The current application that I'm working on was required to have a security and vulnerability test from an outside consulting firm. The only issue that they had was that we needed to harden session cookies, and they offered the two solutions below.

1. They recommended that the HTTPONLY flag (stops client-side scripts from reading the cookies) be set on all cookies that hold authentication or session management. ColdFusion does not currently provide a way to set cftoken and cfid as httponly with the cfcookie tag. I was wondering if something like this would work, set in the application file?

<cfheader name="Set-Cookie" value="CFID=#Session.CFID#;HttpOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#Session.CFTOKEN#;HttpOnly">

2. They also want all cookies to be set through SSL. As I understand it, the only way to set cookies as secure="yes" is to have the request go through https, but we do not want to have to run all our pages through SSL. Does anyone know of a way to set the CFID and CFTOKEN cookies in a secure mode?

Thank You,
Heath Stein

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312905
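Added example, not part of the post above: a small audit of the Set-Cookie headers in one HTTP response that reports whether the CFID and CFTOKEN cookies carry HttpOnly and Secure. Findings are keyed by (name, path) because a browser only replaces an earlier cookie when the later Set-Cookie has the same name, domain and path, so a cfheader line without a Path attribute (as in the question) ends up as a second cookie rather than a hardened copy of the first; the sample headers are constructed, and the server's own cookies are assumed to carry Path=/.

```python
SESSION_COOKIES = {"CFID", "CFTOKEN"}   # session cookie names from the question


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # flag attributes such as HttpOnly/Secure have no value; store True
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, require_secure=True):
    """Return {(NAME, path): [problems]} for every CFID/CFTOKEN header that is
    not hardened; an empty dict means every session cookie header passed."""
    findings = {}
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        name = name.upper()
        if name not in SESSION_COOKIES:
            continue
        # no Path attribute => browser derives it from the request URL directory
        path = attrs.get("path", "<default-path>")
        problems = []
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if require_secure and "secure" not in attrs:
            problems.append("missing Secure")
        if problems:
            findings[(name, path)] = problems
    return findings


# Constructed sample: the server's own session cookies (assumed Path=/)
# followed by the two cfheader lines from the question, which have no Path.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/",
    "CFTOKEN=87654321; Path=/",
    "CFID=1234;HttpOnly",
    "CFTOKEN=87654321;HttpOnly",
]

if __name__ == "__main__":
    for (name, path), problems in sorted(audit_session_cookies(SAMPLE_HEADERS).items()):
        print(f"{name} (Path={path}): {', '.join(problems)}")
```

Run against the sample, it reports four separate cookies: the Path=/ pair lacks HttpOnly and Secure, and the cfheader pair lacks Secure, which is the cross-check to run on the real response after any change to how the cookies are emitted.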

