
Make all cookies HTTPOnly cookies in ColdFusion

Hello,

In ColdFusion, I want to make all of my cookies HttpOnly cookies, so that they are not accessible by JavaScript and not a vulnerability for Cross-Site Scripting. Does anyone know how to do this?

(Also, when these cookies are HttpOnly, they will no longer be considered "insecure," correct? I have been told that my cookies are insecure for SSL. I don't use SSL, so I want to make them HttpOnly so they are not marked insecure for something I am not even using!)

Thanks,

Ned

Asked by masterorb

SidFishes commented:
You can use this:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

http://www.petefreitag.com/item/644.cfm

(Read the note about FF; it may be fixed, or not.)

Also know that some vuln scans (like PCI) will flag cftoken/cfid pairs as guessable and therefore insecure. Use jsessionid exclusively to avoid this.
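
A fuller version of the approach in the answer above, added here as an example; it is not part of the answer or of Pete Freitag's article. Two points a practitioner runs into: the raw Set-Cookie header only covers cookies your own code emits, while the CFID/CFTOKEN (or JSESSIONID) session cookies are written by ColdFusion itself and have to be flagged where the server creates them; and HttpOnly and Secure are separate attributes. HttpOnly keeps document.cookie from reading the cookie, Secure keeps the browser from sending it over plain HTTP, so a scanner that reports a missing Secure flag is not satisfied by adding HttpOnly. The listing shows two files. The this.sessionCookie settings assume ColdFusion 10 or later, the httponly attribute of cfcookie assumes ColdFusion 9 or later, and the application name, file names and cookie names are placeholders.

```cfml
// ---- Application.cfc (web root, script syntax) ---------------------------
// ColdFusion writes the session cookies (CFID/CFTOKEN, or JSESSIONID when
// J2EE sessions are enabled) itself, so a cfheader in a page never reaches
// them. The this.sessionCookie settings below require ColdFusion 10+.
component {
    this.name              = "cookieDemo";   // placeholder application name
    this.sessionManagement = true;

    // Keep document.cookie from reading the session id (the XSS concern).
    this.sessionCookie.httpOnly = true;

    // Only send the session id over HTTPS. This is the separate "Secure"
    // flag a scanner asks about; HttpOnly does not set it. On a site served
    // over plain HTTP this must stay false: with it on, the browser withholds
    // the cookie and every request starts a new session.
    this.sessionCookie.secure = true;
}
```

```cfml
<!--- ---- somepage.cfm: cookies your own code sets ----------------------- --->

<!--- ColdFusion 9+: cfcookie has an httponly attribute, so no raw header
      is needed. --->
<cfcookie name="prefs" value="dark" path="/" httponly="true" secure="true">

<!--- ColdFusion 8 and earlier: the equivalent written by hand, as in the
      answer, naming both flags. Use one form or the other, not both. The tag
      can sit anywhere in the page as long as it runs before the response is
      flushed (by cfflush, or when the page finishes). --->
<cfheader name="Set-Cookie" value="prefs=dark; Path=/; HttpOnly; Secure">
```

ColdFusion 10 and later also expose the same two session-cookie flags in the Administrator under Server Settings > Memory Variables, which is the quickest way to cover every application on a server. To verify, request a page with `curl -i` and read the Set-Cookie response lines: each cookie that matters should carry HttpOnly and, once the site is on HTTPS, Secure.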
 
masterorb (Author) commented:
Can I put that tag anywhere before the first <html> tag in the page?
 
SidFishes commented:
Yes.