Pete FreitagClient Variable Cookie CFGLOBALS Includes Session Ids
July 14, 2011
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.
This means that from a security prospective you need to protect the CFGLOBALS cookie just like you would the CFIDE and CFTOKEN cookies by setting the HTTPOnly flag and possibly the secure flag.
Tweet
Permalink | Add Comment |
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
Related Entries
- Fixinator and Foundeo Security Bundle - May 14, 2019
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Maximum Security CFML - cfObjective Slides - May 17, 2011
Recent Entries
- Travis CI Error when installing oraclejdk8
- Tuning Tomcat IIS Connectors worker.properties and server.xml
- Push Tomcat logs with the AWS CloudWatch Logs Agent
- Sending nginx access logs to CloudWatch Logs Agent
- Setup CloudWatch Logs Agent on Ubuntu 18.04 LTS
- Tomcat Virtual Directory Howto
- Communications link failure MySQL JDBC with TLS
- Redirect www and non https in IIS using web.config
