me and you is I am working on UNIX environment. So does this make any difference. I am not understanding.

Note :  I am modifying the file - /opt/coldfusion/cfusion/runtime/conf/web.xml. Can you just tell me the file (including path) you are modifying in windows , just to know.

jsess_cookie.jpg

As Steve Sommers posted - "Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it."  Do I need to make any modifications in the JVM config string in the CF Administrator as well apart from what we did in web.xml??? .... I was just thinking .....

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. That translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.

Apparently, there might be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it might be that the file you have to modify is \WEB-INF\web.xml within the directory of the particular instance. These are servlet configuration settings which you can safely test (after backing up your files, of course).

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

Now its working fine. I modified the file /opt/coldfusion/{instance_name}/runtime/conf/web.xml instead of /opt/coldfusion/cfusion/runtime/conf/web.xml as I have more than 2 instances.

Now I need to think about that is there any issue while a hit is going from https to http. Because when I searched I found that there is hit going to an http site http://xyz.com from my application which is https, https://pqr.com.

BK , any thoughts on this I mean in which all the ways it(setting secure flag in https application) may impact , if a hit is going from https to http.

I know this might be a different topic , but still I think it is a related one . If you need to open a new discussion regarding this , no probs I can do that....

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 08, 2014 Sep 08, 2014

Copy link to clipboard

Copied

LATEST

I am glad to hear it now works. You are right: we should explore the new issue in a thread of its own. Refreshing to close one chapter before opening another.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation