Pete FreitagClient Variable Cookie CFGLOBALS Includes Session Ids
July 14, 2011
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.
This means that from a security prospective you need to protect the CFGLOBALS cookie just like you would the CFIDE and CFTOKEN cookies by setting the HTTPOnly flag and possibly the secure flag.
Tweet
Permalink | Add Comment |
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
add to del.icio.us
| Tags: coldfusion, security, cfml, client variables, cookies, httponly
Related Entries
- Fixinator and Foundeo Security Bundle - May 14, 2019
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Maximum Security CFML - cfObjective Slides - May 17, 2011
Recent Entries
- Redirect www and non https in IIS using web.config
- Not authorized to perform: ssm:GetParameters
- What is the difference between ASCII Chr(10) and Chr(13)
- Fixinator and Foundeo Security Bundle
- Running CFML on AWS Lambda with FuseLess Slides
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
