Highlighted

Could not disable HttpOnly flag in browser via CF

Explorer ,
Jan 09, 2020

Copy link to clipboard

Copied

In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.

 

We tried to disable this HttpOnly flag in the browser in following ways,

  1. By disabling HttpOnly flag and Global Script Protection in CF admin.
  2. By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".

 

But this way the HttpOnly flag is still showing as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence logout functionality is not working.

 

Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?.

 

Note:

  1. In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID.
  2. We use the CF2018 enterprise edition (Trial Version, not yet expired).
  3. Restarted CF services after updating the settings in CF admin.

 

 

TOPICS
Security, Server administration

Views

601

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Could not disable HttpOnly flag in browser via CF

Explorer ,
Jan 09, 2020

Copy link to clipboard

Copied

In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.

 

We tried to disable this HttpOnly flag in the browser in following ways,

  1. By disabling HttpOnly flag and Global Script Protection in CF admin.
  2. By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".

 

But this way the HttpOnly flag is still showing as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence logout functionality is not working.

 

Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?.

 

Note:

  1. In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID.
  2. We use the CF2018 enterprise edition (Trial Version, not yet expired).
  3. Restarted CF services after updating the settings in CF admin.

 

 

TOPICS
Security, Server administration

Views

602

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jan 09, 2020 0
Adobe Community Professional ,
Jan 10, 2020

Copy link to clipboard

Copied

Abdul, can you clarify if you are testing things from a browser that has none of the cookies (where all those for your site have been deleted/don't exist), as a starting point? What happens when you do?

 

That said, since you are talking about the cf jsessionid cookies, those by default have no expiration set and should be cleared by simply closing the browser (and ensuring all instances of it are closed).

 

Finally, this challenge of yours is a situation where using your browser's Dev tools would be valuable, to see (and optionally delete) the cookies existing on the browser, as well as to see those being set by cf (being sent down from cf as response headers).

 

This would also show things like the httponly and other attributes of the cookies sent down or existing on the browser. If you may not be familiar with such tools, Google should help you find how to use them in your browser, as all support them. 

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 10, 2020 0
Adobe Community Professional ,
Jan 10, 2020

Copy link to clipboard

Copied

I'm pretty sure you can't control the behavior of the JSESSIONID cookie in CF. That's issued by Tomcat really, not by CF, and has a bunch of security rules attached to it. You might be able to modify that behavior in Tomcat's configuration, but it wouldn't be recommended for security reasons. I don't see why you'd want to disable HttpOnly anyway.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 10, 2020 0
Advocate ,
Jan 10, 2020

Copy link to clipboard

Copied

I strongly agree with Dave here. The JSESSIONID cookie is intended for CF to manage sessions. You should not be messing with it.

The mechanism you use to determine whether or not a user is logged into your application should be completely independent of the JSESSIONID cookie.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 10, 2020 0