Making CFAUTHORIZATION_ an HTTPOnly cookie on 1st login

Posted on 2009-04-19
Last Modified: 2013-12-20
It is recommended that all cookies be HTTPOnly these days. But I have had a lot of trouble getting ColdFusion's built-in security cookies to be HTTPOnly.

I am using J2EE login scheme.

When user logs in, two security cookie variables are set:

To make these HTTPOnly, I do this:

1) in <cfapplication> tag, I set setclientcookies="false" (this means that I will set security cookies manually so I can make them HTTPOnly)

2) after <cfapplication> tag, I do this:
<cfif IsDefined("cookie.JSESSIONID")>
      <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>
(I write over the cookie with the same variable but make HTTPOnly)

3) I also do this (same thing, but with CFAUTHORIZATION_ instead):
<cfif IsDefined("cookie.CFAUTHORIZATION_myApp")>
      <cfheader name="Set-Cookie" value="CFAUTHORIZATION_myApp=#cookie.CFAUTHORIZATION_myApp#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>

Problem: when user first logs in, CFAUTHORIZATION does not exist, so I do not enter the conditional to set it as HTTPOnly. Therefore it is non-HTTPOnly for the 1st screen. (From then on, it is properly set.)

This is a security hole. I have tried manually finding where it is set in the login scheme and making it HTTPOnly immediately, but I can't track it down.

Can anyone help?

great resource to start:
Question by: masterorb

    Author Comment

    Please note: this is also a great resource; this person says he has a solution with <cflocation> for setting JSESSIONID, but I'm not sure how that works or what it has to do with CFAUTHORIZATION.

    Accepted Solution

    iirc, if you set loginstorage="session" in your <cfapplication> tag then CF will NOT create the CFAUTHORIZATION_myApp cookie at all - it will only create a session variable named CFAUTHORIZATION_myApp.
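
    Putting the accepted answer together with the HttpOnly rewrite from the question, as an added example that is neither the asker's nor the answerer's code. The application name myApp is assumed, and reading the servlet session id via getPageContext().getSession().getId() (so the cookie can be sent on the very first request, before the browser has echoed cookie.JSESSIONID back) is also an assumption about the J2EE setup:

```cfml
<!--- Application.cfm (added example; "myApp" is an assumed application name) --->
<cfapplication name="myApp"
               sessionmanagement="true"
               setclientcookies="false"
               loginstorage="session">

<!--- The default, loginstorage="cookie", makes <cfloginuser> emit a
      CFAUTHORIZATION_myApp cookie on the first response, which is the
      non-HttpOnly cookie the question describes. With loginstorage="session"
      the login token is kept in the session scope instead, so that cookie is
      never sent and there is nothing left to retrofit. --->

<!--- The J2EE session id still has to travel in a cookie. Taking it from the
      servlet session (assumption: getPageContext().getSession().getId()) rather
      than from cookie.JSESSIONID means the HttpOnly version goes out on the
      first request too, not only once the browser has echoed the cookie back. --->
<cfset jsessionid = getPageContext().getSession().getId()>
<cfheader name="Set-Cookie"
          value="JSESSIONID=#jsessionid#;domain=#CGI.SERVER_NAME#;path=/;HttpOnly">
```

    Verify the result by inspecting the first response after login: there should be one JSESSIONID Set-Cookie header carrying HttpOnly and no CFAUTHORIZATION_myApp cookie at all; if the servlet container also emits its own JSESSIONID cookie, that one has to be made HttpOnly in the container's configuration.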


    Author Closing Comment

    Wow! You did it! Azadi you are a genius. I hope they are paying you enough. I am serious you have saved me like 10 times now. THANK YOU!
