Setting up HTTPOnly Session Cookies for ColdFusion
I recently updated my ColdFusion Security Scanner, hackmycf.com, to check for the omission of HTTPOnly session cookies. It now provides a warning if the jsessionid cookies do not set the HTTPOnly flag. We now also offer a subscription service which will scan your server automatically on a daily, weekly, monthly or quarterly basis.
ColdFusion 9 also introduced an attribute on the cfcookie tag called httponly, which you can set to a boolean value. Prior to CF9 you can still create HTTPOnly cookies with ColdFusion, but you have to use cfheader instead of cfcookie to write the cookies.
If Running ColdFusion 10 or Above
ColdFusion 10 added an HTTPOnly setting to the ColdFusion Administrator under Server Settings » Memory Variables. Check that checkbox and you should be good.
You can also force this in your Application.cfc by specifying:

    this.sessioncookie.httponly = true;
If running ColdFusion 9.0.1
The ColdFusion 9.0.1 update added support via a Java system property called coldfusion.sessioncookie.httponly. You can turn this on by editing jvm.config and adding the following to the
If you are running standalone (not multi-server/J2EE mode), you can add this in the ColdFusion Administrator
If Running CF 9.0 or Greater
If you have not upgraded to 9.0.1 yet, or would rather solve this issue in your code, here’s an example Application.cfc file you could use:
    <cfcomponent>
        <cfset this.sessionmanagement = true>
        <cfset this.setclientcookies = false>
        <cffunction name="onSessionStart">
            <cfcookie name="CFID" value="#session.cfid#" httponly="true">
            <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
        </cffunction>
    </cfcomponent>
If Running CF 8 or Lower and using Application.cfc
    <cfcomponent>
        <cfset this.sessionmanagement = true>
        <cfset this.setclientcookies = false>
        <cffunction name="onSessionStart">
            <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
            <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
        </cffunction>
    </cfcomponent>

Make sure you have setclientcookies = false specified; otherwise ColdFusion will also send its own CFID and CFTOKEN cookies, without the HTTPOnly flag, alongside the ones you write.
If Using Application.cfm
If you are still using an Application.cfm file, you can use the following:

    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
If using J2EE Session Cookies (jsessionid)
If you are using CF 9.0.1 or greater, use the Java system property described above.
If you are using CF 9.0 or lower, then you can edit the jrun-web.xml file located in WEB-INF as described here to enable HTTPOnly cookies.
Jason Dean has also come up with a way to do this in onSessionStart as well.
Consider Setting The Secure Flag
If you have SSL, also consider setting the secure flag on your cookies. When the browser is given a cookie with the secure flag, it only sends that cookie over an HTTPS connection.
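Whichever of the approaches above you use, it is worth verifying the result from the outside: capture the Set-Cookie headers your server actually sends and check that every session cookie carries HTTPOnly (and Secure, when served over HTTPS). The script below is an added example and is not code from the original post or from hackmycf.com. It parses Set-Cookie header values by hand rather than through http.cookies, and the sample headers are constructed input, not output from any real server.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags on
ColdFusion session cookies (CFID, CFTOKEN, JSESSIONID).

Added example, not code from the original post or from hackmycf.com.
SAMPLE_HEADERS below is constructed sample input.
"""

# Cookie names that carry a ColdFusion / J2EE session identifier.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so "HTTPOnly", "HttpOnly" and
    "httponly" all compare equal; valueless attributes map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, https=True):
    """Return (cookie name, problem) pairs for session cookies that lack
    HttpOnly, or lack Secure when the site is served over HTTPS.

    Non-session cookies are ignored; an empty list means all good.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


# Constructed sample headers in the shape a ColdFusion server might send;
# the ids are made up.
SAMPLE_HEADERS = [
    "CFID=12345;path=/;HTTPOnly",
    "CFTOKEN=67890123;path=/",
    "JSESSIONID=ABCDEF0123456789;Path=/;HttpOnly;Secure",
    "lang=en;path=/",
]

if __name__ == "__main__":
    for cookie_name, problem in audit_cookies(SAMPLE_HEADERS, https=True):
        print(f"{cookie_name}: {problem}")
```

Run against the sample input it reports CFID as missing Secure and CFTOKEN as missing both flags, while JSESSIONID passes and the non-session cookie is skipped. Pass https=False for a site that is only served over plain HTTP, so that only the HttpOnly check applies.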
Setting up HTTPOnly Session Cookies for ColdFusion was first published on September 13, 2010.