Help with CFID and CFTOKEN


Sid Wing

May 19, 2015, 9:24:30 AM
to lu...@googlegroups.com
I have "inherited" an older Railo app - that still makes use of Application.cfm.  It now needs to pass internal security scans - and the scans are gigging the app because CFID and CFTOKEN are not HttpOnly and are not Secure.  Are there instructions somewhere on how to make this happen?

Mark Drew

May 19, 2015, 9:45:00 AM
to lu...@googlegroups.com
Have you tried these ? http://bloginblack.de/2013/11/an-update-on-httponly-marked-cookies-in-railo-4-1/

Regards

Mark Drew


develop • deploy • deliver
http://charliemikedelta.com


Sid Wing

May 19, 2015, 9:55:34 AM
to lu...@googlegroups.com
Mark! Thanks for that starting point - that info seems to be able to get me the ability to set CFID/CFToken as HttpOnly. However, I also need to be able to mark them as "Secure" - any pointers on that part?




--
Sid Wing
"We are dreamers, shapers, singers, and makers. We study the mysteries of laser and circuit, crystal and scanner, holographic demons and invocations of equations. These are the tools we employ, and we know many things." - Elric

Pete Freitag

May 19, 2015, 10:38:21 AM
to lu...@googlegroups.com
You should be able to just add secure="true" after httponly="true".

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

Paul Klinkenberg

May 19, 2015, 10:38:32 AM
to lu...@googlegroups.com
Hi Sid,

You can always set the cookies yourself, instead of having Railo do it.
In Application.cfm:

<!--- Let Railo manage the session, but stop it from writing the CFID/CFTOKEN cookies itself --->
<cfapplication name="myApp" setClientCookies="false" sessionManagement="true" .... />

<!--- Write the session cookies ourselves, with the flags the scanner wants --->
<cfif not structKeyExists(cookie, "CFID")>
    <cfcookie name="CFID" value="#session.CFID#" secure="true" httpOnly="true" expires="never" />
    <cfcookie name="cftoken" value="#session.cftoken#" secure="true" httpOnly="true" expires="never" />
</cfif>

By the way, setting secure="true" on cookies means that they are only sent when the connection is secure (https/ssl).
You should also check if the current connection is secure (port 443 / cgi.https=on / etc.).

Kind regards,

Paul Klinkenberg



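The following is an added example (not Paul's code and not part of Lucee or Railo) that carries his Application.cfm approach through with the secure-connection check he mentions. It assumes the application name "myApp", a 30-minute session timeout, and that any TLS-terminating reverse proxy in front of the engine sets an X-Forwarded-Proto header; the cookie names CFID and CFTOKEN and the cgi.https / port-443 checks are the ones discussed above.

```cfml
<!--- Application.cfm: issue CFID/CFTOKEN ourselves so they carry HttpOnly and Secure --->
<cfapplication name="myApp"
               sessionManagement="true"
               setClientCookies="false"
               sessionTimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- Decide whether this request really arrived over TLS.
      cgi.https / cgi.server_port_secure are populated when the engine or its
      connector terminates TLS itself; X-Forwarded-Proto is an assumed header
      from a reverse proxy that terminates TLS in front of the application. --->
<cfset requestHeaders = getHttpRequestData().headers>
<cfset isSecureRequest = (cgi.https EQ "on")
                         OR (cgi.server_port_secure EQ 1)
                         OR (structKeyExists(requestHeaders, "X-Forwarded-Proto")
                             AND lCase(requestHeaders["X-Forwarded-Proto"]) EQ "https")>

<cfif NOT structKeyExists(cookie, "CFID") OR NOT structKeyExists(cookie, "CFTOKEN")>
    <cfif isSecureRequest>
        <!--- Same lifetime Railo would use; secure + httpOnly are what the scan checks for --->
        <cfcookie name="CFID"    value="#session.CFID#"    secure="true" httpOnly="true" expires="never" path="/">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="true" httpOnly="true" expires="never" path="/">
    <cfelse>
        <!--- A Secure cookie is never sent back over plain http, so setting it here would
              give the browser a new session on every request. Send the client to https
              and let the cookie be issued there instead. --->
        <cfset httpsUrl = "https://" & cgi.server_name & cgi.script_name>
        <cfif len(cgi.query_string)>
            <cfset httpsUrl = httpsUrl & "?" & cgi.query_string>
        </cfif>
        <cflocation url="#httpsUrl#" statusCode="301" addToken="false">
    </cfif>
</cfif>
```

With setClientCookies="false" the engine still reads CFID/CFTOKEN from the request cookies to find the session, so the manually issued cookies keep the session alive; the redirect branch is what makes the "only available over https" behaviour Paul describes explicit rather than a silent session loss on an http URL.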

Sid Wing

May 19, 2015, 10:45:43 AM
to lu...@googlegroups.com
Paul - That should be PERFECT for what I am doing with this app (until I can refactor it). Much thanks!