J2EE Session Cookies on ColdFusion / JRun

As you are probably aware, ColdFusion allows you to use the integrated J2EE sessions provided by the underlying J2EE server (by enabling the Use J2EE session variables setting in the ColdFusion Administrator). When this setting is enabled, a cookie called JSESSIONID stores the session identifier.
One of the drawbacks to session cookies in ColdFusion is that you have little control over the cookies that are created: you typically need to set the cookies again in your onSessionStart event method with cfcookie to add security settings such as HttpOnly or Secure.
J2EE servers typically provide a way to specify settings for the J2EE session cookie (usually called JSESSIONID; you can generally change the name of this cookie if you want). In JRun 4, the settings are added to the jrun-web.xml file located in the WEB-INF folder. Here's an example of how you might add the Secure flag to the JSESSIONID cookie:
    <jrun-web-app>
        <session-config>
            <cookie-config>
                <active>true</active>
                <cookie-secure>true</cookie-secure>
            </cookie-config>
        </session-config>
    </jrun-web-app>
It is important to understand that this change affects every site on your ColdFusion server, so it may not be the best approach for all server setups.
You can find the documentation for the JRun session-config tag and its children in the JRun 4 documentation.
So what about HttpOnly cookies? You have probably noticed that there is no setting for this in JRun. I did find a way to get it working by appending the flag to the cookie path, for example:
    <cookie-path>/;HttpOnly</cookie-path>
That's not documented anywhere, but it does work. If you are using a JEE server other than JRun (e.g. Tomcat, WebLogic, etc.), there is probably a documented method for creating HttpOnly J2EE session cookies.
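Whichever route you take (cookie-secure, the cookie-path trick, or cfcookie in onSessionStart), the thing worth checking is the Set-Cookie header the browser actually receives. The following is an added example, not code from the original post or from JRun: it parses response header lines the way a browser does (attributes split on ';', RFC 6265) and reports which of Secure and HttpOnly are missing on JSESSIONID. The header lines are constructed samples, not captured from a real server; the one labelled PATH_TRICK shows why the undocumented setting works: the server emits Path=/;HttpOnly verbatim, and the browser tokenizes HttpOnly as its own attribute.

```python
"""Audit a response's Set-Cookie header for the session-cookie flags.

Added example for the post above; the sample responses are constructed,
not recorded from JRun.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)  # lower-cased attr -> value
    missing: list = field(default_factory=list)     # required flags not present


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Browsers split on ';' (RFC 6265 section 5.2). That is exactly why
    <cookie-path>/;HttpOnly</cookie-path> works on JRun: the server writes
    'Path=/;HttpOnly' and the client reads HttpOnly as a separate attribute.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header_lines, cookie_name="JSESSIONID",
                         required=("secure", "httponly")):
    """Return a CookieAudit for the named cookie, or None if it was never set."""
    for line in header_lines:
        field_name, _, field_value = line.partition(":")
        if field_name.strip().lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(field_value)
        if name.lower() != cookie_name.lower():
            continue
        missing = [flag for flag in required if flag not in attrs]
        return CookieAudit(name=name, attributes=attrs, missing=missing)
    return None


# Constructed sample responses (not captured from a real server).
DEFAULT_JRUN = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=1234abcd; Path=/",
]
SECURE_ONLY = [  # cookie-secure=true, nothing for HttpOnly
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=1234abcd; Path=/; Secure",
]
PATH_TRICK = [  # cookie-secure=true plus <cookie-path>/;HttpOnly</cookie-path>
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=1234abcd; Path=/;HttpOnly; Secure",
]


def report(header_lines):
    """Human-readable one-liner for a response's JSESSIONID cookie."""
    result = audit_session_cookie(header_lines)
    if result is None:
        return "JSESSIONID: not set"
    if not result.missing:
        return "JSESSIONID: ok (Secure and HttpOnly present)"
    return "JSESSIONID: missing " + ", ".join(result.missing)


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_JRUN),
                          ("secure only", SECURE_ONLY),
                          ("path trick", PATH_TRICK)):
        print(f"{label:12} {report(sample)}")
```

To check a live server, feed the function the header lines from a request that starts a session (for example the output of curl -sI against a page, split on newlines) and confirm that the missing list is empty.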
Tags: jrun, coldfusion, sessions, jsessionid, j2ee, cookies
Related Entries
- CFLogin Security Considerations - December 10, 2009
- Installing multiple versions of CFMX on JRun - February 8, 2005
Comments
On 05/03/2010 at 1:40:39 AM EDT Paul E. wrote:
Does this work in CF8, 9, or both? I tried adding your httpOnly cookie-path tag to a CF8 config file, but could not get the CF service to restart.
On 05/26/2010 at 12:37:51 PM EDT Joe Bernard wrote:
Pete,
Just a small typo correction in the XML (missing a / in the closing cookie-config tag).
    <jrun-web-app>
        <session-config>
            <cookie-config>
                <active>true</active>
                <cookie-secure>true</cookie-secure>
            </cookie-config>
        </session-config>
    </jrun-web-app>
On 06/29/2010 at 6:27:21 PM EDT John Sieber wrote:
Found this blog post while researching how to set HttpOnly by default with ColdFusion. It appears that using <cookie-path>/;HttpOnly</cookie-path> will solve the issue. Does it belong inside the <cookie-config> tags like so?
    <jrun-web-app>
        <session-config>
            <cookie-config>
                <cookie-path>/;HttpOnly</cookie-path>
            </cookie-config>
        </session-config>
    </jrun-web-app>