Client Variable Cookie CFGLOBALS Includes Session Ids
July 14, 2011
I was recently conducting a CFML security review for a client and realized that when client variables are set to use cookies, the session IDs (CFID and CFTOKEN) are included in the CFGLOBALS cookie.
This means that from a security perspective you need to protect the CFGLOBALS cookie just as you would the CFID and CFTOKEN cookies: set the HttpOnly flag, and the Secure flag if the site is served over HTTPS. Hardening CFID and CFTOKEN alone buys nothing if an attacker who can read cookies (for example through XSS) can pull the same identifiers out of CFGLOBALS.
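To check for this in a response, the following is an added example written for this post (it is not code from the original entry or from ColdFusion). It parses raw Set-Cookie header values and reports any of the three session-bearing cookies (CFID, CFTOKEN, CFGLOBALS) that are missing HttpOnly or Secure. The sample headers are constructed; the CFGLOBALS value is modelled on the URL-encoded list ColdFusion stores there, which embeds the CFID and CFTOKEN.

```python
"""Audit Set-Cookie headers for ColdFusion session-bearing cookies.

Added example, not code from the original post. It flags CFID, CFTOKEN
and CFGLOBALS cookies that are sent without the HttpOnly or Secure flag,
using constructed response headers rather than a live server.
"""

# Cookies that carry (or, in the case of CFGLOBALS, embed) the session IDs.
SESSION_COOKIES = {"cfid", "cftoken", "cfglobals"}


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    attrs maps lowercased attribute names to their values; flags that take
    no value (HttpOnly, Secure) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookies(headers, require_secure=True):
    """Return {cookie_name: [missing flags]} for session-bearing cookies.

    headers is an iterable of Set-Cookie header values, one per cookie.
    Cookies that are not session-bearing, or that already carry every
    required flag, are left out of the result. Pass require_secure=False
    for a site that is not served over HTTPS.
    """
    required = ["httponly"] + (["secure"] if require_secure else [])
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed headers modelled on a ColdFusion server with client variables
# stored in cookies: CFID and CFTOKEN have been hardened, but CFGLOBALS
# still carries the same identifiers with no flags at all.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CFTOKEN=87654321; Path=/; HttpOnly; Secure",
    "CFGLOBALS=urltoken%3DCFID%23%3D12345%26CFTOKEN%23%3D87654321"
    "%23lastvisit%3D%7Bts%20%272011%2D07%2D14%27%7D%23; Path=/",
    "theme=dark; Path=/",  # not session-bearing, so it is ignored
]

if __name__ == "__main__":
    for cookie, flags in audit_set_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Run it against the Set-Cookie headers from a real response (for example copied out of a proxy) and it will list CFGLOBALS alongside any unprotected CFID or CFTOKEN, which is exactly the gap a review that only looks at the two obvious cookies will miss.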
| Tags: coldfusion, security, cfml, client variables, cookies, httponly