Tracker issue: CF-3039866

Title:

Bug 79691:While I found that CFCOOKIE now supports a httpOnly attribute to send HttpOnly cookies to the browser, the default cookies CF sends (e


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Dirk Eismann / Dirk Eismann (dirk eismann)

Created: 09/02/2009

Components: Security, General

Versions: 9.0

Failure Type: Unspecified

Found In Build/Fixed In Build: 0000 / 266957

Priority/Frequency: Normal / Unknown

Locale/System: English / Platforms All

Vote Count: 1

Problem:

While I found that CFCOOKIE now supports a httpOnly attribute to send HttpOnly cookies to the browser, the default cookies CF sends (e.g. the session cookie with CFID/CFTOKEN/jsessionid) are *not* HttpOnly.

Although it's possible to manually send HttpOnly cookies with the same values to the client, the cookies originally set by CF are still stored on the client side, allowing for malicious code to spoof cookie values.

It would be very good if CF would provide a setting - either per application or per server - to make CF only send HttpOnly cookies. This would make it easier to help CF applications pass strict security tests inside corporations, which often require that only HttpOnly cookies are used.
Method:


Result:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3039866

External Customer Info:
External Company:  
External Customer Name: Dirk Eismann
External Customer Email: 450F45AE446034F8992015D5
External Test Config: 09/02/2009

Attachments:

Comments:

If this feature is possible, it is a MUST-HAVE for security. While there is a somewhat easy way for us to do this with CFID and CFTOKEN right now, there does not seem to be an easy and reliable way to do HttpOnly with JSESSIONID cookies.

Vote by External U. 22926 | November 10, 2011 07:01:05 PM GMT
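The report and the comment above both come down to one check: does every session cookie the server sets (CFID, CFTOKEN, JSESSIONID) carry the HttpOnly flag? The following is an added example, not code from this tracker entry or from Adobe ColdFusion, that audits a list of Set-Cookie header values for exactly that. The header values are constructed to mirror the situation the reporter describes: the default session cookies go out without HttpOnly, and a second CFID cookie is re-sent manually with the flag. The cookie names are taken from the report; the audit treats any Set-Cookie for one of those names that lacks HttpOnly as a finding, even if a later header for the same name has the flag, because the non-HttpOnly copy was still delivered to the client.

```python
"""Audit Set-Cookie response headers for session cookies that lack HttpOnly.

Added example for this bug report; not part of ColdFusion or the tracker.
"""
from dataclasses import dataclass, field

# Cookie names named in the report as ColdFusion session identifiers.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY).
        attrs[key.strip().lower()] = val.strip() if sep else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_session_cookies(set_cookie_headers):
    """Return the sorted, unique names of session cookies sent without HttpOnly."""
    missing = set()
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if cookie.name.lower() in SESSION_COOKIE_NAMES and not cookie.http_only:
            missing.add(cookie.name)
    return sorted(missing)


# Constructed sample: what a ColdFusion 9 response might set according to the
# report, plus a manual HttpOnly re-send of CFID and an unrelated cookie.
SAMPLE_RESPONSE_HEADERS = [
    "CFID=1234; Path=/",
    "CFTOKEN=98765432; Path=/",
    "JSESSIONID=abcdef0123456789; Path=/",
    "CFID=1234; Path=/; HttpOnly",
    "preferences=dark; Path=/; Max-Age=31536000",
]


if __name__ == "__main__":
    for name in audit_session_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"session cookie {name} was sent without HttpOnly")
```

Feed the function the Set-Cookie values captured from a real response (for example via a proxy or the browser's network tools) instead of the constructed list; an empty result means every session cookie carried the flag, which is the condition the reporter's corporate security tests require.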