Pete FreitagClient Variable Cookie CFGLOBALS Includes Session Ids
July 14, 2011
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.
This means that from a security prospective you need to protect the CFGLOBALS cookie just like you would the CFIDE and CFTOKEN cookies by setting the HTTPOnly flag and possibly the secure flag.
Tweet
Permalink | Add Comment |
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
Related Entries
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Maximum Security CFML - cfObjective Slides - May 17, 2011
- Setting up HTTPOnly Session Cookies for ColdFusion - September 13, 2010
Recent Entries
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained
