On 19 May 2015, at 14:24, Sid Wing <sid....@gmail.com> wrote:
I have "inherited" an older Railo app - that still makes use of Application.cfm. It now needs to pass internal security scans - and the scans are gigging the app because CFID and CFTOKEN are not HttpOnly and are not Secure. Are there instructions somewhere on how to make this happen?
--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/eb0d1b21-2204-4501-8642-de1189bc2d82%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Mark! Thanks for that starting point - that info seems to be able to get me the ability to set CFID/CFToken as HttpOnly. However, I also need to be able to mark them as "Secure" - any pointers on that part?
<!--- Keep session management on, but stop Railo issuing its own CFID/CFTOKEN cookies so the application can set them with the Secure and HttpOnly flags itself --->
<cfapplication name="myApp" setClientCookies="false" sessionManagement="true" .... />
<!--- Only set the cookies on the first request; later requests already carry them --->
<cfif not structKeyExists(cookie, "CFID")>
    <cfcookie name="CFID" value="#session.CFID#" secure="true" httpOnly="true" expires="never" />
    <cfcookie name="cftoken" value="#session.cftoken#" secure="true" httpOnly="true" expires="never" />
</cfif>
Have you tried these? http://bloginblack.de/2013/11/an-update-on-httponly-marked-cookies-in-railo-4-1/

Regards
Mark Drew
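To confirm that the cfcookie change actually produces what the security scan looks for, here is a small added check (not code from the thread) that parses Set-Cookie header values as captured from a response and reports which session cookies still lack the Secure or HttpOnly attribute. The sample headers below are constructed: the first pair is what a default Application.cfm app emits, the second pair is what the fix above should emit.

```python
# Constructed sample Set-Cookie headers (not captured from a real server).
BEFORE_FIX = [
    "CFID=1234; Path=/",
    "CFTOKEN=abcdef0123456789; Path=/",
]
AFTER_FIX = [
    "CFID=1234; Path=/; Expires=Fri, 31-Dec-2038 00:00:00 GMT; Secure; HttpOnly",
    "cftoken=abcdef0123456789; Path=/; Expires=Fri, 31-Dec-2038 00:00:00 GMT; Secure; HttpOnly",
]

# Session identifiers a scanner expects to be protected (names compared case-insensitively).
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True, valued ones (Path, Expires) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookies(headers, session_names=SESSION_COOKIES):
    """Return {cookie name (upper-cased): [missing flags]} for each session cookie seen."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() not in session_names:
            continue
        findings[name.upper()] = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return findings


def scan_passes(headers):
    """True when every session cookie carries both Secure and HttpOnly."""
    return all(not missing for missing in audit_cookies(headers).values())


if __name__ == "__main__":
    print("before fix:", audit_cookies(BEFORE_FIX), "passes:", scan_passes(BEFORE_FIX))
    print("after fix: ", audit_cookies(AFTER_FIX), "passes:", scan_passes(AFTER_FIX))
```

Feed it the raw Set-Cookie lines from a browser's network tab or a curl -i capture of the login page to get the same verdict the scanner gives, before re-running the scan.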