Missing HttpOnly Attribute in Session Cookie

Contributor
Jun 26, 2014

I was just given a security scan result for one of our web apps that showed two problems:

  1. Missing HttpOnly Attribute in Session Cookie
  2. Missing Secure Attribute in Encrypted Session (SSL) Cookie

The interesting thing is that I have both client and domain cookies set to "No" in my Application.cfm file (this is an old application that uses CF8). Maybe I don't understand the concept?

I found a piece of code that's supposed to secure cookies:

<!--- Re-issues the CF session cookies with the HTTPOnly flag whenever the browser's
      cookie is missing or stale. session.CFID and session.CFToken only exist when
      session management is enabled (sessionmanagement="yes" in cfapplication);
      with it off, the references below are undefined. --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

But I get session.cfid and session.cftoken undefined errors. Before I rack my brain on something I obviously don't get, can someone steer me in the right direction?

Thanks in advance!
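The two scan findings in the post come down to whether the Set-Cookie headers for the session cookies carry the HttpOnly and Secure flags. The script below is an added example, not code from the post or from ColdFusion: it parses Set-Cookie values the way a scanner would, reports the same two findings for CFID/CFTOKEN (and JSESSIONID, which CF uses with J2EE sessions), and builds the header value the cfheader tags should emit. The sample headers are constructed.

```python
# Added example (not from the original post): reproduce the scan's two findings
# from Set-Cookie header values and build the value the cfheader tags should emit.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}  # CF's session cookies

def parse_set_cookie(header_value):
    """Split 'NAME=value; attr=value; Flag' into (name, value, {attr: value}).

    Attribute names are lowercased: browsers match them case-insensitively,
    so 'HTTPOnly' and 'HttpOnly' are the same flag. Valueless flags map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookies(headers, https=True):
    """Return scanner-style findings; the Secure check applies to TLS only."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for these findings
        if "httponly" not in attrs:
            findings.append(f"{name}: Missing HttpOnly Attribute in Session Cookie")
        if https and "secure" not in attrs:
            findings.append(
                f"{name}: Missing Secure Attribute in Encrypted Session (SSL) Cookie")
    return findings

def hardened_header(name, value, https=True):
    """Set-Cookie value carrying both flags the scan asks for."""
    parts = [f"{name}={value}", "path=/", "HttpOnly"]
    if https:  # a Secure cookie is never sent over plain HTTP, so only add it
        parts.append("Secure")  # on HTTPS sites or the session breaks silently
    return ";".join(parts)

# Constructed sample: CF's default cookie (no flags), the post's snippet
# (HttpOnly only), and a non-session cookie the check must ignore.
SAMPLE_HEADERS = ["CFID=1234; Path=/", "CFTOKEN=98765432;path=/;HTTPOnly", "lang=en; Path=/"]

if __name__ == "__main__":
    print("\n".join(audit_session_cookies(SAMPLE_HEADERS)))
    print(hardened_header("CFID", "1234"))
```

Run against a real response by pasting its Set-Cookie values into the list; a site served only over HTTP should be audited with https=False, since the Secure flag would stop the browser sending the cookie at all.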
