With the ColdFusion 9.0.1 (901) release, ColdFusion session cookies can now be marked HttpOnly. This reduces the chance of session information being compromised in a Cross Site Scripting (XSS) attack, since an HttpOnly cookie is not readable from client-side script.
To mark the session cookies (CFID, CFTOKEN, jsessionid) as HttpOnly, add the following JVM property -
coldfusion.sessioncookie.httponly=true
Currently there is a limitation on JBoss/Tomcat for marking the jsessionid cookie as HttpOnly.
Any other ColdFusion cookies can be marked as HttpOnly by using the "httponly" attribute of the cfcookie tag.
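As an added example (not code from the original post or from Adobe), here is a small check you can run over a response's Set-Cookie headers after enabling the property, to confirm that CFID, CFTOKEN and jsessionid actually carry the HttpOnly flag. The headers in SAMPLE_HEADERS are constructed sample data, not captured from a real server.

```python
# Added example: audit Set-Cookie headers for the ColdFusion session cookies
# (CFID, CFTOKEN, jsessionid) and report any that lack the HttpOnly flag.
# SAMPLE_HEADERS below is constructed sample data, not a real server capture.
from typing import Dict, List, Set

SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return {"name": name, "attrs": attrs}


def missing_httponly(set_cookie_headers: List[str], only_session: bool = True) -> List[str]:
    """Return the names of cookies that lack HttpOnly.

    By default only the ColdFusion session cookies are checked; pass
    only_session=False to audit every cookie the response sets.
    """
    missing = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if only_session and str(cookie["name"]).lower() not in SESSION_COOKIES:
            continue
        if "httponly" not in cookie["attrs"]:
            missing.append(str(cookie["name"]))
    return missing


# Constructed sample: CFID/CFTOKEN are hardened, jsessionid is not
# (the JBoss/Tomcat limitation mentioned above), plus an unrelated app cookie.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890; Path=/; HttpOnly",
    "jsessionid=ABCDEF; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("Session cookies missing HttpOnly:", missing_httponly(SAMPLE_HEADERS))
```

For a live check, feed it the Set-Cookie headers from a response to a request that starts a new session (for example the values of all `Set-Cookie` headers returned by `http.client` or `requests`).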
Thanks
Glad to know this has been covered in Coldfusion 9.
Arshad
Thanks Arshad