Persistent cookies (CFID and CFTOKEN) have a default expiry date 30 years ahead of the current date.
In our application, the security team finds this data vulnerable, and here is the dump snippet provided:
Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly
Set-Cookie: CFTOKEN=d52d0264379150e2-C2C656EB-9A1E-386D-0418A9B7776141C5; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly
X-Xss-Protection: 1; m...TRUNCATED...
How can the expiry date of CFID and CFTOKEN be modified?
Is there any configuration present in the ColdFusion Administrator?
And after the modification, how can the change be checked?
Yes. Since CF10 you can change that in the CF Administrator, on the Memory Variables page.
You can also change it at the application level, using the available sessioncookie struct that can be set in the this scope of Application.cfc or as an attribute of cfapplication.
Besides the docs, see this Adobe technote that introduced these and many other security improvements in CF10:
Security improvements in ColdFusion 10 | Adobe Developer Connection
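To make the application-level option concrete, here is an added example of a script-style Application.cfc that sets the sessioncookie struct mentioned above. It is not code from the thread or from Adobe; the application name is constructed, and the meaning of the timeout key (cookie lifetime in days) is an assumption that should be confirmed against the Application.cfc documentation for your ColdFusion version.

```cfml
// Application.cfc (added example; not from the original thread)
component {

    // Constructed application name for this example.
    this.name = "ExampleApp";

    // Server-side session lifetime: 30 minutes of inactivity.
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // CF10+ sessioncookie struct. Values set here override the
    // defaults configured on the CF Administrator "Memory Variables" page
    // for this application only.
    this.sessionCookie = {
        // Keep the flags the dump already shows.
        httpOnly = true,
        secure = true,
        // ASSUMPTION: timeout is the cookie lifetime in days.
        // 1 day replaces the default of roughly 30 years seen in the
        // Expires=...2048 header. Confirm the unit for your CF version.
        timeout = 1,
        // Let ColdFusion re-issue CFID/CFTOKEN when needed (default).
        disableUpdate = false
    };
}
```

To check the change after deploying, request any page of the application with a client that shows response headers (for example a browser's network panel, or a command-line HTTP client with header output enabled) and confirm that the Expires value on the CFID and CFTOKEN Set-Cookie headers is now one day ahead of the Date header rather than 30 years ahead.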