Client Variable Cookie CFGLOBALS Includes Session Ids
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use cookies, the session IDs (e.g. CFID and CFTOKEN) are included in the CFGLOBALS cookie.

This means that from a security perspective you need to protect the CFGLOBALS cookie just like you would the CFID and CFTOKEN cookies, by setting the HTTPOnly flag and possibly the secure flag.
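A quick way to check for the problem described above is to audit the Set-Cookie headers a ColdFusion application returns and flag any session-bearing cookie (CFID, CFTOKEN, and CFGLOBALS) that lacks HttpOnly or Secure. The following is an added example, not code from the original post; the sample header values are constructed and the CFGLOBALS value is only a placeholder, not the real cookie format.

```python
"""Audit ColdFusion session cookies (CFID, CFTOKEN, CFGLOBALS) for HttpOnly/Secure.

Added example: run it against Set-Cookie header values captured from a
ColdFusion response (e.g. from a proxy log or a test harness).
"""
from http.cookies import SimpleCookie  # parses "name=value; Path=/; HttpOnly; Secure"

# CFGLOBALS is included because, with client variables stored in cookies,
# it carries the session identifiers just like CFID and CFTOKEN do.
SESSION_COOKIES = {"CFID", "CFTOKEN", "CFGLOBALS"}

# Constructed sample response headers; the CFGLOBALS value is a placeholder.
SAMPLE_SET_COOKIE_HEADERS = [
    "CFID=1234; Path=/; HttpOnly; Secure",
    "CFTOKEN=5678ABCD; Path=/; HttpOnly; Secure",
    "CFGLOBALS=urltoken%3DCFID%3D1234%26CFTOKEN%3D5678ABCD; Path=/",
]


def audit_set_cookie(headers, require_secure=True):
    """Return {COOKIE_NAME: [missing flags]} for each session cookie found.

    An empty list means the cookie already carries every required flag.
    """
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name.upper() not in SESSION_COOKIES:
                continue  # application cookies are out of scope for this check
            missing = []
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if require_secure and not morsel["secure"]:
                missing.append("Secure")
            findings[name.upper()] = missing
    return findings


def harden_set_cookie(raw, require_secure=True):
    """Return the Set-Cookie value with HttpOnly (and Secure) appended if absent.

    Non-session cookies are returned unchanged.
    """
    jar = SimpleCookie()
    jar.load(raw)
    name, morsel = next(iter(jar.items()))
    if name.upper() not in SESSION_COOKIES:
        return raw
    out = raw.rstrip().rstrip(";")
    if not morsel["httponly"]:
        out += "; HttpOnly"
    if require_secure and not morsel["secure"]:
        out += "; Secure"
    return out
```

On the constructed sample, `audit_set_cookie` reports CFGLOBALS as missing both flags while CFID and CFTOKEN pass, which is exactly the gap a review of only the "obvious" session cookies would overlook.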
Client Variable Cookie CFGLOBALS Includes Session Ids was first published on July 14, 2011.