Wednesday, July 28, 2010

ColdFusion Session cookies & HttpOnly

With the ColdFusion 901 release, ColdFusion session cookies can now be marked HttpOnly. This reduces the chance of session information being stolen through a Cross Site Scripting (XSS) attack, because script in the page cannot read an HttpOnly cookie.
To mark the session cookies (CFID, CFTOKEN, jsessionid) HttpOnly, add the following JVM property:

coldfusion.sessioncookie.httponly=true

Currently there is a limitation on JBoss/Tomcat for marking the jsessionid cookie as HttpOnly.

Any other ColdFusion cookies can be marked as HttpOnly by using the "httponly" attribute of the cfcookie tag.
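After enabling the property, the check worth running is to look at the Set-Cookie headers the server actually returns and confirm that each session cookie carries the HttpOnly flag. The script below is an added example, not part of this post or of ColdFusion itself; it parses Set-Cookie headers and reports which of CFID, CFTOKEN and JSESSIONID lack HttpOnly. The sample headers are constructed to show the before/after shape described above (with jsessionid still unflagged, as the JBoss/Tomcat limitation implies); the URL-fetching helper is only used when a URL is passed on the command line.

```python
import sys
import urllib.request

# Session cookies ColdFusion issues; the post says the JVM property covers these three.
CF_SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID")


def parse_set_cookie(header_value):
    """Return (name, {attribute_name_lowercase: value}) for one Set-Cookie header.

    Attribute flags without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Map each cookie name (upper-cased) to whether it carries the HttpOnly flag."""
    result = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        result[name.upper()] = "httponly" in attrs
    return result


def cookies_missing_httponly(set_cookie_headers, names=CF_SESSION_COOKIES):
    """Return the session cookies that were set without HttpOnly, in the given order."""
    audit = audit_cookies(set_cookie_headers)
    return [n for n in names if n in audit and not audit[n]]


def fetch_set_cookie_headers(url):
    """Fetch a URL and return its Set-Cookie headers (needs network; not used offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers (not captured from a real server): the shape of the
# response before and after coldfusion.sessioncookie.httponly=true is applied.
SAMPLE_BEFORE = [
    "CFID=12345; Path=/",
    "CFTOKEN=67890abc; Path=/",
    "JSESSIONID=ABCDEF0123456789; Path=/",
]
SAMPLE_AFTER = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890abc; Path=/; HttpOnly",
    "JSESSIONID=ABCDEF0123456789; Path=/",  # JBoss/Tomcat limitation noted in the post
]

if __name__ == "__main__":
    # Usage: python check_httponly.py [http://your-coldfusion-host/some.cfm]
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AFTER
    for name, flagged in audit_cookies(headers).items():
        print(f"{name}: {'HttpOnly' if flagged else 'NOT HttpOnly'}")
    missing = cookies_missing_httponly(headers)
    print("missing HttpOnly:", ", ".join(missing) if missing else "none")
```

Run it against a page that starts a session (any .cfm with session management enabled) and expect CFID and CFTOKEN to report HttpOnly; a JSESSIONID still listed as missing is the JBoss/Tomcat limitation the post mentions rather than a misconfiguration of the property.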

2 comments:

  1. Thanks

    Glad to know this has been covered in Coldfusion 9.

    Arshad

