SameSite Cookies with IIS

Tags: coldfusion, java, web

SameSite cookies are a great technique for mitigating Cross Site Request Forgery attacks. The only downside is that not all browsers support them yet (ahem... looking at you, IE).

Client Variable Cookie CFGLOBALS Includes Session Ids

Tags: coldfusion

I was recently conducting a CFML security review for a client and realized that when you have client variables set to use cookies, the session IDs (e.g. CFID and CFTOKEN) are included in the CFGLOBALS cookie.

Setting up HTTPOnly Session Cookies for ColdFusion

Tags: coldfusion

Internet Explorer pioneered a great security feature for cookies called HTTPOnly: when this flag is set, the browser does not allow JavaScript to access the cookie. Now that all modern browsers support this flag, it can reduce the risk of session hijacking due to cross site scripting.

J2EE Session Cookies on ColdFusion / JRun

Tags: coldfusion, java

As you are probably aware, ColdFusion allows you to use the integrated J2EE sessions provided by the underlying J2EE server (by enabling the "Use J2EE session variables" setting in the ColdFusion Administrator).

CFLogin Security Considerations

Tags: coldfusion

If you use the cflogin tag to manage authentication, you should consider setting loginstorage="session" in your Application.cfc or Application.cfm file for better security.

Firefox Now Supports HttpOnly Cookies

Tags: web

You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1.

Firefox 2.0.0.5, which was released just the other day, now supports it.

Objection - Firefox Extension for removing Local Shared Objects

Tags: web

Greg Yardley has created a Firefox plugin called Objection in response to my and other blog posts about the privacy concerns of Local Shared Objects, or Flash Cookies.

The plugin adds a clear button for Local Shared Objects to the privacy options in Firefox.

Flash Cookies - Local Shared Objects

Tags: web

There is lots of buzz over marketers using Flash's Local Shared Objects to store client-side information instead of traditional HTTP cookies. This is a response to a report from Jupiter Research stating that 38% of web users delete cookies on a regular basis.
