Forcing HttpOnly cookies with JRun/ColdFusion

Question

We need to ensure that all cookies on a CF7 site are set as HttpOnly.

We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.

Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.

Any suggestions?

Related Question: Setting Secure flag for HTTPS cookies.

score 3 · Answer 1 · edited Mar 13 '11 at 18:00

From: http://www.petefreitag.com/item/764.cfm

Running CF 8 or Lower and using Application.cfc

<cfcomponent>
  <cfset this.sessionmanagement = true>
  <cfset this.setclientcookies = false>
  <cffunction name="onSessionStart">
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cffunction>
<cfcomponent>

Make sure you have setclientcookies = false specified.

If Using Application.cfm

If you are still using an Application.cfm file, you can use the following:

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

score 3 · Answer 2 · answered Aug 03 '11 at 06:15

First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:

While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like

C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.

You have to add the following to the cookie-config section:

<cookie-config>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If your site is HTTPS, you should also enable the secure cookie option. But be careful, its server wide, not application specific. So it may not be suitable for your shared environment:

<cookie-config>
    <cookie-secure>true</cookie-secure>
    <cookie-path>/;HttpOnly</cookie-path>
</cookie-config>

If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01 Dcoldfusion.sessioncookie.httponly

I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.

score 0 · Answer 3 · answered Jun 29 '09 at 16:51

0

The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.

Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?

answered Jun 29 '09 at 16:51

Adam Tuttle

19,505
17
80
113

We're unfortunately going via IIS 5, so can't do URL rewriting without expensive, buggy, third-party plugins. Unless there is some rewriting that can be done at the JRun level? – Peter Boughton Jun 30 '09 at 12:47
I'm not aware of any JRun-level url rewriters. Running on IIS 5 seems like an odd requirement... but I can certainly understand that sometimes you have to work with what you've got. Good luck! :) – Adam Tuttle Jun 30 '09 at 13:20

Forcing HttpOnly cookies with JRun/ColdFusion

3 Answers3

Linked