Modify expiry date of Cookies- CFID and CFToken

New Here ,
Nov 19, 2018

Persistent cookies (CFID and CFToken) have a default expiry date 30 years ahead of the current date.

In our application, the security team finds this data vulnerable, and here is the dump snippet provided:

Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly

Set-Cookie: CFTOKEN=d52d0264379150e2-C2C656EB-9A1E-386D-0418A9B7776141C5; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly

X-Xss-Protection: 1; m...TRUNCATED...

How can the expiry date of CFID and CFToken be modified?

Is there any configuration present in ColdFusion Admin?

And after the modification, how can the change be checked?

Adobe Community Professional ,
Nov 19, 2018

Yes. Since cf10 you can change that in the cf admin, on the memory variables page.

You can also change at the application level, using an available sessioncookie struct that can be set in the this scope of application.cfc or as an attribute of cfapplication.

Besides the docs, see this Adobe technote that introduced these and many other security improvements in cf10:

Security improvements in ColdFusion 10 | Adobe Developer Connection

/Charlie (server troubleshooter, carehart.org)
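
On the question's last point, how to check the change: the following is an added example, not part of the original posts or of Adobe's code. It parses captured Set-Cookie lines and reports how long CFID and CFTOKEN would live; the one-day limit, the sample headers, the capture time and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed samples. BEFORE mirrors the dump in the question (token replaced by a
# placeholder); AFTER is an assumed response once a shorter lifetime is configured.
BEFORE = [
    "Set-Cookie: CFID=576199; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=PLACEHOLDER; Expires=Wed, 15-Jul-2048 10:26:57 GMT; Path=/; Secure; HttpOnly",
]
AFTER = [
    "Set-Cookie: CFID=576199; Expires=Mon, 19-Nov-2018 12:30:00 GMT; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=PLACEHOLDER; Path=/; Secure; HttpOnly",
]
NOW = datetime(2018, 11, 19, 12, 0, tzinfo=timezone.utc)  # assumed capture time

def cookie_lifetime(header, now):
    """Return (name, lifetime); lifetime is None for a browser-session cookie."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:  # handles both "15-Jul-2048" and "15 Jul 2048" date forms
        return name, parsedate_to_datetime(attrs["expires"]) - now
    return name, None

def audit(headers, now, max_age=timedelta(days=1), names=("CFID", "CFTOKEN")):
    """Return {cookie name: verdict} for the ColdFusion session cookies in headers."""
    findings = {}
    for h in headers:
        name, life = cookie_lifetime(h, now)
        if name.upper() not in names:
            continue
        if life is None:
            findings[name] = "session cookie (no Expires/Max-Age)"
        elif life > max_age:  # max_age is an assumed policy limit, not a CF default
            findings[name] = f"TOO LONG: {life.days} days"
        else:
            findings[name] = f"ok: {life}"
    return findings

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs, NOW))
```

Feed it the Set-Cookie lines from a fresh response (a new browser profile or a request without existing cookies), since cookies already stored by a client keep the expiry they were issued with.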
