CFID and CFTOKEN

308 views
Skip to first unread message

Sid Wing

unread,
Apr 5, 2016, 10:03:28 AM4/5/16
to Lucee
Is there a way to configure Lucee to insure that CFID/CFTOKEN cookies are generated as "HTTPOnly" and "Secure"?  I've inherited multiple "legacy" CF apps that we are converting to Lucee - and our security/IA folks are hammering me all the time about these two insecure cookies...

Andrew Dixon

unread,
Apr 5, 2016, 10:30:43 AM4/5/16
to lu...@googlegroups.com

Kind regards,

Andrew

On 5 April 2016 at 15:03, Sid Wing <sid....@gmail.com> wrote:
Is there a way to configure Lucee to insure that CFID/CFTOKEN cookies are generated as "HTTPOnly" and "Secure"?  I've inherited multiple "legacy" CF apps that we are converting to Lucee - and our security/IA folks are hammering me all the time about these two insecure cookies...

--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/dfd936e2-2255-4b96-aa46-dd66d5d3838f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sid Wing

unread,
Apr 5, 2016, 10:47:56 AM4/5/16
to Lucee
They are marked HTTPOnly - but not "Secure"

Sid Wing

unread,
Apr 5, 2016, 11:11:10 AM4/5/16
to Lucee
Basically - Adobe CF has attributes for its cfapplication tag (sessioncookie and authcookie) that allow you to configure the parameters for those:

Example:

<cfset cookiest = {httponly='true', timeout=createTimeSpan(0, 0, 0, 10), secure='true',domain=".domain.com"}> 
<cfset cookieast = {timeout=createTimeSpan(0, 0, 00, 10)}> 
<cfapplication name="sessionCookies_appcfm_allSetting" sessionmanagement="Yes" sessiontimeout="#createTimeSpan(0,0,03,0)#" scriptprotect="all" sessioncookie=#cookiest# authcookie=#cookieast#>
I am looking for something similar in Lucee

Julian Halliwell

unread,
Apr 5, 2016, 3:02:01 PM4/5/16
to lu...@googlegroups.com
Have you considered using J2EE sessions? The jsessionid cookie is
automatically set with the secure flag if the connection is over
https.

If that's not an option, then you could simply specify
setClientCookies=false and instead write the session id/token values
to your own cfid/cftoken cookies using <cfcookie>, giving you full
control. That's what we used to do before switching to J2EE sessions
(which we've found much simpler to deal with).

On 5 April 2016 at 15:47, Sid Wing <sid....@gmail.com> wrote:
> They are marked HTTPOnly - but not "Secure"
>
> On Tuesday, April 5, 2016 at 9:30:43 AM UTC-5, Andrew Dixon wrote:
>>
>> I think they already should be, see:

Sid Wing

unread,
Apr 5, 2016, 3:05:23 PM4/5/16
to Lucee
Unfortunately - the switch to J2EE sessions is just not possible the way this app is coded.  I guess I'll give the "code your own" cookies a whirl - as that seems to be the only option that looks like it might work.

--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to a topic in the Google Groups "Lucee" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/lucee/f-HofCD_UeI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to lucee+un...@googlegroups.com.

To post to this group, send email to lu...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Sid Wing
"We are dreamers, shapers, singers, and makers. We study the mysteries of laser and circuit, crystal and scanner, holographic demons and invocations of equations. These are the tools we employ, and we know many things." - Elric

Andrew Dixon

unread,
Apr 5, 2016, 3:35:09 PM4/5/16
to lu...@googlegroups.com
I've raised a incompatibility bug report for this:


Go vote... :-)

Kind regards,

Andrew

You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.

To post to this group, send email to lu...@googlegroups.com.

Sid Wing

unread,
Apr 5, 2016, 3:44:48 PM4/5/16
to Lucee

Sid Wing

unread,
Apr 8, 2016, 11:06:15 AM4/8/16
to Lucee
So I used a "work around" (manually creating those cookies in the app) for CFID and CFToken - but there are 4 other CF_CLIENT_ cookies that also get set (when using clientmanagement) - and NONE of the are HTTPOnly or Secure...

So - does anyone have a similar workaround for those 4?  I know that the CF_CLIENT_%APPNAME% contains a URL encoded string of all the client variable name/value pairs (from the look of its contents).
Reply all
Reply to author
Forward
0 new messages