RE: Secure attribute on CF Session Cookies

2013-12-06 Thread Robert Harrison

Thanks.  That's helpful. Appreciate it. 


Robert Harrison 
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austin_williams 

-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com] 
Sent: Friday, December 06, 2013 4:09 PM
To: cf-talk
Subject: Re: Secure attribute on CF Session Cookies


On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese  wrote:

>
> I've seen people request this before due to a PCI security audit. 
> Usually the best solution, depending on the code, is to switch to J2EE 
> session variables. Instead of physical cookies the session cookies are 
> true session cookies in browser memory. This would eliminate the secure 
> cookies issue.
>  I think?
>

You can create a browser session cookie for CFID/CFTOKEN cookies as well, you 
just have to write the cookies manually. But what Robert was asking about was 
the secure flag on the cookie, which indicates that the user agent should only 
send the cookie over a secure connection (eg HTTPS), again you have to do this 
by writing the cookies manually in CF9 and lower, here's an example showing how 
to do this:
http://www.petefreitag.com/item/764.cfm

For CF10 it is easy you just specify in your Application.cfc 
this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag to 
your JSESSIONID cookie on HTTPS requests, this causes your HTTP and HTTPS 
requests to be on different sessions, which for security is a good thing, but 
can lead to issues if you have coded your apps to expect otherwise. More info 
on that here: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion 
Consulting & Products http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes




~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357317
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Secure attribute on CF Session Cookies

2013-12-06 Thread Pete Freitag

On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese  wrote:

>
> I've seen people request this before due to a PCI security audit. Usually
> the best solution, depending on the code, is to switch to J2EE session
> variables. Instead of physical cookies the session cookies are true session
> cookies in browser memory. This would eliminate the secure cookies issue.
>  I think?
>

You can create a browser session cookie for CFID/CFTOKEN cookies as well,
you just have to write the cookies manually. But what Robert was asking
about was the secure flag on the cookie, which indicates that the user
agent should only send the cookie over a secure connection (eg HTTPS),
again you have to do this by writing the cookies manually in CF9 and lower,
here's an example showing how to do this:
http://www.petefreitag.com/item/764.cfm

For CF10 it is easy you just specify in your Application.cfc
this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag
to your JSESSIONID cookie on HTTPS requests, this causes your HTTP and
HTTPS requests to be on different sessions, which for security is a good
thing, but can lead to issues if you have coded your apps to expect
otherwise. More info on that here: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes




Re: SOT: file sharing recommendations

2013-12-06 Thread Russ Michaels

if you want file sharing and only file sharing and the best business
solution out there, then dropbox.com is probably the best bet.
However if you want more collaboration and sharing and integration with
your email, then I recommend Google Drive which is part of Google Apps.

Both of these can be accessed via mobile devices as well,so are very
flexible.


On Fri, Dec 6, 2013 at 7:06 PM, Matt Williams  wrote:

>
> I have been tasked with recommending some sort of file sharing solution for
> our office. Basic requirements:
> 1) File sharing between less than 10 employees.
> B) Access to these files in and out of office.
> 3) Off-site backup
> D) Possibly allow clients to upload files to specific, segregated locations
>
> We had been using a box with Windows Server Essentials with FileZilla FTP
> server, but that died. We currently just have a workstation with sharing
> set up.
>
> What are you using for these types of needs?
> Would something like DropBox or Google Drive make sense?
> Or is it safer in the long run to stick with a box we manage in house?
>
> Thanks for the input.
>
> -Matt
>
>
> 



Re: Secure attribute on CF Session Cookies

2013-12-06 Thread Wil Genovese

I’ve seen people request this before due to a PCI security audit. Usually the 
best solution, depending on the code, is to switch to J2EE session variables. 
Instead of physical cookies the session cookies are true session cookies in 
browser memory. This would eliminate the secure cookies issue.  I think? 





Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Dec 6, 2013, at 1:29 PM, Robert Harrison  wrote:

> 
> Is there any way to ensure the CFTOKEN and CFID cookies include the "secure" 
> attribute when sending over https?  
> 
> I see no way to do this on CF9.
> 
> Thanks
> 
> Robert Harrison 
> Director of Interactive Services
> 
> Austin & Williams
> Advertising I Branding I Digital I Direct  
> 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
> T 631.231.6600 X 119   F 631.434.7022   
> http://www.austin-williams.com
> 
> Blog:  http://www.austin-williams.com/blog
> Twitter:  http://www.twitter.com/austi
> 
> 



Re: Secure attribute on CF Session Cookies

2013-12-06 Thread Dave Watts

> Is there any way to ensure the CFTOKEN and CFID cookies include the "secure" 
> attribute when sending over https?
>
> I see no way to do this on CF9.

You need to disable CF's automatic setting of those cookies, then set
them yourself with CFCOOKIE.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
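Putting Pete's and Dave's answers into one file: the Application.cfc below is an example added to this archive page, not code from the thread, from the linked petefreitag.com articles, or from Adobe. It goes a little beyond the thread by handling both generations of the server in one file: on CF10 it relies on this.sessioncookie.secure, on CF9 and lower it turns off CF's automatic CFID/CFTOKEN cookies (this.setClientCookies = false) and writes them with CFCOOKIE, as Dave describes. Assumptions: the application name "secureCookieDemo" is a placeholder, the major version is read from server.coldfusion.productversion, and cgi.server_port_secure is used to detect HTTPS.

```cfml
<!--- Application.cfc (added example, placeholder application name) --->
<cfcomponent output="false">

    <cfset this.name = "secureCookieDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Major ColdFusion version, e.g. 9 from "9,0,1,274733" (assumed format). --->
    <cfset variables.cfMajorVersion = val(listFirst(server.coldfusion.productversion))>

    <cfif variables.cfMajorVersion gte 10>
        <!--- CF10 and later: the server itself writes CFID/CFTOKEN with the Secure flag. --->
        <cfset this.setClientCookies = true>
        <cfset this.sessioncookie.secure = true>
    <cfelse>
        <!--- CF9 and lower: stop CF writing CFID/CFTOKEN automatically. CF still reads
              them from the cookie scope on later requests, so we write them ourselves
              in onSessionStart and control the Secure flag there. --->
        <cfset this.setClientCookies = false>
    </cfif>

    <!--- True when the current request arrived over HTTPS. The CGI value is "1"/"0"
          on most connectors and "true"/"false" on some, hence the isBoolean guard. --->
    <cffunction name="isSecureRequest" access="private" returntype="boolean" output="false">
        <cfreturn isBoolean(cgi.server_port_secure) AND cgi.server_port_secure>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- A Secure cookie is never sent back over plain HTTP, so a plain-HTTP
              request would start a fresh session every time (the same split that Pete
              describes for JSESSIONID). Force HTTPS before any session work is done. --->
        <cfif NOT isSecureRequest()>
            <cflocation url="https://#cgi.server_name##cgi.script_name#?#cgi.query_string#"
                        statusCode="301" addToken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Only needed on CF9 and lower, and only worth doing over HTTPS: cookies
              written on an HTTP request would be rejected or unusable anyway. --->
        <cfif NOT this.setClientCookies AND isSecureRequest()>
            <!--- No "expires" attribute, so these are browser-session cookies that go away
                  when the browser closes; secure="yes" tells the user agent to send them
                  over HTTPS only. --->
            <cfcookie name="CFID" value="#session.CFID#" secure="yes">
            <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="yes">
        </cfif>
    </cffunction>

</cfcomponent>
```

The HTTPS redirect in onRequestStart is the part a PCI reviewer will ask about next: with the Secure flag set, CFID/CFTOKEN are invisible to the server on any HTTP request, so an application that still serves some pages over HTTP will see sessions appear to "reset" on those pages. Verify the result with the browser's developer tools or a tcpdump/Wireshark capture of a plain HTTP request: the Set-Cookie header for CFID and CFTOKEN should carry "Secure", and no CFID/CFTOKEN should ever appear in an HTTP request.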



Secure attribute on CF Session Cookies

2013-12-06 Thread Robert Harrison

Is there any way to ensure the CFTOKEN and CFID cookies include the "secure" 
attribute when sending over https?  

I see no way to do this on CF9.

Thanks

Robert Harrison 
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austi



Re: SOT: file sharing recommendations

2013-12-06 Thread John M Bliss

We discussed something similar here:
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:64336

Eventually, we ended up using one of our Rackspace servers, installing VPN
on all staff machines, and mapping the same drive letter on all staff
machines to \\RackspaceServer\OurShare


On Fri, Dec 6, 2013 at 2:06 PM, Matt Williams  wrote:

>
> I have been tasked with recommending some sort of file sharing solution for
> our office. Basic requirements:
> 1) File sharing between less than 10 employees.
> B) Access to these files in and out of office.
> 3) Off-site backup
> D) Possibly allow clients to upload files to specific, segregated locations
>
> We had been using a box with Windows Server Essentials with FileZilla FTP
> server, but that died. We currently just have a workstation with sharing
> set up.
>
> What are you using for these types of needs?
> Would something like DropBox or Google Drive make sense?
> Or is it safer in the long run to stick with a box we manage in house?
>
> Thanks for the input.
>
> -Matt
>
>
> 



SOT: file sharing recommendations

2013-12-06 Thread Matt Williams

I have been tasked with recommending some sort of file sharing solution for
our office. Basic requirements:
1) File sharing between less than 10 employees.
B) Access to these files in and out of office.
3) Off-site backup
D) Possibly allow clients to upload files to specific, segregated locations

We had been using a box with Windows Server Essentials with FileZilla FTP
server, but that died. We currently just have a workstation with sharing
set up.

What are you using for these types of needs?
Would something like DropBox or Google Drive make sense?
Or is it safer in the long run to stick with a box we manage in house?

Thanks for the input.

-Matt

