Client Variable Cookie CFGLOBALS Includes Session Ids

July 14, 2011
coldfusion

I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.

This means that from a security prospective you need to protect the CFGLOBALS cookie just like you would the CFIDE and CFTOKEN cookies by setting the HTTPOnly flag and possibly the secure flag.



Related Entries

This entry was:

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?