tracker issue : CF-4201979

Title:

Cookies will be corrupt / session will not hold after enabling a secure-cookie custom header to prevent XSS vulnerabilities


Status/Resolution/Reason: To Track//PRHaveInfo

Reporter/Name(from Bugbase): Norbert Liedert / ()

Created: 04/13/2018

Components: Security

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF2016-CHF5 -2016-CHF6 /

Priority/Frequency: Normal / All users will encounter

Locale/System: ALL / Platforms All

Vote Count: 0

Problem Description: After enabling a custom header in the load balancer to protect cookies from XSS attempts, as described at https://infosec.mozilla.org/guidelines/web_security#cookies, the cookies will be corrupt / logged out of the CFIDE interface on every request.

Steps to Reproduce: Add a custom header to a load balancer like this:
Set-Cookie: {Domain}=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly

Actual Result: Next request logs out of the CFIDE admin interface / no login to the system possible / session won't be held

Expected Result: Hold Session and continue working

Any Workarounds: Not found
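Added example in Python, not code from this ticket or from ColdFusion: the ticket does not establish the cause, but it contrasts the two ways a load balancer can apply Secure/HttpOnly. A fixed Set-Cookie emitted on every response, the shape shown in the reproduce step, replaces whatever cookie of the same name the application issued; rewriting the application's own Set-Cookie headers to append the attributes keeps the session value intact. Cookie names, values and headers are constructed for illustration.

```python
# Added example, not part of the bug report or ColdFusion itself.
# Two load-balancer rules modelled as header-list transforms, plus a tiny
# cookie-jar model showing what the browser would store afterwards.

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attribute list)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), parts[1:]

def harden_set_cookie(header_value):
    """Add Secure and HttpOnly if absent; name, value, other attributes untouched."""
    name, value, attrs = parse_set_cookie(header_value)
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join([f"{name}={value}", *attrs])

def inject_fixed_cookie(headers, fixed_set_cookie):
    """Rule in the shape of the report: a fixed Set-Cookie added to every response."""
    return headers + [("Set-Cookie", fixed_set_cookie)]

def rewrite_cookies(headers):
    """Alternative rule: rewrite the application's own Set-Cookie headers in place."""
    return [(k, harden_set_cookie(v) if k.lower() == "set-cookie" else v)
            for k, v in headers]

def cookie_jar(headers):
    """Browser state after one response: name -> (value, lowercased attribute names).
    Later Set-Cookie headers for the same name overwrite earlier ones."""
    jar = {}
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, value, attrs = parse_set_cookie(v)
            jar[name] = (value, {a.split("=", 1)[0].strip().lower() for a in attrs})
    return jar

# Constructed application response: one session cookie without flags.
APP_HEADERS = [("Content-Type", "text/html"),
               ("Set-Cookie", "SESSIONID=app-issued-7f3a; Path=/")]
# Constructed fixed rule using the same cookie name as the application.
FIXED_RULE = "SESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print(cookie_jar(inject_fixed_cookie(APP_HEADERS, FIXED_RULE)))
    print(cookie_jar(rewrite_cookies(APP_HEADERS)))
```

With the fixed rule the stored session value is the load balancer's constant, not the one the application issued; with the rewrite rule the application's value survives and carries both flags.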

Attachments:

Comments:

Hi Norbert, can you let us know which update you are on? Also, is there any exception/error that you see in the logs? Thanks!
Comment by S P.
27839 | April 20, 2018 04:24:13 AM GMT
No response here from anyone? Did someone take the ticket?
Comment by Norbert L.
27708 | May 07, 2018 01:09:24 PM GMT
Hi S Preethi, we use the latest CHF update, ColdFusion 2016 Update 6. No exceptions are seen in the logs. The cookie will be invalid after the second request.
Comment by Norbert L.
28944 | May 28, 2018 08:46:26 AM GMT