> The current application that I'm working on was required to have a security and vulnerability test from an outside consulting firm. The only issue that they had was that we needed to harden session cookies, and they offered the two solutions below.
>
> 1. They recommended that the HTTPONLY flag (stops client-side scripts from reading the cookies) be set on all cookies that hold authentication or session management. ColdFusion does not currently provide a way to set cftoken and cfid as httponly with the cfcookie tag.
>
> I was wondering if something like this would work, set in the application file?
>
> <cfheader name="Set-Cookie" value="CFID=#Session.CFID#;HttpOnly">
> <cfheader name="Set-Cookie" value="CFTOKEN=#Session.CFTOKEN#;HttpOnly">
Yes, that basic approach should work. However, not all browsers support HttpOnly cookies, so I really wouldn't recommend that unless you're sure it'll work with your users.

https://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly

Of course, ideally you should also switch to using JSESSIONID instead of CFID and CFTOKEN, or at least ensure that you're using a UUID for CFTOKEN.

> 2. They also want all cookies to be set through SSL. As I understand it, the only way to set cookies as secure="yes" is to have the request go through https, but we do not want to have to run all our pages through SSL. Does anyone know of a way to set the CFID and CFTOKEN cookies in a secure mode?

The only way to set your cookies in a secure mode is to use SSL and set SECURE="YES". Otherwise, the cookies will be available when the user visits non-SSL pages. The only remediation step you can take here is to use different sessions for secure and non-secure pages, or just use SSL for everything. I'd recommend the latter, if you have the hardware to handle it.

http://fscked.org/blog/fully-automated-active-https-cookie-hijacking

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
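The two-header approach from the question, carried through with the Secure flag that the reply says can only be honoured on SSL requests, as an added example (not code from the original thread; it assumes ColdFusion's CGI.SERVER_PORT_SECURE variable, a Path=/ cookie scope, and that setclientcookies is turned off so ColdFusion does not emit its own unflagged CFID/CFTOKEN cookies next to these):

```cfml
<!--- Application.cfm (added example, not from the original thread) --->

<!--- setclientcookies="no": ColdFusion must not send its own CFID/CFTOKEN
      cookies, otherwise the unflagged originals would travel alongside the
      hardened copies set below. Sessions are still tracked from the incoming
      CFID/CFTOKEN cookie values. --->
<cfapplication name="hardenedApp"
               sessionmanagement="yes"
               setclientcookies="no"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- Assumption: CGI.SERVER_PORT_SECURE is 1 when this request arrived over SSL.
      The Secure attribute can only be set on an HTTPS request; once set, the
      browser will no longer send the cookie to plain-HTTP pages, so a site that
      mixes HTTP and HTTPS pages loses the session there. That is the limitation
      the reply describes, and why it recommends SSL for everything. --->
<cfset isSecureRequest = (cgi.server_port_secure eq 1)>

<!--- Assumption: Path=/ so the cookie covers the whole application.
      HttpOnly is always added; Secure only when it can actually be honoured. --->
<cfset cookieAttrs = ";Path=/;HttpOnly">
<cfif isSecureRequest>
    <cfset cookieAttrs = cookieAttrs & ";Secure">
</cfif>

<!--- One Set-Cookie header per cookie, exactly as in the question. --->
<cfheader name="Set-Cookie" value="CFID=#Session.CFID##cookieAttrs#">
<cfheader name="Set-Cookie" value="CFTOKEN=#Session.CFTOKEN##cookieAttrs#">
```

To confirm the change took effect, inspect the raw response headers (browser developer tools or a proxy) and check that both Set-Cookie lines carry HttpOnly, and Secure on HTTPS responses.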