tags:

views:

696

answers:

2
+3  Q: 

Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly.

We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.

Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.

Any suggestions?


Related Question: Setting Secure flag for HTTPS cookies.

+1  A: 

Good post all about it here: http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

DanSingerman  2009-06-26 11:05:51
I had an answer ready with the same reference, but that solution relies on modifying an existing cookie. Peter was asking whether you could create a jsessionid HttpOnly cookie from scratch
Vincent Buck  2009-06-26 11:13:37
We've tried something Jason Dean suggested before, but I think this is a new post. The key difference is that it is expiring the existing cookie and creating a new one all on the first request?
Peter Boughton  2009-06-26 11:18:44
(What we currently have involves a cflocation in onSessionStart, which works in some cases, but causes assorted other nightmares.)
Peter Boughton  2009-06-26 11:19:15
Vincent, the problem with a normal modification of the existing cookie is that the first request isn't secure (and our security scanning software picks this up and fails us) - the goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.
Peter Boughton  2009-06-26 11:22:41
A: 

The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.

Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?

Adam Tuttle  2009-06-29 16:51:32
We're unfortunately going via IIS 5, so can't do URL rewriting without expensive, buggy, third-party plugins. Unless there is some rewriting that can be done at the JRun level?
Peter Boughton  2009-06-30 12:47:06
I'm not aware of any JRun-level url rewriters. Running on IIS 5 seems like an odd requirement... but I can certainly understand that sometimes you have to work with what you've got. Good luck! :)
Adam Tuttle  2009-06-30 13:20:50

related questions

Restarting ColdFusion mail queue
ColdFusion mail queue stops processing
in ColdFusion 8, can you declare a function as private using cfscript?
ColdFusion Template Request count optimization
How do I speed up data retrieval from .NET AD within ColdFusion
How to call a function dynamically that is part of an instantiated cfc, without using Evaluate()?
Using Google Maps in Coldfusion
We're manually mapping our internal data elements to external vendors' xml schema. there's gotta be a better way...
How do I turn a ColdFusion page into a PDF download?
Importing Access data into SQL Server using ColdFusion
jquery: JFrame plugin fails in IE 7
How do I programatically sanitise coldfusion cfquery parameters.
ColdFusion: Is it safe to leave out the variables keyword in a CFC?
How should you go about learning ASP.NET after life as a ColdFusion developer?
BOM not expected in CF but sent by IIS/SP
cfqueryparam with like operator in coldfusion
Is it possible to find code coverage in ColdFusion?
How can you test to see if two arrays are the same using CFML?
Why is my PDF footer text invisible?
Coldfusion - When to use the "request" scope?
How do I convert images between CMYK and RGB in ColdFusion (java)?
How do I use NTLM authentication with Active Directory
Dynamic Alphabetical Navigation
Wrapping lists into columns
How to get started "writing" a code coverage tool?