It is recommended that all cookies be HTTPOnly these days. But I have had a lot of trouble getting ColdFusion's built-in security cookies to be HTTPOnly.
I am using the J2EE login scheme.
When user logs in, two security cookie variables are set:
To make these HTTPOnly, I do this:
1) In the <cfapplication> tag, I set setclientcookies="false" (this means that I will set the security cookies manually so I can make them HTTPOnly)
2) After the <cfapplication> tag, I do this:
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
(I write over the cookie with the same variable but make it HTTPOnly)
3) I also do this (same thing, but with CFAUTHORIZATION_ instead):
<cfheader name="Set-Cookie" value="CFAUTHORIZATION_myA
Problem: when the user first logs in, CFAUTHORIZATION does not exist, so I do not enter the conditional to set it as HTTPOnly. Therefore it is non-HTTPOnly for the 1st screen. (From then on, it is properly set.)
This is a security hole. I have tried manually finding where it is set in the login scheme and making it HTTPOnly immediately, but I can't track it down.
Can anyone help?
Great resource to start:
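The gap described in the post (a cookie that reaches the browser without HttpOnly on the first response after login) is easiest to confirm by auditing the Set-Cookie headers of each response rather than by reading the CFML. The following is an added example, not code from the original post or from ColdFusion; it parses Set-Cookie values the way a browser does, keeps only the last header for each cookie name (the one the browser retains when a response sets the same cookie twice), and reports session cookies that lack HttpOnly or Secure. The cookie name CFAUTHORIZATION_myapp and all cookie values are constructed sample data; the application name is assumed.

```python
"""Audit Set-Cookie headers for missing HttpOnly (and Secure) flags.

Added example, not part of the original post. The sample headers below
are constructed to mimic the situation the post describes: JSESSIONID
rewritten with HttpOnly via a second Set-Cookie, CFAUTHORIZATION_<app>
emitted without it on the first screen. The app name 'myapp' is assumed.
"""
from typing import Dict, List, Tuple

# Cookie names (prefixes) treated as session/security cookies.
SESSION_COOKIE_PREFIXES = ("JSESSIONID", "CFAUTHORIZATION_", "CFID", "CFTOKEN")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie_headers(set_cookie_values: List[str]) -> List[str]:
    """Return one finding per session cookie lacking HttpOnly or Secure.

    Only the last Set-Cookie for a given name is considered, because that
    is the one the browser keeps when a response sets the cookie twice.
    """
    last_seen: Dict[str, Dict[str, str]] = {}
    for raw in set_cookie_values:
        name, _value, attrs = parse_set_cookie(raw)
        last_seen[name] = attrs

    findings: List[str] = []
    for name, attrs in last_seen.items():
        if not name.upper().startswith(SESSION_COOKIE_PREFIXES):
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


# Constructed sample: what the first response after login might carry.
FIRST_LOGIN_RESPONSE = [
    "JSESSIONID=0123456789abcdef; Path=/",             # set by the container
    "JSESSIONID=0123456789abcdef; Path=/; HttpOnly",   # overwritten via cfheader
    "CFAUTHORIZATION_myapp=dXNlcjpzZWNyZXQ=; Path=/",   # not rewritten on 1st screen
    "lastvisit=2010-01-01; Path=/",                    # not a session cookie, ignored
]

# Constructed sample: a later response, after the conditional rewrite ran.
LATER_RESPONSE = [
    "JSESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure",
    "CFAUTHORIZATION_myapp=dXNlcjpzZWNyZXQ=; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for label, headers in (("first login", FIRST_LOGIN_RESPONSE),
                           ("later response", LATER_RESPONSE)):
        print(label, audit_set_cookie_headers(headers) or ["ok"])
```

To run this against a live server, feed it `response.headers.get_all("Set-Cookie")` from an `http.client` response to the login URL and to the first page after it; a finding on the first response and none on the second is exactly the one-screen gap described above.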