
Make all cookies HTTPOnly cookies in ColdFusion

Last Modified: 2013-11-16
Hello,

In ColdFusion, I want to make all of my cookies HttpOnly cookies, so that they are not accessible by JavaScript and not a vulnerability for Cross-Site Scripting. Does anyone know how to do this?

(Also, when these cookies are HttpOnly, they will no longer be considered "insecure," correct? I have been told that my cookies are insecure for SSL. I don't use SSL, so I want to make them HttpOnly so they are not marked insecure for something I am not even using!)

Thanks,

Ned

CERTIFIED EXPERT
Commented:
You can use this:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

http://www.petefreitag.com/item/644.cfm

(Read the note about FF... it may be fixed, or not.)

Also know that some vuln scans (like PCI) will flag cftoken/cfide pairs as guessable and therefore insecure. Use JSESSIONID exclusively to avoid this.
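As an added example (not code from the original thread, and not the answerer's), here is how the HttpOnly flag can be applied in ColdFusion in three places: application-wide on the session cookies through Application.cfc (the this.sessionCookie settings exist in ColdFusion 10 and later), per cookie through the httponly attribute of cfcookie (ColdFusion 9 and later), and by writing the Set-Cookie header by hand with cfheader as in the answer above. The application name "HttpOnlyDemo", the file names and the cookie names "prefs" and "safe" are made up for the example. One point worth separating from HttpOnly: "HttpOnly" keeps JavaScript from reading the cookie, while "Secure" is a different attribute that tells the browser to send the cookie only over HTTPS. Setting HttpOnly does not set Secure, and a scanner that reports a cookie as missing the Secure flag will still report it; on a plain-HTTP site a Secure cookie would never be sent back at all, which is why the example leaves it off.

```cfml
<!--- ===== Application.cfc (constructed example) ===== --->
<cfcomponent output="false">
    <cfset this.name = "HttpOnlyDemo">
    <cfset this.sessionManagement = true>

    <!--- ColdFusion 10+: mark the session cookies (CFID/CFTOKEN or JSESSIONID)
          HttpOnly so they cannot be read from document.cookie in the browser --->
    <cfset this.sessionCookie.httpOnly = true>

    <!--- Secure is a separate attribute: only set it when the site runs over HTTPS,
          otherwise the browser will never send the session cookie back --->
    <cfset this.sessionCookie.secure = false>
</cfcomponent>


<!--- ===== anypage.cfm (constructed example) ===== --->

<!--- 1. Per-cookie: cfcookie has an httponly attribute (ColdFusion 9+).
        Path is set explicitly so the cookie scope is not wider than intended. --->
<cfcookie name="prefs" value="theme=dark" path="/" httponly="true">

<!--- 2. Manual header, as in the answer above. Everything after the first ';'
        is a cookie attribute, so HttpOnly (and Path) are spelled out by hand. --->
<cfheader name="Set-Cookie" value="safe=maybe; Path=/; HttpOnly">

<!--- Both tags must run before any output has been flushed to the browser
        (for example before a cfflush), because headers cannot be added once
        the response body has started going out. --->
<html>
<body>Cookies set.</body>
</html>
```

To confirm what the browser actually receives, request the page from the command line with curl -I and look at the Set-Cookie lines: each one that should be protected ends with "HttpOnly", and any cookie without that token is one the JavaScript on the page can still read.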


Author

Commented:
Can I put that tag anywhere before the first <html> tag in the page?
CERTIFIED EXPERT

Commented:
Yes.