How to secure CFGLOBALS cookie

Explorer ,
Sep 15, 2014

To secure the CFGLOBALS cookie I tried the following method, as I did for CFID and CFTOKEN. But it's not working for CFGLOBALS. Note that this method is working fine for CFID and CFTOKEN.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

<cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes" sessioncookie=#cf_ssn_cookies#>

Any idea why the HTTPOnly and SECURE flags are not being set for the CFGLOBALS cookie?

This appears to be a bug and it has been reported to Adobe. So I think we need to wait until Adobe fixes this bug.

Adobe Community Professional ,
Sep 15, 2014

This is turning out to be quite something. After a few unsuccessful coding attempts at securing the cookie, I went to the web in search of more information. To my surprise, I am unable to find any documentation on securing the CFGLOBALS cookie. Still looking.

Explorer ,
Sep 15, 2014

Ok.... But it is actually necessary to secure the CFGLOBALS cookie, right? The reason I am asking is that this cookie contains the CFID and CFTOKEN values.

Adobe Community Professional ,
Sep 16, 2014

I agree. It should be possible to make the cfglobals cookie secure and httponly, because it contains the session ID.

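A way to check the behaviour discussed in this thread from the response side (an added example, not part of any post and not Adobe code): it parses Set-Cookie headers and reports cookies that lack Secure or HttpOnly, marking those that carry CFID or CFTOKEN. The sample headers, their values and the CFGLOBALS value layout are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed Set-Cookie headers (values are made up) modelling what the thread
# reports: CFID and CFTOKEN carry both flags, CFGLOBALS carries neither.
# The CFGLOBALS value layout is an assumption made for illustration.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; Secure; HttpOnly",
    "CFTOKEN=56789012; Path=/; Secure; HttpOnly",
    "CFGLOBALS=urltoken%3DCFID%23%3D1234%26CFTOKEN%23%3D56789012%23; Path=/",
]

SESSION_NAMES = ("CFID", "CFTOKEN")    # identifiers named in the thread
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute names)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name.strip(), value.strip(), attrs


def carries_session_id(name, value):
    """True if the cookie is a session identifier or its decoded value embeds one."""
    if name.upper() in SESSION_NAMES:
        return True
    decoded = unquote(value).upper()
    return any(marker in decoded for marker in SESSION_NAMES)


def audit(headers):
    """Map each cookie missing a required flag to (missing flags, carries session id)."""
    findings = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = (missing, carries_session_id(name, value))
    return findings


if __name__ == "__main__":
    for name, (missing, sensitive) in audit(SAMPLE_HEADERS).items():
        level = "HIGH" if sensitive else "low"
        print(f"{level}: {name} is missing {', '.join(missing)}")
```

Feed it the Set-Cookie lines from a response of your own application, for example copied from the output of `curl -sI`, and rerun it after applying any vendor update to confirm whether the flags are now set.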
Adobe Community Professional ,
Sep 18, 2014

I have reported this as a bug. Unfortunately, I am unable to refer you to a link. None exists, because ColdFusion's bugs site refrains from publishing security bug reports. If you wish, I can send you a summary.

Explorer ,
Sep 18, 2014

Ya .... Can you just send the summary?

BK, can you help with one more thing? I have posted another question here: How to prevent clickjacking issue in CF. If possible, can you just look into it?

Adobe Community Professional ,
Sep 22, 2014

Please kindly mark the thread as correctly answered. If you are unsatisfied with the current answers, then please say so.

Alternatively, you may of course post a new message which you consider to be the correct or best explanation, and mark it as the correct answer. Rounding off a thread in this way will help others to quickly find solutions. Thanks.

Explorer ,
Sep 22, 2014

This appears to be a bug and it has been reported to Adobe. So I think we need to wait until Adobe fixes this bug.

Explorer ,
Sep 23, 2014

BK, could you please inform me once you get any update from Adobe regarding this bug? I am not sure about their SLA.

BKBK
Adobe Community Professional ,
Sep 23, 2014

Will inform this thread of any updates. I suspect that Adobe's SLA excludes the 'pushing' of updates on bug fixes. The customer has to 'pull' them himself.
