An update on HTTPOnly marked cookies in Railo 4.1

by kai on 30/11/2013

In January this year, I wrote a blog post to advise people how to make the default installation of a Railo 4 server more secure. One of the elements was to make sure you’re using HttpOnly marked cookies for your session cookies (depending on your setup that might be JSESSIONID or CFID/CFTOKEN).

In the blog post, I’ve described how this can be achieved on a Tomcat context level if you’re using J2EE sessions and JSESSIONID, but there was no solution for using the legacy CFID/CFTOKEN session cookies stemming from the early days of Adobe ColdFusion.

In the meantime, there’s been some activity:

a) Since Railo 4.1, you can create HttpOnly-marked cookies through CFCOOKIE. Even though I haven’t tried it out yet, it’s been clearly documented in the (now closed) ticket RAILO-1339

b) There’s a new ticket (RAILO-2773) to make sure that the client/session cookies of your Railo installation are by default going to be marked HttpOnly. In the comments to Railo-1339, we discussed the potential implications in regards backwards compatibility, but there’s really no reason whatsoever for Javascript to access CFID/CFTOKEN — not even in old legacy apps. Go and vote for RAILO-2773 please! 🙂

In addition to that, Chris Blackwell has suggested a workaround on the Railo mailinglist:

Set the following in Application.cfc:

this.setclientcookies = false;

And then put this in your onRequestStart function:

array('CFID','CFTOKEN','JSESSIONID').each(function(c) {
  if(structKeyExists(session, c)) {
    cookie name=c value="#session[ c ]#" httponly="true";

Interesting topic and you’ve got an opinion on it you’d like to share? Just join the discussion thread!

Igal December 2, 2013 at 10:02 am

I think that you have a typo in the example code. value should be Session[c][/c] and not Session1.

also, from Railo forward CFID and CFTOKEN cookies will be sent as HTTPOnly cookies.

Comments on this entry are closed.

Previous post:

Next post: