[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Making CFAUTHORIZATION_ an HTTPOnly cookie on 1st login

Posted on 2009-04-19
3
Medium Priority
?
936 Views
Last Modified: 2013-12-20
It is recommended that all cookies be HTTPOnly these days . But I have had a lot of trouble getting ColdFusion's built-in security cookies to be HTTPOnly.

I am using J2EE login scheme.

When user logs in, two security cookie variables are set:
JSESSIONID
CFAUTHORIZATION_nameOfMyApp

To make these HTTPOnly, I do this:

1) in <cfapplication> tag, I set    setclientcookies="false"   (this means that I will set security cookies manually so I can make them HTTPOnly)

2) after <cfapplication> tag, I do this:
<cfif IsDefined("cookie.JSESSIONID")>
      <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>
(I write over the cookie with the same variable but make HTTPOnly)

3) I also do this (same thing, but with CFAUTHORIZATION_ instead):
<cfif IsDefined("cookie.CFAUTHORIZATION_myApp")>
      <cfheader name="Set-Cookie" value="CFAUTHORIZATION_myApp=#cookie.CFAUTHORIZATION_myApp#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>


Problem: when user first logs in, CFAUTHORIZATION does not exist, so I do not enter conditional to set it as HTTPOnly. Therefore it is non-HTTPOnly for 1st screen. (From then on in, it is properly set.)

This is a security hole. I have tried manually finding where it is set in the login scheme and making it HTTPOnly immediately, but I can't track it down.

Can anyone help?

great resource to start:
http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121
0
Comment
Question by:masterorb
  • 2
3 Comments
 

Author Comment

by:masterorb
ID: 24181798
Please note: this is also a great resource, this person says he has a solution with <cflocation> for setting JSESSIONID, but I'm not sure how that works and what it has to do with CFAUTHORIZATION

http://www.nabble.com/httponly-td22679906.html
0
 
LVL 27

Accepted Solution

by:
azadisaryev earned 2000 total points
ID: 24182672
iirc, if you set loginstorage="session" in your <cfapplication> tag then CF will NOT create the CFAUTHORIZATION_myApp cookie at all - it will only create a session variable named CFAUTHORIZATION_myApp.

Azadi
0
 

Author Closing Comment

by:masterorb
ID: 31572231
Wow! You did it! Azadi you are a genius. I hope they are paying you enough. I am serious you have saved me like 10 times now. THANKY OU!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question