Pete FreitagClient Variable Cookie CFGLOBALS Includes Session Ids
July 14, 2011
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.
This means that from a security prospective you need to protect the CFGLOBALS cookie just like you would the CFIDE and CFTOKEN cookies by setting the HTTPOnly flag and possibly the secure flag.
Like this? Follow me ↯
Tweet Follow @pfreitagYou might also like:
- Fixinator and Foundeo Security Bundle - May 14, 2019
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Maximum Security CFML - cfObjective Slides - May 17, 2011
- Setting up HTTPOnly Session Cookies for ColdFusion - September 13, 2010
- Writing Secure CFML Slides from CFUnited 2010 - August 5, 2010
- 10 Ideas to Improve Security in ColdFusion 10 - June 18, 2010
