How to Set up HTTPOnly and SECURE FLAG for session cookies

Explorer ,
Sep 01, 2014 Sep 01, 2014

Copy link to clipboard

Copied

Hi All,

To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.

I have found the below solutions.

For setting up the HTTPOnly for the session cookies.

1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables

     this.sessioncookie.httponly = true;

For setting up the secure flag for the session cookies.

2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables

     this.sessioncookie.secure = "true"

Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">

<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>

  <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">

  <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">

</cfif>

But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.

Your timely help is well appreciated.

Thanks in advance.

Views

14.3K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct Answer

Adobe Community Professional , Sep 08, 2014 Sep 08, 2014
As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. That translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.Apparently, there might be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it might be that the file you have to modify is \WEB-INF\web.xml within the directory of the particular instance. These are servlet configuration settings which you can safely test (after backing up ...

Likes

Translate

Translate
Adobe Community Professional ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10).

You can do it in the Coldfusion Administrator. Navigate to the Memory Variables page. Tick the checkbox HTTPOnly. Click on the button to Submit Changes.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

Hi BKBK,

Thanks for your comments.

I understood ,you answered to the question. But I have few questions here.

1]We dont have access to check this in CF Admin->Server Settings->Memory Variables. Any way This is a server level side solution and it may impact other applications in the same instance as well.Right?? But I think the impact is not a negative impact as we are just securing the session cookies.Right???

2]To do this via code , In Application.cfm (not using Application.cfc as our application is existing and old one) I created a structure with the required properties and passed this to the "sessioncookie" attribute in "cfapplication" tag as below.

  <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" setclientcookies="yes" sessioncookie=#cf_ssn_cookies# >

But it seems to be not working when I checked using chrome developer tools where I found empty values for the columns HTTP and SECURE as in the attached screen shot.

cookies2.png

Here Could you pls tell me the method I followed to set HTTPOnly and Secure flag for the session cookies is correct or not. If it is correct plese let me know whether I am following correct steps using chrome web developer tool to check whether session cookies has been set with HTTPOnly and SECURE flag .

And If I am following correct steps to test why it is not working when checking in chrome developer tools.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

Using cfapplication's sessioncookie attribute is fine, too. For completeness, use something like

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

so this will set HTTPOnly and SECURE flag for session cookies and I can test it using chrome web developer tool as I mentioned right??? ultimately I wanna know how we can test this whether cookies have been set with HTTPOnly and SECURE flag or not. Any ideas.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

Yes, just use Chrome Developer Tools as you did before. Alternatively, open the page in Firefox, and view the cookies using the Firebug add-on.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

But when I did this using chrome I found empty values for the columns HTTP and SECURE against the session cookies CFID and CFTOKEN. I have attached a screen shot for this in the above discussions . Can you pls tell me why this happens then. I restarted the server also but no luck. Any Thoughts???

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

I have just tested with the cfapplication tag I suggested above, and opened the test page in Chrome. It works as expected. The CFID and CFToken cookies are secure and HTTPOnly.

Run your own test page in Chrome. Then follow these steps to see the cookies: 4 Ways to View Cookies - wikiHow

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

I checked the way you explained and I found that the session cookies( CFID and CFTOKEN ) except JSESSIONID are setting up with HTTPOnly and SECURE flag. For JSESSIONID I am getting following details.


Note that when I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES.

So I think the the below code that we used is only for CF Session cookies and not for JSESSIONID. So this solution (below code) will not work for JSESSIONID.Right???. Please correct me if I am wrong. If I am correct could you please explain how can I make it work for JSESSIONID.

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes"sessioncookie="#cf_ssn_cookies#" >

Also When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul,

Could you split this into different questions, which we can discuss, one at a time? Otherwise it all becomes unnecessarily complex.

Your original question was how to set Secure, HTTPOnly cookies and view them in the Chrome browser. If that problem is solved, then please say so, and close the subject, before raising further issues.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

So I think the the below code that we used is only for CF Session cookies and not for JSESSIONID. So this solution (below code) will not work for JSESSIONID.Right???.

Right.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

All these issues are related that is the reason I am asking all these questions here.

And what about - When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.


I think only the unrelated question is how to set HTTPOnly and Secure flag for Jsessionid , I will post a separate question on this.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

All these issues are related that is the reason I am asking all these questions here.

Fair enough. But not all at once. Acknowledging the questions already answered makes the discussion less complex, hence more fruitful.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

And what about - When I removed the above piece of code from Application.cfm file SECURE flag is not setting but HTTPOnly is always setting irrespective of the above piece of code. Any Idea why this is happening??.

Your description is broad. When you say you removed a piece of code, we still know nothing about what you left in. So what was the content of the Application.cfm that you tested with?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Ok I understood....sorry for the confusion..... let me explain.

Initially I created Application.cfm as below  (only below codes)

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

Later on I removed the attriobute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag ( This is what I meant to say with "When I removed the above piece of code") .... Sorry for the confusion. So now my Application.cfm contains only below code. At this time SECURE flag is not setting but HTTPOnly is always setting irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in cfapplication tag.

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" >

I hope you got it ...

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

Ok I understood....sorry for the confusion..... let me explain.

Initially I created Application.cfm as below  (only below codes)

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

Later on I removed the attriobute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag ( This is what I meant to say with "When I removed the above piece of code") .... Sorry for the confusion. So now my Application.cfm contains only below code. At this time SECURE flag is not setting but HTTPOnly is always setting irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in cfapplication tag.

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" >

I hope you got it ...

Yes, I got it. Thanks. Good test style.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

BKBK wrote:

Yes, I got it. Thanks. Good test style.

What does this mean. the discussion is over or are still working on the three questions that posted above. Just to know....

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Advocate ,
Sep 02, 2014 Sep 02, 2014

Copy link to clipboard

Copied

Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Yes steve I am doing this as a result of PCI vulnerability scan.

Steve Sommers wrote:

Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it.

Sorry, I couldnt undestand the sentence that I have marked as bold and italic,above. Could you please elaborate it in simple words.

Also I would like to inform you that when I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well . In the scanning report they have mentioned to set HTTPOnly and SECURE flag for SESSION COOKIES (I think this includes both CF SESSION COOKIES and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please have your inputs on this.



Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well . In the scanning report they have mentioned to set HTTPOnly and SECURE flag for SESSION COOKIES (I think this includes both CF SESSION COOKIES and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please have your inputs on this.

You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

BKBK wrote:

You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

I couldnt understand this. I mean how are you relating this with my question.

I have below questions as below. Kindly go through the below questions. Otherwise If needed I can post separate questions but I think all these are related and no need to post separate quesyions. Bu if you need I can do , np .....

1] When I removed the below piece of code from Application.cfm file , SECURE flag is not setting but HTTPOnly is always setting irrespective of the below piece of code. Any Idea why this is happening??.

    

<cfset cf_ssn_cookies = {httponly='true', secure='true'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#"setclientcookies="yes"sessioncookie="#cf_ssn_cookies#" >

2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.

3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.




Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

What is your Coldfusion version?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

CF 10 . And web server is Apache

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

CF 10 . And web server is Apache

OK, then my assumption was right. CF10 and 11 are built on Tomcat. That is relevant to the discussion. I will now take it up again.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Sep 03, 2014 Sep 03, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

BKBK wrote:

You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

I couldnt understand this. I mean how are you relating this with my question.

When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.

1] When I removed the below piece of code from Application.cfm file , SECURE flag is not setting but HTTPOnly is always setting irrespective of the below piece of code. Any Idea why this is happening??.

My bet is that the setting HTTPOnly=true is the default (set, for example, in the Coldfusion Administrator). To switch it off, use

<cfset cf_ssn_cookies = {httponly='false'}>

  <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.

Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.

3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.

It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines