Wednesday, July 28, 2010

ColdFusion Session cookies & HttpOnly

With ColdFusion 901  release now ColdFusion Session Cookies can be marked HttpOnly.  This reduces the chance of session information being compromised on Cross Site Scripting (XSS) attack.
To mark these session Cookies (CFID, CFTOKEN, jsessionid HttpOnly), add the following jvm property -


Currently there is a limitation on JBoss/Tomcat for marking jsessionid cookie as httponly.

Any other ColdFusion cookies can be marked as HttpOnly by using "httponly" attriibute of cfcookie tag.


You can subscribe to the comments by licking on "Subscribe by email".