• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Modify expiry date of Cookies- CFID and CFToken

New Here ,
Nov 19, 2018 Nov 19, 2018

Copy link to clipboard

Copied

Persistent cookie(CFID and CFToken) have default expiry date 30 years ahead from the current date.

In our application, the security team finds this data vulnerable and here is the dump snippet provided :

Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/;

Secure; HttpOnly

Set-Cookie: CFTOKEN=d52d0264379150e2-C2C656EB-9A1E-386D-0418A9B7776141C5;

Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly

X-Xss-Protection: 1; m...TRUNCATED...

How can the expiry date of CFID and CFToken be modified?

Is there any configuration present in Cold fusion Admin ?

And after the modification, how can the change be checked ?

Views

773

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 19, 2018 Nov 19, 2018

Copy link to clipboard

Copied

LATEST

Yes. Since cf10 you can change that in the cf admin, on the memory variables page.

You can also change at the application level, using an available sessioncookie struct that can be set in the this scope of application.cfc or as an atrribute of cfapplication.

Besides the docs, see this Adobe technote that introduced these and many other security improvements in cf10:

Security improvements in ColdFusion 10| Adobe Developer Connection


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation