Client Variable Cookie CFGLOBALS Includes Session Ids
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use cookies, the session IDs (eg CFID and CFTOKEN) are included in the CFGLOBALS cookie.

This means that from a security perspective you need to protect the CFGLOBALS cookie just like you would the CFID and CFTOKEN cookies, by setting the HttpOnly flag and, where the site is served over HTTPS, the Secure flag.
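A quick way to confirm the point above on a real response is to audit the `Set-Cookie` headers a ColdFusion server sends back and flag any session-bearing cookie (CFID, CFTOKEN, JSESSIONID, and CFGLOBALS when its value carries CFID/CFTOKEN) that is missing `HttpOnly` or `Secure`. The script below is an added example written for this post, not code from the post itself; the sample headers, including the URL-encoded CFGLOBALS value, are constructed to resemble what ColdFusion emits and are not captured from a live server.

```python
import re
from urllib.parse import unquote

# Cookie names that directly hold a session identifier.
DIRECT_SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}
# Flags every session-bearing cookie should carry (compared case-insensitively).
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Boolean attributes such as HttpOnly and Secure have no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def session_ids_in_cfglobals(value):
    """Return the set of session id names found inside a CFGLOBALS value.

    The value is URL-encoded and, when client variables are stored in
    cookies, contains a urltoken of the form CFID#=...&CFTOKEN#=... .
    """
    decoded = unquote(value)
    return {m.upper() for m in re.findall(r"(CFID|CFTOKEN)#?=", decoded, re.I)}


def carries_session_id(name, value):
    """True when this cookie exposes a session identifier to the browser."""
    upper = name.upper()
    if upper in DIRECT_SESSION_COOKIES:
        return True
    if upper == "CFGLOBALS":
        return bool(session_ids_in_cfglobals(value))
    return False


def audit_set_cookie_headers(headers):
    """Return [(cookie_name, (missing_flag, ...)), ...] for weak session cookies."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if not carries_session_id(name, value):
            continue
        missing = tuple(flag for flag in REQUIRED_FLAGS if flag not in attrs)
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample Set-Cookie headers (not captured from a real server).
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CFTOKEN=abcdef; Path=/; HttpOnly",
    "CFGLOBALS=urltoken%3DCFID%23%3D12345%26CFTOKEN%23%3Dabcdef"
    "%23lastvisit%3D%7Bts%20%272019-01-01%2012%3A00%3A00%27%7D; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run against the constructed headers it reports CFTOKEN as missing `Secure` and CFGLOBALS as missing both flags, while the unrelated `theme` cookie is ignored; the CFGLOBALS finding is the one that is easy to overlook when only CFID and CFTOKEN are hardened.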
Tags: coldfusion, security, cfml, client variables, cookies, httponly
