How do I make JSESSIONID HTTPOnly in ColdFusion?
I am using built-in JSESSIONID as a cookie in ColdFusion to keep track of sessions.
When I do this, ColdFusion does NOT make this cookie HTTPOnly. This means it is vulnerable to JavaScript attacks.
I tried many ways to make it HTTPOnly. The one that ended up looking like it worked was this:
<!--- if the cookie is defined, reset it to be HTTPOnly --->
<cfif IsDefined("cookie.JSESSION
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
</cfif>
This looked like it worked when tracking cookie with Firebug (http://getfirebug.com/) and Firecookie (https://addons.mozilla.org/en-US/firefox/addon/6683).
BUt when I ran security test, it said that JSESSIONID was not HTTPOnly.
Is there any way to make JSESSIONID an HTTPOnly cookie?
Thanks!
PS THis site explores how to do this with CFID and CFTOKEN variables:
http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121
(see comments at bottom)
But I am using JSESSIONID, not CFID and CFTOKEN.
httponly-cookie.png
httponly-cookie-code.png
When I do this, ColdFusion does NOT make this cookie HTTPOnly. This means it is vulnerable to JavaScript attacks.
I tried many ways to make it HTTPOnly. The one that ended up looking like it worked was this:
<!--- if the cookie is defined, reset it to be HTTPOnly --->
<cfif IsDefined("cookie.JSESSION
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
</cfif>
This looked like it worked when tracking cookie with Firebug (http://getfirebug.com/) and Firecookie (https://addons.mozilla.org/en-US/firefox/addon/6683).
BUt when I ran security test, it said that JSESSIONID was not HTTPOnly.
Is there any way to make JSESSIONID an HTTPOnly cookie?
Thanks!
PS THis site explores how to do this with CFID and CFTOKEN variables:
http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121
(see comments at bottom)
But I am using JSESSIONID, not CFID and CFTOKEN.
httponly-cookie.png
httponly-cookie-code.png
ASKER
setclientcookies is = false.
The code to set JSESSIONID is very near the top of the page (after I set a debug flag, then do <cfapplication>, then set header specs for caching cookies, then set header specs for mod_gzip for speed).
Here is Application.cfm
<!--- page start --->
<!--- debug flag --->
<cfset Variables.debugFlag = 0>
<!--- start application --->
<cfapplication
name="MYAPP" applicationtimeout=#Create
clientmanagement = "false" clientstorage="cookie" setclientcookies = "false"
setdomaincookies = "false"
sessionManagement = "true" sessionTimeout=#CreateTime
scriptProtect = "all"
loginstorage="session">
<!--- line-by-line explanation:
1. the application's name is MYAPP; it times out in 2 days
2. client variables are disabled; make sure ColdFusion does not
write client or session token cookies so they can be made secure manually
(see http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121)
3. setdomaincookies is only meaningful for a clustered environment
4. session variables are enabled; session vars time out in 20 minutes
5. built-in XSS protection is turned on for form, url, cgi, and cookie variables
6. any logins are stored in the session scope to avoid making CFAUTHORIZATION var
--->
<!--- avoid having cached cookies --->
<cfheader name="Cache-control" value="no-cache='set-cooki
<!--- speed up delivery of page (as per YSlow: http://developer.yahoo.com/yslow/) --->
<cfheader name="Content-encoding" value="mod_gzip">
<!--- ensure that JSESSIONID is HTTPOnly --->
<cfif IsDefined("cookie.JSESSION
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
</cfif>
<!--- page continues --->
The code to set JSESSIONID is very near the top of the page (after I set a debug flag, then do <cfapplication>, then set header specs for caching cookies, then set header specs for mod_gzip for speed).
Here is Application.cfm
<!--- page start --->
<!--- debug flag --->
<cfset Variables.debugFlag = 0>
<!--- start application --->
<cfapplication
name="MYAPP" applicationtimeout=#Create
clientmanagement = "false" clientstorage="cookie" setclientcookies = "false"
setdomaincookies = "false"
sessionManagement = "true" sessionTimeout=#CreateTime
scriptProtect = "all"
loginstorage="session">
<!--- line-by-line explanation:
1. the application's name is MYAPP; it times out in 2 days
2. client variables are disabled; make sure ColdFusion does not
write client or session token cookies so they can be made secure manually
(see http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121)
3. setdomaincookies is only meaningful for a clustered environment
4. session variables are enabled; session vars time out in 20 minutes
5. built-in XSS protection is turned on for form, url, cgi, and cookie variables
6. any logins are stored in the session scope to avoid making CFAUTHORIZATION var
--->
<!--- avoid having cached cookies --->
<cfheader name="Cache-control" value="no-cache='set-cooki
<!--- speed up delivery of page (as per YSlow: http://developer.yahoo.com/yslow/) --->
<cfheader name="Content-encoding" value="mod_gzip">
<!--- ensure that JSESSIONID is HTTPOnly --->
<cfif IsDefined("cookie.JSESSION
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
</cfif>
<!--- page continues --->
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. I read that. That makes the cookies secure, not HTTPOnly, and it seems to be as far as anyone's gotten. I know if someone had moved forward more on this issue, you would know.
It's clear to me that ColdFusion simply isn't on top of this -- I'll look for JSESSIONID to be HTTPOnly in future releases.
Thanks!
It's clear to me that ColdFusion simply isn't on top of this -- I'll look for JSESSIONID to be HTTPOnly in future releases.
Thanks!
don't give up yet!
have you tried something like this?:
<cfif structKeyExists(cookie, 'jsessionid')>
<cfcookie
name="jsessionid"
value="#cookie['jsessionid
secure="Yes">
</cfif>
i do not have access to any security test suites to test it out, but i think this might work...
Azadi
have you tried something like this?:
<cfif structKeyExists(cookie, 'jsessionid')>
<cfcookie
name="jsessionid"
value="#cookie['jsessionid
secure="Yes">
</cfif>
i do not have access to any security test suites to test it out, but i think this might work...
Azadi
PS: just saw a new post by Jason Dean on his blog that seems to have the solution for this:
http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH
Azadi
http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH
Azadi
depending on WHERE the cookie-resetting code is in your application, cookie.jsessionid may very well NOT be defined yet, thus your code to set it as http-only will NOT execute...
Azadi