Re: httponly and cookie-secure
On Mon, May 19, 2014 at 9:45 AM, brad f wrote:
>
> Not sure what I am missing here. We are running Coldfusion 9.0.2 in a
> clustered environment. I added the -Dcoldfusion.sessioncookie.httponly=true
> to the jvm.config file. I restart the coldfusion instances. Run an
> application scan and it still says they are not httponly

I think that setting only applies to CFID/CFTOKEN cookies, not the jsessionid cookie. You can try this trick: http://www.petefreitag.com/item/740.cfm or use your web server to append httponly to the cookies for you.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358677
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
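An added example, not part of the original messages: a Python check of the kind an application scan performs, run over constructed response headers in which CFID/CFTOKEN carry HttpOnly but JSESSIONID does not, which is the situation the reply above describes. The header values and the function names are assumptions made for illustration.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly / Secure flags.
# The response headers below are constructed sample data, not captured output.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=1234; Expires=Thu, 12-May-2044 16:45:00 GMT; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=56789012; Expires=Thu, 12-May-2044 16:45:00 GMT; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=8430A1B2C3D4E5F6cfusion; Path=/",
    "Content-Type: text/html; charset=UTF-8",
]

REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header_line):
    """Return (cookie_name, set_of_lowercased_attribute_names) or None."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; flag attributes have no "=value".
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return cookie_name, attrs


def audit_cookies(header_lines, required=REQUIRED_FLAGS):
    """Map each cookie name to the sorted list of required flags it lacks."""
    findings = {}
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue  # not a Set-Cookie header
        cookie_name, attrs = parsed
        missing = sorted(f for f in required if f not in attrs)
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Running the same check on headers taken from each clustered instance after a restart shows whether a change reached the session cookie the scanner is flagging.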
Re: cfqueryparam to varchar raw problem
Previously the encrypt_column was going to a varchar, so it didn't need to do any of the RAW stuff.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358676
Re: cfqueryparam to varchar raw problem
I'll ask about this. I have to wait for the dba to come in.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358675
Re: cfqueryparam to varchar raw problem
Here is the code, simplified somewhat. This is the INSERT. The a_alien_last_name goes into a RAW (56bytes) field. It used to go into a VARCHAR. Following this is the ENCRYPT_COLUMN function in Oracle that is called in the INSERT.

    INSERT INTO F9089_ALIEN_INFO (
        F9089_id,
        alien_last_name
    ) VALUES (
        ,
        Encrypt_Column(RPAD(UPPER(NVL(,' ')),56,' '),'CFASJAAAEPTSKEJPI'))

encrypt_column in Oracle:

    CREATE OR REPLACE function encrypt_column
        (input_string in varchar2, key_string in varchar2)
    return raw is
        encrypted_string RAW(2048);
    begin
        if input_string is NULL then
            return NULL;
        else
            encrypted_string := dbms_obfuscation_toolkit.DES3Encrypt(
                input => UTL_RAW.CAST_TO_RAW(input_string),
                key   => UTL_RAW.CAST_TO_RAW(key_string));
            return (encrypted_string);
        end if;
    end;

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358674
Re: cfqueryparam to varchar raw problem
On Tue, May 20, 2014 at 9:01 PM, daniel kessler wrote:
> I am adding CFQueryparams to an INSERT. The item that I am sending over
> to the oracle 11g db is empty text. The CFQueryParam is varchar because I
> am sending it over as text.
> From there, it is encrypted and a Cast_to_RAW is done on it to be put in a
> RAW field. This is failing with an "invalid hex number" error.
>

I suspect you have a charset mismatch. What is the DB charset, CF charset and what is the setting for sending cfqueryparams as Unicode?

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358673