In January this year, I wrote a blog post to advise people how to make the default installation of a Railo 4 server more secure. One of the elements was to make sure you’re using HttpOnly marked cookies for your session cookies (depending on your setup that might be JSESSIONID or CFID/CFTOKEN).
In that blog post, I described how this can be achieved at the Tomcat context level if you are using J2EE sessions and JSESSIONID, but there was no solution for the legacy CFID/CFTOKEN session cookies, which stem from the early days of Adobe ColdFusion.
In the meantime, there’s been some activity:
a) Since Railo 4.1, you can create HttpOnly-marked cookies through CFCOOKIE. Even though I haven’t tried it out yet, it’s clearly documented in the (now closed) ticket RAILO-1339.
b) There’s a new ticket (RAILO-2773) to make sure that the client/session cookies of your Railo installation are marked HttpOnly by default. In the comments on RAILO-1339, we discussed the potential backwards-compatibility implications, but there’s really no reason whatsoever for JavaScript to access CFID/CFTOKEN — not even in old legacy apps. Go and vote for RAILO-2773 please! 🙂
In addition to that, Chris Blackwell has suggested a workaround on the Railo mailing list:
Set the following in Application.cfc:
this.setclientcookies = false;
And then put this in your onRequestStart function:
// Re-issue each session cookie that exists in the session scope, this time with the HttpOnly flag set
array('CFID', 'CFTOKEN', 'JSESSIONID').each(function(c) {
    if (structKeyExists(session, c)) {
        cookie name=c value="#session[c]#" httponly="true";
    }
});
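Putting the two pieces of the workaround together in a complete Application.cfc, as an added example (it is not code from the original post or from Railo itself). It assumes Railo 4.1+ script syntax for tags, a hypothetical application name, and that CGI.SERVER_PORT_SECURE is 1 for requests that arrived over TLS; it also adds the Secure flag, which the post does not mention, but only when the request really came in over HTTPS, so a plain-HTTP development box does not lose its session on every request.

```cfml
// Application.cfc (added example, not the original post's code)
component {
    this.name = "httponly-cookie-demo";                 // hypothetical application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Stop Railo from sending CFID/CFTOKEN itself (they would lack HttpOnly);
    // onRequestStart() below re-issues them with the flag set.
    this.setClientCookies = false;

    public boolean function onRequestStart(required string targetPage) {
        // Assumption: CGI.SERVER_PORT_SECURE is 1 for TLS requests. Behind a
        // reverse proxy that terminates TLS upstream this may always be 0; in
        // that case derive the flag from the proxy's forwarded-proto header.
        var isHttps = (cgi.server_port_secure == 1);

        // Only cookies present in the session scope are sent; with J2EE
        // sessions CFID/CFTOKEN may simply not exist, and that is fine.
        var cookieNames = ["CFID", "CFTOKEN", "JSESSIONID"];
        for (var c in cookieNames) {
            if (structKeyExists(session, c)) {
                cookie name="#c#"
                       value="#session[c]#"
                       path="/"
                       httponly="true"
                       secure="#isHttps#";
            }
        }
        return true;
    }
}
```

After deploying, check the response headers of a fresh (cookie-less) request: every Set-Cookie line for CFID, CFTOKEN and JSESSIONID should carry the HttpOnly attribute, and on HTTPS the Secure attribute as well.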
Interesting topic and you’ve got an opinion on it you’d like to share? Just join the discussion thread!
I think that you have a typo in the example code. value should be Session[c] and not Session1.
Also, from Railo 4.1.2.005 forward, CFID and CFTOKEN cookies will be sent as HttpOnly cookies.