Missing HttpOnly Attribute in Session Cookie

Contributor,
Jun 26, 2014

I was just given a security scan result for one of our web apps that showed two problems:

  1. Missing HttpOnly Attribute in Session Cookie
  2. Missing Secure Attribute in Encrypted Session (SSL) Cookie

The interesting thing is that I have both client and domain cookies set to "No" in my Application.cfm file (this is an old application that uses CF8). Maybe I don't understand the concept?

I found a piece of code that's supposed to secure cookies:

<!--- The session scope only exists when sessionManagement="yes" is set in <cfapplication>; without it, session.CFID and session.CFTOKEN are undefined --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

But I get session.cfid and session.cftoken undefined errors.  Before I wrack my brain on something I obviously don't get, can someone steer me in the right direction?

Thanks in advance!
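As an added illustration (not part of the original post or of ColdFusion itself), the script below does what the scanner that produced the two findings does: it parses `Set-Cookie` header values per RFC 6265, checks the session cookies (CFID, CFTOKEN, and JSESSIONID, an assumed list) for the `HttpOnly` and `Secure` attributes, and reports the same two finding titles quoted above. It also shows what a hardened header for the same cookie looks like. The sample headers are constructed to mirror the snippet in the question, which sets `HTTPOnly` but not `Secure`.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for the post above; the header values and cookie-name list
are constructed for illustration, not taken from a real application.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List

# Cookie names that carry a session identifier. CFID/CFTOKEN are ColdFusion's,
# JSESSIONID is the J2EE one. Assumed list: extend it for your own framework.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}

# Finding titles exactly as the scanner in the question reported them.
FINDING_HTTPONLY = "Missing HttpOnly Attribute in Session Cookie"
FINDING_SECURE = "Missing Secure Attribute in Encrypted Session (SSL) Cookie"


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265), so they are stored lowercased.
    attributes: Dict[str, str] = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into name, value and its attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")  # flag attributes have no '=' and an empty value
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Return {cookie_name: [finding, ...]} for session cookies missing flags.

    Secure is only expected when the application is served over TLS, which is
    why the scanner phrases that finding as 'Encrypted Session (SSL) Cookie'.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue  # preference cookies and the like are out of scope
        issues = []
        if not cookie.has("httponly"):
            issues.append(FINDING_HTTPONLY)
        if over_tls and not cookie.has("secure"):
            issues.append(FINDING_SECURE)
        if issues:
            findings[cookie.name] = issues
    return findings


def hardened_set_cookie(name: str, value: str, path: str = "/", over_tls: bool = True) -> str:
    """Build a Set-Cookie value that carries both attributes the scanner wants."""
    attrs = [f"{name}={value}", f"path={path}", "HttpOnly"]
    if over_tls:
        attrs.append("Secure")
    return ";".join(attrs)


# Constructed sample: the first header matches what the cfheader snippet in the
# question emits (HTTPOnly only), the second has neither flag, the third is not
# a session cookie and is ignored by the audit.
SAMPLE_HEADERS = [
    "CFID=1234;path=/;HTTPOnly",
    "CFTOKEN=98765432;path=/",
    "theme=dark;path=/",
]

if __name__ == "__main__":
    for cookie_name, issues in audit(SAMPLE_HEADERS).items():
        for issue in issues:
            print(f"{cookie_name}: {issue}")
    print("Hardened:", hardened_set_cookie("CFID", "1234"))
```

Run it against the `Set-Cookie` lines captured from your own application (for example from a browser's network panel or a proxy log) to see exactly which cookie each finding refers to before changing how the cookies are set.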
