
securing the cfglobal cookie

Apr 23, 2018

Our company was doing security scans on our https website and reported to me that the cfglobal cookie is not being served securely. I did some reading and tried the following solutions to fix this. After checking the headers I still have an unsecured cfglobal cookie. Here's what I tried:

  1. CF Administrator -> Memory Variables -> check Secure Cookie and HTTPOnly
  2. In Application.cfc added the following cfscript code:
    • this.sessioncookie.httponly = true;
    • this.sessioncookie.secure = true;

Header:

[screenshot of the response headers: Capture.PNG]

I don't know what else to do. I thought checking Secure Cookie in CF Administrator forces all the cookies to be served securely?


Aug 31, 2018

If you do not use client variables then the CFGLOBALS cookie is not required, so if that is the case make sure you have clientManagement set to false in your Application.cfc or Application.cfm.

There is not a setting in CF that adds the secure flag to the cookie, so you can use your web server to modify the cookie value; here's an example of how to do that using IIS: https://www.petefreitag.com/item/850.cfm

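As an added example (written for this page, not code from the thread or from ColdFusion itself), the script below does two things the thread touches on: it checks raw response headers the way a scanner does, reporting each cookie that lacks Secure or HttpOnly, and it shows the per-cookie rewrite a web-server outbound rule applies when it appends "; Secure" to a named cookie. The sample response is constructed, not captured from the poster's server; the cookie values in it are placeholders.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly flags, and show the
per-cookie rewrite a web server rule can apply to add Secure.

Added example for this thread; not ColdFusion's own code."""

# Constructed sample of raw response headers, modelled on an HTTPS ColdFusion
# site with client management enabled. The session cookies carry both flags;
# CFGLOBALS carries neither, which is what the poster's scan reported.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: CFID=12345; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=abcdef; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D12345; Path=/; "
    "Expires=Wed, 23 Apr 2048 00:00:00 GMT",
    "",
    "",
])


def parse_set_cookie_headers(raw_headers: str) -> list[str]:
    """Return every Set-Cookie header value as a separate string.

    Set-Cookie must never be folded into one comma-joined header the way
    other headers can be: Expires dates contain commas, so a joined value
    cannot be split back apart reliably."""
    values = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(set_cookie: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def find_insecure_cookies(raw_headers: str) -> dict[str, list[str]]:
    """Map each cookie name to the flags it is missing ('Secure', 'HttpOnly').

    Cookies that carry both flags are not reported."""
    findings = {}
    for set_cookie in parse_set_cookie_headers(raw_headers):
        name, attrs = cookie_attributes(set_cookie)
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def add_secure_flag(set_cookie: str, cookie_name: str) -> str:
    """Append '; Secure' to the named cookie if it is absent.

    This is the effect of a web-server outbound rewrite rule scoped to one
    cookie: other cookies pass through untouched, and a cookie that already
    has the flag is not given it twice."""
    name, attrs = cookie_attributes(set_cookie)
    if name != cookie_name or "secure" in attrs:
        return set_cookie
    return set_cookie.rstrip("; ") + "; Secure"


def rewrite_response(raw_headers: str, cookie_name: str) -> list[str]:
    """Apply add_secure_flag to every Set-Cookie value in a raw response."""
    return [add_secure_flag(sc, cookie_name)
            for sc in parse_set_cookie_headers(raw_headers)]


if __name__ == "__main__":
    for cookie, missing in find_insecure_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    for value in rewrite_response(SAMPLE_RESPONSE, "CFGLOBALS"):
        print("Set-Cookie:", value)
```

When checking a live site, feed the script the raw header block from `curl -sI https://host/` rather than a client library's merged headers dictionary, since several HTTP clients join repeated Set-Cookie headers into one string. Note that the rewrite only adds the Secure attribute; HttpOnly would need the same treatment, and disabling client management (the first option in the reply above) avoids sending CFGLOBALS at all.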