securing the cfglobal cookie

New Here,
Apr 23, 2018

Our company was doing security scans on our https website and reported to me that the cfglobal cookie is not being served securely.  I did some reading and tried the following solutions to fix this.  After checking the headers I still have an unsecured cfglobal cookie.  Here's what I tried:

  1. CF Administrator -> Memory Variables -> Check Secure Cookie and HTTPOnly
  2. in Application.cfc added the following cfscript code:
    • this.sessioncookie.httponly = true;
    • this.sessioncookie.secure = true;

Header: (screenshot Capture.PNG, not reproduced here)

I don't know what else to do.  I thought checking Secure Cookie in CF Administrator forces all the cookies to be served securely???

Enthusiast,
Aug 31, 2018

If you do not use client variables, then the CFGLOBALS cookie is not required, so if that is the case, make sure you have clientManagement set to false in your Application.cfc or .cfm.

There is not a setting in CF that adds the Secure flag to the cookie, so you can use your web server to modify the cookie value. Here's an example of how to do that using IIS: https://www.petefreitag.com/item/850.cfm

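The reply above describes two things: checking which cookies the server actually sends without the Secure flag (what the scanner reported), and having the web server append the flag to outgoing Set-Cookie headers when the application does not. The following Python is an added example written for this page; it is not code from the thread, from ColdFusion, or from the linked IIS article. It audits a list of Set-Cookie header values for the Secure and HttpOnly attributes and then applies the same "append `; Secure` if it is missing" transform that a web-server outbound rewrite rule performs, so the result can be checked offline. The header values are constructed samples with placeholder token values, not captured from a real server; the actual production fix is the IIS rule from the reply, and this code only models what that rule should produce.

```python
# Added example (not from the original thread): audit ColdFusion Set-Cookie
# headers for the Secure and HttpOnly flags, and apply the same
# "append ; Secure when missing" transform that a web-server outbound
# rewrite rule performs. Header values below are constructed samples.
from typing import Dict, List

# Constructed sample: what a ColdFusion site looks like after the session
# cookie settings from the question are applied. CFID/CFTOKEN carry both
# flags, CFGLOBALS carries neither. Values are placeholders, not real tokens.
SAMPLE_SET_COOKIE_HEADERS: List[str] = [
    "CFID=12345; Path=/; Secure; HttpOnly",
    "CFTOKEN=0123456789abcdef; Path=/; Secure; HttpOnly",
    "CFGLOBALS=urltoken%3DCFID%23%3D12345%26CFTOKEN%23%3D0123456789abcdef; Path=/",
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and the set of
    lower-cased attribute names that follow it (path, secure, httponly, ...)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attributes": attrs}


def audit_cookie_flags(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Return {cookie_name: {"secure": bool, "httponly": bool}} for each header."""
    report: Dict[str, Dict[str, bool]] = {}
    for h in headers:
        parsed = parse_set_cookie(h)
        attrs = parsed["attributes"]
        report[str(parsed["name"])] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        }
    return report


def insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that lack the Secure flag, i.e. what a scanner flags."""
    return [
        name for name, flags in audit_cookie_flags(headers).items()
        if not flags["secure"]
    ]


def add_secure_flag(header_value: str) -> str:
    """Append '; Secure' to a Set-Cookie value unless the flag is already
    present. This mirrors the web-server approach from the reply: the
    application emits the cookie as-is and the server patches the header
    on the way out. The attribute check is case-insensitive, so an
    existing 'secure' is not duplicated."""
    attrs = parse_set_cookie(header_value)["attributes"]
    if "secure" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


def harden_headers(headers: List[str]) -> List[str]:
    """Apply add_secure_flag to every Set-Cookie header in a response."""
    return [add_secure_flag(h) for h in headers]


if __name__ == "__main__":
    for name, flags in audit_cookie_flags(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name:10s} Secure={flags['secure']!s:5s} HttpOnly={flags['httponly']}")
    print("Missing Secure:", insecure_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("After rewrite:")
    for h in harden_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(" ", h)
```

Run against the sample, the audit names only CFGLOBALS as missing the Secure flag, and after `harden_headers` no cookie is left without it. To check a live site, paste the Set-Cookie values from the response headers into the list in place of the constructed ones; the same pattern extends to HttpOnly if the scanner reports that flag missing as well.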