cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

Could not disable HttpOnly flag in browser via CF

Abdul L Koyappayil
Explorer ,
Jan 09, 2020 Jan 09, 2020

Copy link to clipboard

Copied

In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.

 

We tried to disable this HttpOnly flag in the browser in following ways,

  1. By disabling HttpOnly flag and Global Script Protection in CF admin.
  2. By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".

 

But this way the HttpOnly flag is still showing as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence logout functionality is not working.

 

Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?.

 

Note:

  1. In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID.
  2. We use the CF2018 enterprise edition (Trial Version, not yet expired).
  3. Restarted CF services after updating the settings in CF admin.

 

 

TOPICS
Security , Server administration

Views

718

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 3 Replies 3
latest latest Jump to latest reply
Charlie Arehart Community Expert
Community Expert ,
Jan 10, 2020 Jan 10, 2020

Copy link to clipboard

Copied

Abdul, can you clarify if you are testing things from a browser that has none of the cookies (where all those for your site have been deleted/don't exist), as a starting point? What happens when you do?

 

That said, since you are talking about the cf jsessionid cookies, those by default have no expiration set and should be cleared by simply closing the browser (and ensuring all instances of it are closed).

 

Finally, this challenge of yours is a situation where using your browser's Dev tools would be valuable, to see (and optionally delete) the cookies existing on the browser, as well as to see those being set by cf (being sent down from cf as response headers).

 

This would also show things like the httponly and other attributes of the cookies sent down or existing on the browser. If you may not be familiar with such tools, Google should help you find how to use them in your browser, as all support them. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Jan 10, 2020 Jan 10, 2020

Copy link to clipboard

Copied

I'm pretty sure you can't control the behavior of the JSESSIONID cookie in CF. That's issued by Tomcat really, not by CF, and has a bunch of security rules attached to it. You might be able to modify that behavior in Tomcat's configuration, but it wouldn't be recommended for security reasons. I don't see why you'd want to disable HttpOnly anyway.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
EddieLotter
Advocate ,
Jan 10, 2020 Jan 10, 2020

Copy link to clipboard

Copied

LATEST
In Response To Dave Watts

I strongly agree with Dave here. The JSESSIONID cookie is intended for CF to manage sessions. You should not be messing with it.

The mechanism you use to determine whether or not a user is logged into your application should be completely independent of the JSESSIONID cookie.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices