RE: Secure attribute on CF Session Cookies
Thanks. That's helpful. Appreciate it.

Robert Harrison
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_williams

-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Friday, December 06, 2013 4:09 PM
To: cf-talk
Subject: Re: Secure attribute on CF Session Cookies

On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese wrote:

> I've seen people request this before due to a PCI security audit.
> Usually the best solution, depending on the code, is to switch to J2EE
> session variables. Instead of physical cookies the session cookies are
> true session cookies in browser memory. This would eliminate the secure
> cookies issue.
> I think?

You can create a browser session cookie for CFID/CFTOKEN cookies as well; you just have to write the cookies manually.

But what Robert was asking about was the secure flag on the cookie, which indicates that the user agent should only send the cookie over a secure connection (e.g. HTTPS). Again, you have to do this by writing the cookies manually in CF9 and lower; here's an example showing how to do this: http://www.petefreitag.com/item/764.cfm

For CF10 it is easy: you just specify in your Application.cfc

this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag to your JSESSIONID cookie on HTTPS requests. This causes your HTTP and HTTPS requests to be on different sessions, which for security is a good thing, but can lead to issues if you have coded your apps to expect otherwise. More info on that here: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357317
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Secure attribute on CF Session Cookies
On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese wrote:

> I've seen people request this before due to a PCI security audit. Usually
> the best solution, depending on the code, is to switch to J2EE session
> variables. Instead of physical cookies the session cookies are true session
> cookies in browser memory. This would eliminate the secure cookies issue.
> I think?

You can create a browser session cookie for CFID/CFTOKEN cookies as well; you just have to write the cookies manually.

But what Robert was asking about was the secure flag on the cookie, which indicates that the user agent should only send the cookie over a secure connection (e.g. HTTPS). Again, you have to do this by writing the cookies manually in CF9 and lower; here's an example showing how to do this: http://www.petefreitag.com/item/764.cfm

For CF10 it is easy: you just specify in your Application.cfc

this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag to your JSESSIONID cookie on HTTPS requests. This causes your HTTP and HTTPS requests to be on different sessions, which for security is a good thing, but can lead to issues if you have coded your apps to expect otherwise. More info on that here: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
Re: Secure attribute on CF Session Cookies
I've seen people request this before due to a PCI security audit. Usually the best solution, depending on the code, is to switch to J2EE session variables. Instead of physical cookies the session cookies are true session cookies in browser memory. This would eliminate the secure cookies issue. I think?

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Dec 6, 2013, at 1:29 PM, Robert Harrison wrote:

> Is there any way to ensure the CFTOKEN and CFID cookies include the "secure"
> attribute when sending over https?
>
> I see no way to do this on CF9.
>
> Thanks
>
> Robert Harrison
> Director of Interactive Services
>
> Austin & Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
>
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austi
Re: Secure attribute on CF Session Cookies
> Is there any way to ensure the CFTOKEN and CFID cookies include the "secure"
> attribute when sending over https?
>
> I see no way to do this on CF9.

You need to disable CF's automatic setting of those cookies, then set them yourself with CFCOOKIE.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
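As an added example (not code from Pete's or Dave's replies, nor from Pete's linked article), here is an Application.cfc for CF9 that does what both of them describe: it switches off ColdFusion's automatic CFID/CFTOKEN cookies and writes them itself with the Secure (and HttpOnly) flags, and only when the request came in over HTTPS. The application name and session timeout are assumed values; on CF10 the `this.sessioncookie` settings Pete mentions replace the manual cfcookie calls.

```cfml
<!--- Application.cfc: CF9 workaround for the missing Secure attribute on CFID/CFTOKEN.
      Added example, not from the thread; name/timeout are assumed values. --->
<cfcomponent output="false">
    <cfset this.name = "SecureSessionCookieDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Stop CF from emitting CFID/CFTOKEN itself (no Secure flag on CF9);
          we issue them manually below so we control the cookie attributes. --->
    <cfset this.setClientCookies = false>

    <!--- On CF10+ the manual cookies below are unnecessary; the equivalent is:
          <cfset this.sessioncookie.secure = true>
          <cfset this.sessioncookie.httponly = true> --->

    <cffunction name="onSessionStart" returnType="void" output="false">
        <!--- CGI.SERVER_PORT_SECURE is "1" for HTTPS requests, "0" otherwise.
              Only hand out the session identifier over TLS; an HTTP request
              gets no cookie, so HTTP and HTTPS never share a session. --->
        <cfif cgi.server_port_secure eq "1">
            <cfcookie name="CFID"    value="#session.cfid#"    secure="true" httponly="true">
            <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="true" httponly="true">
        </cfif>
    </cffunction>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Sanity check while rolling this out: a session cookie arriving
              on plain HTTP means a client still holds an old non-Secure copy.
              Log it rather than serving it; the browser will re-request over
              HTTPS once the old cookie expires. --->
        <cfif cgi.server_port_secure neq "1" and isDefined("cookie.cfid")>
            <cflog file="SecureCookieDemo" type="warning"
                   text="CFID presented over HTTP from #cgi.remote_addr# for #arguments.targetPage#">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With setClientCookies off, every cookie-less request (including every plain-HTTP request) starts a fresh session, so keep the session timeout short and check the Set-Cookie header in the browser's developer tools to confirm Secure and HttpOnly are present.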