We need to ensure that all cookies on a CF7 site are set as HttpOnly.

We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.

Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.

Any suggestions?


Related Question: Setting Secure flag for HTTPS cookies.

+1  A: 

Good post all about it here: http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

DanSingerman
I had an answer ready with the same reference, but that solution relies on modifying an existing cookie. Peter was asking whether you could create a jsessionid HttpOnly cookie from scratch
Vincent Buck
We've tried something Jason Dean suggested before, but I think this is a new post. The key difference is that it is expiring the existing cookie and creating a new one all on the first request?
Peter Boughton
(What we currently have involves a cflocation in onSessionStart, which works in some cases, but causes assorted other nightmares.)
Peter Boughton
Vincent, the problem with a normal modification of the existing cookie is that the first request isn't secure (and our security scanning software picks this up and fails us) - the goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.
Peter Boughton
A: 

The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.

Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?

Adam Tuttle
We're unfortunately going via IIS 5, so can't do URL rewriting without expensive, buggy, third-party plugins. Unless there is some rewriting that can be done at the JRun level?
Peter Boughton
I'm not aware of any JRun-level url rewriters. Running on IIS 5 seems like an odd requirement... but I can certainly understand that sometimes you have to work with what you've got. Good luck! :)
Adam Tuttle
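Putting the two approaches from this thread together (re-issuing the JSESSIONID cookie with the missing flags on the first request, and redirecting HTTP to HTTPS inside ColdFusion because IIS 5 has no rewriting), here is an added Application.cfc sketch. It is not the code from the 12robots post or from anyone in the thread, and it assumes J2EE session variables are enabled so that session.sessionid holds the JRun-issued JSESSIONID, and that the browser keeps the last Set-Cookie it receives for a given cookie name.

```cfml
<!--- Application.cfc (added example, not code from the thread or the linked post) --->
<!--- Assumptions: J2EE session variables are enabled in the CF Administrator, so
      session.sessionid is the JSESSIONID value JRun issued; the browser applies
      the last Set-Cookie header it sees for a cookie name. --->
<cfcomponent output="false">
    <cfset this.name = "httpOnlyJsessionDemo" />
    <cfset this.sessionManagement = true />

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />

        <!--- Step 1: never answer a plain-HTTP request with content. Doing the
              redirect here stands in for the IIS URL-rewrite rule that IIS 5
              cannot provide. addtoken="false" keeps the session id out of the
              redirect URL; the query string is preserved. --->
        <cfif NOT cgi.server_port_secure>
            <cfset var redirectTo = "https://" & cgi.server_name & cgi.script_name />
            <cfif len(cgi.query_string)>
                <cfset redirectTo = redirectTo & "?" & cgi.query_string />
            </cfif>
            <cflocation url="#redirectTo#" addtoken="false" />
        </cfif>

        <!--- Step 2: on this (now HTTPS) request, send Set-Cookie again for the
              same name with the flags JRun omits. The first secure response thus
              already carries HttpOnly and Secure, so the scanner sees a compliant
              cookie from the start and no cflocation in onSessionStart is needed.
              Repeating this on every request is harmless: same name, same value. --->
        <cfheader name="Set-Cookie"
                  value="JSESSIONID=#session.sessionid#; path=/; Secure; HttpOnly" />

        <cfreturn true />
    </cffunction>
</cfcomponent>
```

Check the result by capturing the very first response in a fresh browser session: the Set-Cookie header for JSESSIONID should show both Secure and HttpOnly, and the value should match what the scanner later sees on subsequent requests.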