To secure the CFGLOBALS cookie I tried the following method, as I did for CFID and CFTOKEN. But it's not working for CFGLOBALS. Note that this method is working fine for CFID and CFTOKEN.
<cfset cf_ssn_cookies = {httponly='true', secure='true'}>
<cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes" sessioncookie=#cf_ssn_cookies#>
Any idea why the HttpOnly and Secure flags are not being set for the CFGLOBALS cookie?
This appears to be a bug, and it has been reported to Adobe. So I think we need to wait until Adobe fixes this bug.
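Since the cfapplication setting cannot be trusted to cover every cookie, the practical check is to look at the Set-Cookie headers the server actually returns. The following is an added example, not code from this thread or from Adobe: it parses Set-Cookie values, reports which of CFID, CFTOKEN and CFGLOBALS lack the HttpOnly or Secure attribute, and can run the same audit against a live URL. The sample headers at the bottom are constructed to mirror the symptom described in the thread (flags present on CFID/CFTOKEN, absent on CFGLOBALS); the cookie values and the example URL are assumptions.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example (not ColdFusion code, not from the forum thread). It inspects
the HTTP response headers a CF server sends back, which is the only reliable
way to confirm what <cfapplication sessioncookie=...> actually applied.
"""
import urllib.error
import urllib.request

REQUIRED_FLAGS = ("httponly", "secure")
CF_COOKIES = ("CFID", "CFTOKEN", "CFGLOBALS")


def parse_set_cookie(header_value):
    """Return (name, {attribute_lowercase: value_or_True}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_cookies(set_cookie_values, names=CF_COOKIES):
    """Map each cookie of interest to the list of required flags it is missing."""
    result = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name.upper() not in names:
            continue
        result[name.upper()] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop on the first response: the cookies are set there, not on the target."""

    def redirect_request(self, *args, **kwargs):
        return None


def audit_url(url):
    """Fetch url once (no redirects) and audit the Set-Cookie headers it returns."""
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx responses still carry Set-Cookie headers
    return audit_cookies(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample: flags applied to CFID/CFTOKEN but not to CFGLOBALS,
# the situation described in the thread. Values are made up.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; Secure; HttpOnly",
    "CFTOKEN=56789abcdef; Path=/; Secure; HttpOnly",
    "CFGLOBALS=urltoken%3DCFID%231234%26CFTOKEN%2356789abcdef; "
    "Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{cookie:10s} {status}")
    # To audit a real application (hypothetical URL, replace with your own):
    # print(audit_url("https://app.example.com/index.cfm"))
```

Run it against a page of the application that starts a session and triggers client-variable storage, so that all three cookies are issued on that response; a cookie whose flags are only fixed on later responses would already have been exposed on the first one.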
This is turning out to be quite something. After a few unsuccessful coding attempts at securing the cookie, I went to the web in search of more information. To my surprise, I am unable to find any documentation on securing the CFGLOBALS cookie. Still looking.
Ok.... But it is actually necessary to secure the CFGLOBALS cookie. Right?? Why I am asking this is because this cookie contains the CFID and CFTOKEN values.
I agree. It should be possible to make the cfglobals cookie secure and httponly, because it contains the session ID.
I have reported this as a bug. Unfortunately, I am unable to refer you to a link. None exists, because ColdFusion's bugs site refrains from publishing security bug reports. If you wish, I can send you a summary.
Ya.... Can you just send the summary.....
BK, can you do one more favour? I have posted another question here: How to prevent clickjacking issue in CF. If possible, can you just look into it?
Please kindly mark the thread as correctly answered. If you are unsatisfied with the current answers, then please say so.
Alternatively, you may of course post a new message which you consider to be the correct or best explanation, and mark it as the correct answer. Rounding off a thread in this way will help others to quickly find solutions. Thanks.
BK, could you please inform me once you get any update from Adobe regarding this bug? I am not sure about their SLA.
Will inform this thread of any updates. I suspect that Adobe's SLA excludes the 'pushing' of updates on bug fixes. The customer has to 'pull' them himself.