CFID and CFTOKEN


Sid Wing

Apr 5, 2016, 10:03:28 AM
to Lucee
Is there a way to configure Lucee to ensure that CFID/CFTOKEN cookies are generated as "HTTPOnly" and "Secure"?  I've inherited multiple "legacy" CF apps that we are converting to Lucee - and our security/IA folks are hammering me all the time about these two insecure cookies...

Andrew Dixon

Apr 5, 2016, 10:30:43 AM
to lu...@googlegroups.com

Kind regards,

Andrew

On 5 April 2016 at 15:03, Sid Wing <sid....@gmail.com> wrote:
Is there a way to configure Lucee to ensure that CFID/CFTOKEN cookies are generated as "HTTPOnly" and "Secure"?  I've inherited multiple "legacy" CF apps that we are converting to Lucee - and our security/IA folks are hammering me all the time about these two insecure cookies...

--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/dfd936e2-2255-4b96-aa46-dd66d5d3838f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sid Wing

Apr 5, 2016, 10:47:56 AM
to Lucee
They are marked HTTPOnly - but not "Secure"

Sid Wing

Apr 5, 2016, 11:11:10 AM
to Lucee
Basically - Adobe CF has attributes for its cfapplication tag (sessioncookie and authcookie) that allow you to configure the parameters for those:

Example:

<!--- sessioncookie: settings for ColdFusion's own CFID/CFTOKEN session cookies --->
<cfset cookiest = {httponly='true', timeout=createTimeSpan(0, 0, 0, 10), secure='true', domain=".domain.com"}>
<!--- authcookie: settings for the cflogin authorization cookie --->
<cfset cookieast = {timeout=createTimeSpan(0, 0, 0, 10)}>
<cfapplication name="sessionCookies_appcfm_allSetting" sessionmanagement="Yes" sessiontimeout="#createTimeSpan(0,0,3,0)#" scriptprotect="all" sessioncookie="#cookiest#" authcookie="#cookieast#">
I am looking for something similar in Lucee

Julian Halliwell

Apr 5, 2016, 3:02:01 PM
to lu...@googlegroups.com
Have you considered using J2EE sessions? The jsessionid cookie is
automatically set with the secure flag if the connection is over
https.

If that's not an option, then you could simply specify
setClientCookies=false and instead write the session id/token values
to your own cfid/cftoken cookies using <cfcookie>, giving you full
control. That's what we used to do before switching to J2EE sessions
(which we've found much simpler to deal with).

On 5 April 2016 at 15:47, Sid Wing <sid....@gmail.com> wrote:
> They are marked HTTPOnly - but not "Secure"
>
> On Tuesday, April 5, 2016 at 9:30:43 AM UTC-5, Andrew Dixon wrote:
>>
>> I think they already should be, see:
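The approach Julian describes above, as an added example that is not from the thread or from the Lucee project: a tag-based Application.cfc that turns off Lucee's own session cookies and issues CFID/CFTOKEN itself with the Secure and HttpOnly flags. It assumes the standard session.cfid/session.cftoken variables and the cgi.server_port_secure CGI variable (1 when the request arrived over TLS); the application name is made up.

```cfml
<cfcomponent>
  <!--- Application.cfc: added example, not code from the thread or from Lucee --->
  <cfset this.name = "legacyApp">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
  <!--- Stop Lucee from sending its own CFID/CFTOKEN cookies; the engine still
        reads the incoming CFID/CFTOKEN cookies to locate the session --->
  <cfset this.setClientCookies = false>

  <cffunction name="onSessionStart" returntype="void" output="false">
    <!--- Only set Secure when the request really came over TLS: a Secure cookie
          issued over plain HTTP is never returned by the browser, so every
          request would start a fresh session (assumption: cgi.server_port_secure
          is 1 for HTTPS requests) --->
    <cfset var isHttps = (cgi.server_port_secure eq 1)>

    <!--- Re-issue the engine's session identifiers under our own flags.
          No expires attribute: the cookies last only for the browser session --->
    <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="#isHttps#" path="/">
    <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true" secure="#isHttps#" path="/">
  </cffunction>
</cfcomponent>
```

A quick check after deploying is to look at the Set-Cookie headers in the browser's developer tools over an HTTPS request: both cookies should now carry the HttpOnly and Secure attributes.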

Sid Wing

Apr 5, 2016, 3:05:23 PM
to Lucee
Unfortunately - the switch to J2EE sessions is just not possible the way this app is coded.  I guess I'll give the "code your own" cookies a whirl - as that seems to be the only option that looks like it might work.

--
Sid Wing
"We are dreamers, shapers, singers, and makers. We study the mysteries of laser and circuit, crystal and scanner, holographic demons and invocations of equations. These are the tools we employ, and we know many things." - Elric

Andrew Dixon

Apr 5, 2016, 3:35:09 PM
to lu...@googlegroups.com
I've raised an incompatibility bug report for this:


Go vote... :-)

Kind regards,

Andrew


Sid Wing

Apr 8, 2016, 11:06:15 AM
to Lucee
So I used a "work around" (manually creating those cookies in the app) for CFID and CFToken - but there are 4 other CF_CLIENT_ cookies that also get set (when using clientmanagement) - and NONE of them are HTTPOnly or Secure...

So - does anyone have a similar workaround for those 4?  I know that the CF_CLIENT_%APPNAME% contains a URL encoded string of all the client variable name/value pairs (from the look of its contents).