Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): Peter Freitag / Pete Freitag (Peter Freitag)
Created: 03/26/2009
Versions: 9.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 / 229899
Priority/Frequency: Normal / Unknown
Locale/System: English / Platforms All
Vote Count: 1
Problem:
An attribute httponly is needed for the CFCOOKIE tag. This is a security feature that makes the cookie inaccessible from JavaScript to mitigate XSS attacks. More info here: http://www.petefreitag.com/item/644.cfm
I think I recommended this back during CF8 beta as well, but that bug must have been deleted.
It is now a pretty common practice to use HttpOnly in cookies, and using cfheader is quite a hack.
Method:
<cfcookie httponly="true">
Result:
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3038010
Deployment Phase: Release Candidate
External Customer Info:
External Company:
External Customer Name: Pete Freitag
External Customer Email: 735D4A6E43D50B6B992016B8
External Test Config: 03/26/2009
Attachments:
Comments: