How to Set up HTTPOnly and SECURE FLAG for session cookies

Abdul L Koyappayil wrote:              If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.

Oops, I may have been wrong in assuming it is switched on by default in Tomcat. However, the essential point remains: to set the JsessionID 'secure' flag in Tomcat, not in Coldfusion.

Looking through the Tomcat settings, the prime candidate for configuration is the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Back-up the file before you proceed.

Open the file in a text editor. Uncomment the section

<!--

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

    -->

Save the result. Restart Coldfusion.

I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question.

I answered that already: the most obvious place is in the Coldfusion Administrator.

I am little confused here. I would like to clarify below things.

You said "When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected."

Here my question : For Apcahe vFabric ,setting secure flag for J2EE session cookie is working in the same way (as you explained above) as Apache Tomacat???

To set secure flag for JSESSIONID we need to uncomment the below section in the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Am I right???.

If I am right , uncommenting the below section will not impact the application(s) any way. What you think???

Good question, Abdul. Change of plan.

On second thoughts, do not modify the server.xml file as I suggested. That is all too heavy-going and clumsy. There has to be a simpler solution.

There is one thing I know. Tomcat is configured to automatically flag the JsessionID cookie as secure when it detects HTTPS. The question is, why it fails to set the flag in your case. Let us look into this some more.

I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed.

Open the file in a text editor. Replace the setting

    <session-config>

        <session-timeout>30</session-timeout>

    </session-config>

with the setting

<session-config>

     <session-timeout>30</session-timeout>

     <cookie-config>

          <http-only>true</http-only>

          <secure>true</secure>

      </cookie-config>

</session-config>

Save the result. Restart Coldfusion.

If I am right , uncommenting the below section will not impact the application(s) any way. What you think???

This is a good question. It is in fact what made me have another look.

I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

When I searched internet I found one below.

The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true . You can define Java system properties when the JVM is loaded by adding the following line:

-Dcoldfusion.sessioncookie.httponly=true

I think there are differenet ways to do this that is depends on J2ee server or Jrun server or muli-server. I am very confused after reading this.

Cant take a decision on what should I do to do this.

Can you pls guide me to know that how can I check whether my cf is installed on which server like j2ee or jrun or multi-server etc....

Accordingly I can put the solution and close this post.

Abdul L Koyappayil wrote: When I searched internet I found one below. The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file. To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true . You can define Java system properties when the JVM is loaded by adding the following line: -Dcoldfusion.sessioncookie.httponly=true I think there are differenet ways to do this that is depends on J2ee server or Jrun server or muli-server. I am very confused after reading this.

That applies to Coldfusion 9.x. You can safely ignore it, because you are on Coldfusion 10.

Coldfusion underwent a big change between versions 9 and 10. The development team replaced the JRun server with Tomcat. That is why it is safe for you to ignore everything that relates to JRun. With one exception, however:

If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

This is equivalent to the suggestion in my last post.

Abdul L Koyappayil wrote: Can you pls guide me to know that how can I check whether my cf is installed on which server like j2ee or jrun or multi-server etc....

I see that just now. As I have said, Coldfusion 10 and 11 are built on Tomcat. To see the remaining details of your Coldfusion set-up, open the Coldfusion Administrator, and click on the link   in the top right-hand corner.

This thread has information that will help someone else in future. If you are satisfied, please mark what you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark it as the answer.

BKBK wrote: I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed. Open the file in a text editor. Replace the setting     <session-config>         <session-timeout>30</session-timeout>     </session-config> with the setting <session-config>      <session-timeout>30</session-timeout>      <cookie-config>           <http-only>true</http-only>           <secure>true</secure>       </cookie-config> </session-config> Save the result. Restart Coldfusion. If I am right , uncommenting the below section will not impact the application(s) any way. What you think??? This is a good question. It is in fact what made me have another look. I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

I tried this and restarted the cf instance. And then I checked the jsessionid in chrome browser I got below info , means its not setting the SECURE flag for jsession id. Had you tried this method before.

Any thoughts.

Note that I am using UNIX and I modified the below file

/opt/coldfusion/cfusion/runtime/conf/web.xml

I am on Windows, but that should not matter. I have just gone through the steps myself. The JsessionID cookie was stored as secure, as expected.

Here are the steps I followed, starting with Coldfusion's original /runtime/conf/web.xml file:

1) Open a CFM test page in Chrome.

2) Open Chrome's settings and read the JsessionID cookie. Its relevant attributes are

Send for: Any kind of connection

Accessible to script: No (HttpOnly)

3) Open Chrome's History settings and clear all browsing data 'since the beginning of time'. Close Chrome.

4) Stop Coldfusion. Edit the web.xml file as follows and save it:

<!--

<session-config>

        <session-timeout>30</session-timeout>

    </session-config>

-->

<session-config>

     <session-timeout>30</session-timeout>

     <cookie-config>

          <http-only>true</http-only>

          <secure>true</secure>

      </cookie-config>

</session-config>

5) Restart Coldfusion.

6) Open the same CFM test page in Chrome as you did in step 1).

7) Open Chrome's settings and read the JsessionID cookie. You should now observe that there is a change from "Send for: Any kind of connection" to "Send for: Secure connections only". See attached image, showing the cookie details before and after.

I tried the same thing. But still its not changing. I cleared all the browsing data and cookies and restarted the instance again.

The only difference between me and you is I am working on UNIX environment. So does this make any difference. I am not understanding.

Note :  I am modifying the file - /opt/coldfusion/cfusion/runtime/conf/web.xml. Can you just tell me the file (including path) you are modifying in windows , just to know.

As Steve Sommers posted - "Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it."  Do I need to make any modifications in the JVM config string in the CF Administrator as well apart from what we did in web.xml??? .... I was just thinking .....

Now its working fine. I modified the file /opt/coldfusion/{instance_name}/runtime/conf/web.xml instead of /opt/coldfusion/cfusion/runtime/conf/web.xml as I have more than 2 instances.

Now I need to think about that is there any issue while a hit is going from https to http. Because when I searched I found that there is hit going to an http site http://xyz.com from my application which is https, https://pqr.com.

BK , any thoughts on this I mean in which all the ways it(setting secure flag in https application) may impact , if a hit is going from https to http.

I know this might be a different topic , but still I think it is a related one . If you need to open a new discussion regarding this , no probs I can do that....

I am glad to hear it now works. You are right: we should explore the new issue in a thread of its own. Refreshing to close one chapter before opening another.