Make all cookies HTTPOnly cookies in ColdFusion

Hello,

In ColdFusion, I want to make all of my cookies HttpOnly cookies, so that they are not accessible by JavaScript and not a vulnerability for Cross-Site Scripting. Does anyone know how to do this?

(Also, when these cookies are HttpOnly, they will no longer be considered "insecure," correct? I have been told that my cookies are insecure for SSL. I don't use SSL, so I want to make them HttpOnly so they are not marked insecure for something I am not even using!)

Thanks,

Ned
Asked: masterorb
1 Solution
 
SidFishes commented:
You can use this:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

http://www.petefreitag.com/item/644.cfm

(Read the note about FF... it may be fixed, or not.)

Also know that some vuln scans (like PCI) will flag cftoken/cfide pairs as guessable and therefore insecure. Use jSessionid exclusively to avoid this.
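An added check, not part of this thread, that a defender can run over captured Set-Cookie headers to confirm each cookie actually carries HttpOnly; it also reports the Secure attribute separately, since HttpOnly and Secure are independent flags. The sample headers are constructed for the demo (the first is the value from the answer above).

```python
"""Audit Set-Cookie header values for the HttpOnly and Secure attributes."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and the flags it carries."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); HttpOnly and Secure take no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per cookie that lacks HttpOnly or lacks Secure."""
    findings = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if not cookie["httponly"]:
            findings.append(f"{cookie['name']}: readable by JavaScript (no HttpOnly)")
        if not cookie["secure"]:
            findings.append(f"{cookie['name']}: may be sent over plain HTTP (no Secure)")
    return findings


# Constructed sample: values a ColdFusion response might emit (not captured from a real server).
SAMPLE_HEADERS = [
    "safe=maybe;HttpOnly",                          # the cfheader value from the answer
    "CFID=12345; Path=/",                           # session cookies set with no flags
    "CFTOKEN=67890; Path=/",
    "jsessionid=ABC123; Path=/; HttpOnly; Secure",  # both flags present
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run it against headers copied from the browser's network panel or a curl -I response to see which cookies the page still leaves exposed.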
 
masterorb (Author) commented:
Can I put that tag anywhere before the first <html> tag in the page?
 
SidFishes commented:
Yes.
