
How to secure CFGLOBALS cookie

Explorer, Sep 15, 2014

To secure the CFGLOBALS cookie I tried the following method, as I did for CFID and CFTOKEN. But it's not working for CFGLOBALS. Note that this method is working fine for CFID and CFTOKEN.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

<cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes" sessioncookie=#cf_ssn_cookies#>

Any idea why the HTTPOnly and SECURE flags are not being set for the CFGLOBALS cookie?

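A check for the behaviour described in the question above, as an added example that is not part of the original thread: it parses Set-Cookie response headers, reports which ColdFusion cookies lack the Secure and HttpOnly flags, and shows whether one cookie's value carries another's identifier. The header values are constructed sample data and the function names are hypothetical.

```python
from urllib.parse import unquote

CF_COOKIES = {"CFID", "CFTOKEN", "CFGLOBALS"}
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample Set-Cookie values, not captured from a real server.
SAMPLE_HEADERS = [
    "CFID=410177; Path=/; Secure; HttpOnly",
    "CFTOKEN=83250126; Path=/; Secure; HttpOnly",
    "CFGLOBALS=urltoken%3DCFID%23%3D410177%26CFTOKEN%23%3D83250126%23; "
    "Expires=Thu, 15-Sep-2044 10:00:00 GMT; Path=/",
]

def parse_set_cookie(header_value):
    """Return (NAME, value, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name.strip().upper(), value.strip().strip('"'), flags

def audit(set_cookie_headers):
    """Report missing flags and embedded identifiers per ColdFusion cookie."""
    seen = {}
    for header in set_cookie_headers:
        name, value, flags = parse_set_cookie(header)
        if name in CF_COOKIES:
            seen[name] = (value, flags)
    report = {}
    for name, (value, flags) in seen.items():
        decoded = unquote(value)
        report[name] = {
            "missing": [f for f in REQUIRED_FLAGS if f not in flags],
            # Does this cookie's value carry another cookie's value?
            "embeds": sorted(other for other, (ov, _) in seen.items()
                             if other != name and ov and ov in decoded),
        }
    return report

if __name__ == "__main__":
    for cookie, result in audit(SAMPLE_HEADERS).items():
        print(cookie, result)
```

Feed it the Set-Cookie values from a real response of the application to confirm whether CFGLOBALS is still issued without the flags after any change or update.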

Correct answer

Explorer, Sep 22, 2014

This appears to be a bug and it has been reported to Adobe. So I think we need to wait until Adobe fixes this bug.

Community Expert, Sep 15, 2014

This is turning out to be quite something. After a few unsuccessful coding attempts at securing the cookie, I went to the web in search of more information. To my surprise, I am unable to find any documentation on securing the CFGLOBALS cookie. Still looking.

Explorer, Sep 15, 2014

Ok.... But it is actually necessary to secure the CFGLOBALS cookie. Right?? Why I am asking this is because this cookie contains CFID and CFTOKEN values.

Community Expert, Sep 16, 2014

I agree. It should be possible to make the cfglobals cookie secure and httponly, because it contains the session ID.

Community Expert, Sep 18, 2014

I have reported this as a bug. Unfortunately, I am unable to refer you to a link. None exists, because ColdFusion's bugs site refrains from publishing security bug reports. If you wish, I can send you a summary.

Explorer, Sep 18, 2014

Ya .... Can you just send the summary.....

BK, can you help with one more thing? I have posted another question here: How to prevent clickjacking issue in CF. If possible, can you just look into it?

Community Expert, Sep 22, 2014

Please kindly mark the thread as correctly answered. If you are unsatisfied with the current answers, then please say so.

Alternatively, you may of course post a new message which you consider to be the correct or best explanation, and mark it as the correct answer. Rounding off a thread in this way will help others to quickly find solutions. Thanks.

Explorer, Sep 23, 2014

BK, could you please inform me once you get any update from Adobe regarding this bug? I am not sure about their SLA.

Community Expert, Sep 23, 2014

Will inform this thread of any updates. I suspect that Adobe's SLA excludes the 'pushing' of updates on bug fixes. The customer has to 'pull' them himself.
