Forcing HttpOnly cookies with JRun/ColdFusion

♀尐吖头ヾ submitted on 2019-12-04 06:03:41
Salazar Mubarak

From: http://www.petefreitag.com/item/764.cfm

Running CF 8 or Lower and using Application.cfc

<cfcomponent>
  <cfset this.sessionmanagement = true>
  <cfset this.setclientcookies = false>
  <cffunction name="onSessionStart">
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cffunction>
</cfcomponent>

Make sure you have setclientcookies = false specified.

If Using Application.cfm

If you are still using an Application.cfm file, you can use the following:

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:

While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like

C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.

You have to add the following to the cookie-config section:

<cookie-config>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If your site is HTTPS, you should also enable the secure cookie option. But be careful, it's server-wide, not application specific. So it may not be suitable for your shared environment:

<cookie-config>
    <cookie-secure>true</cookie-secure>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01: -Dcoldfusion.sessioncookie.httponly

I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
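Whichever of the two approaches above you use (the Application.cfc/Application.cfm cfheader trick, or the jrun-web.xml cookie-path/cookie-secure settings), the thing the scanners actually look at is the Set-Cookie header on the very first response. The following is an added example, not code from the question or from either answer: a small Python audit that parses Set-Cookie values and reports any CFID/CFTOKEN/JSESSIONID cookie missing HttpOnly (or missing Secure on an HTTPS site). The header strings embedded in it are constructed to resemble what the configurations on this page produce; `check_url` and its placeholder URL are assumptions for running it against a real server.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not part of the original page). The sample headers below are
constructed to look like the output of the Application.cfc snippet and of the
jrun-web.xml cookie-config settings discussed on this page.
"""
from typing import Dict, List, Tuple
import urllib.request

# Cookie names ColdFusion/JRun use for session tracking (lower-case for comparison).
SESSION_COOKIES = ("cfid", "cftoken", "jsessionid")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: attribute_value}).

    Attribute names are compared case-insensitively, as browsers do, so the
    "HTTPOnly" spelling from the cfheader snippet and the "HttpOnly" spelling
    from jrun-web.xml both count as the same flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie without a name=value pair: %r" % header_value)
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookies(set_cookie_headers: List[str], https: bool) -> List[str]:
    """Return a list of findings; an empty list means every session cookie is flagged correctly."""
    findings: List[str] = []
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        if name.lower() not in SESSION_COOKIES:
            continue  # only session identifiers are in scope here
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure on an HTTPS site")
    return findings


def check_url(url: str) -> List[str]:
    """Fetch one page (assumed helper) and audit the Set-Cookie headers of that first response."""
    with urllib.request.urlopen(url) as resp:  # no cookie jar: this is a fresh first request
        headers = resp.headers.get_all("Set-Cookie") or []
        return audit_session_cookies(headers, https=url.lower().startswith("https://"))


# Constructed sample responses (not captured from a real server).
APPLICATION_CFC_RESPONSE = [            # cfheader approach: HttpOnly but no Secure
    "CFID=1234;path=/;HTTPOnly",
    "CFTOKEN=87654321;path=/;HTTPOnly",
]
JRUN_WEB_XML_RESPONSE = [               # cookie-path "/;HttpOnly" plus cookie-secure true
    "CFID=1234; Path=/;HttpOnly; Secure",
    "CFTOKEN=87654321; Path=/;HttpOnly; Secure",
    "JSESSIONID=abc123; Path=/;HttpOnly; Secure",
]
UNPROTECTED_RESPONSE = [                # default CF behaviour the scanners complain about
    "CFID=1234; Path=/",
    "CFTOKEN=87654321; Path=/",
]

if __name__ == "__main__":
    for label, hdrs, https in (
        ("Application.cfc over HTTP", APPLICATION_CFC_RESPONSE, False),
        ("Application.cfc over HTTPS", APPLICATION_CFC_RESPONSE, True),
        ("jrun-web.xml over HTTPS", JRUN_WEB_XML_RESPONSE, True),
        ("unprotected", UNPROTECTED_RESPONSE, False),
    ):
        print(label, "->", audit_session_cookies(hdrs, https) or "OK")
    # Against a live server (placeholder URL, replace with your own):
    # print(check_url("https://example.invalid/index.cfm"))
```

Run it with no arguments to see the four constructed cases; point `check_url` at a fresh URL (no cookies sent) to reproduce what a scanner sees on the first request. Note that the cfheader approach alone leaves Secure off, which is why the second answer pairs cookie-path with cookie-secure for HTTPS sites.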

The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.

Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?
