How do I make JSESSIONID HTTPOnly in ColdFusion?

Posted on 2009-05-01
Medium Priority
Last Modified: 2013-12-20
I am using built-in JSESSIONID as a cookie in ColdFusion to keep track of sessions.

When I do this, ColdFusion does NOT make this cookie HTTPOnly. This means it is vulnerable to JavaScript attacks.

I tried many ways to make it HTTPOnly. The one that ended up looking like it worked was this:

<!--- if the cookie is defined, reset it to be HTTPOnly --->
<cfif IsDefined("cookie.JSESSIONID")>
      <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>

This looked like it worked when tracking cookie with Firebug (http://getfirebug.com/) and Firecookie (https://addons.mozilla.org/en-US/firefox/addon/6683).

But when I ran security test, it said that JSESSIONID was not HTTPOnly.

Is there any way to make JSESSIONID an HTTPOnly cookie?


PS This site explores how to do this with CFID and CFTOKEN variables:

 (see comments at bottom)

But I am using JSESSIONID, not CFID and CFTOKEN.

Question by:adnank
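The "security test" mentioned in the question can be reproduced offline with a small header audit that judges every Set-Cookie header on its own. This is an added example, not code from the thread; the response headers are constructed, and the cookie names and flags it looks for (HttpOnly, Secure) are assumptions about what such a scanner checks.

```python
"""Audit HTTP response headers for session cookies sent without HttpOnly."""
from typing import List, Set, Tuple

# Cookie names that carry ColdFusion / servlet-container session identity.
SESSION_COOKIES = {"JSESSIONID", "CFID", "CFTOKEN"}


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw_headers: str) -> List[str]:
    """One finding per Set-Cookie header that weakens a session cookie.

    Each header is judged on its own: if the container first emits JSESSIONID
    without HttpOnly and the application re-sends it with the flag, the first
    header is still reported, which is what a scanner sees.
    """
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.upper() not in SESSION_COOKIES:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name} set without HttpOnly: {value.strip()}")
        elif "secure" not in attrs:
            findings.append(f"{name} has HttpOnly but not Secure: {value.strip()}")
    return findings


# Constructed sample: the container's own Set-Cookie for JSESSIONID, followed
# by the application's <cfheader> re-send of the same cookie with HttpOnly.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=abc123DEADBEEF; Path=/
Set-Cookie: JSESSIONID=abc123DEADBEEF;domain=www.example.com;path=/;HTTPOnly
Set-Cookie: prefs=dark; Path=/
"""

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```

On a live server, feed the function the raw headers from a request to the page (e.g. the output of `curl -sI`); the first finding in the sample is the one that makes a scanner report JSESSIONID as not HttpOnly even though a second, flagged Set-Cookie follows.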
LVL 27

Expert Comment

ID: 24285189
you should also have setClientCookies="false" in <cfapplication> tag in your Application.cfm (or THIS.setclientcookies="false" in the constructor part if you are using Application.cfc).

depending on WHERE the cookie-resetting code is in your application, cookie.jsessionid may very well NOT be defined yet, thus your code to set it as http-only will NOT execute...


Author Comment

ID: 24285351
setclientcookies is = false.

The code to set JSESSIONID is very near the top of the page (after I set a debug flag, then do <cfapplication>, then set header specs for caching cookies, then set header specs for mod_gzip for speed).

Here is Application.cfm

<!--- page start --->

<!--- debug flag --->
<cfset Variables.debugFlag = 0>

<!--- start application --->
<cfapplication
      name="MYAPP" applicationtimeout=#CreateTimeSpan(0, 2, 0, 0)#
      clientmanagement = "false" clientstorage="cookie" setclientcookies = "false"
      setdomaincookies = "false"
      sessionManagement = "true" sessionTimeout=#CreateTimeSpan(0,0,20,0)#
      scriptProtect = "all">

<!--- line-by-line explanation:
      1. the application's name is MYAPP; it times out in 2 hours
         (CreateTimeSpan takes days, hours, minutes, seconds)
      2. client variables are disabled; make sure ColdFusion does not
            write client or session token cookies so they can be made secure manually
            (see http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121)
      3. setdomaincookies is only meaningful for a clustered environment
      4. session variables are enabled; session vars time out in 20 minutes
      5. built-in XSS protection is turned on for form, url, cgi, and cookie variables
      6. any logins are stored in the session scope to avoid making CFAUTHORIZATION var
--->

<!--- avoid having cached cookies --->
<cfheader name="Cache-control" value="no-cache='set-cookie'">

<!--- speed up delivery of page (as per YSlow: http://developer.yahoo.com/yslow/) --->
<cfheader name="Content-encoding" value="mod_gzip">

<!--- ensure that JSESSIONID is HTTPOnly --->
<cfif IsDefined("cookie.JSESSIONID")>
       <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>

<!--- page continues --->
LVL 27

Accepted Solution

azadisaryev earned 2000 total points
ID: 24285542
ok, reading that Jason's post from his 12robots blog, you can see, at the very end, that he says that this <cfheader> trick does not work for JSESSIONID cookie:

"I have tried this with jsessionid and it does not seem to work. If anyone has an experience with making the jsessionid token cookie secure, I would love to learn about it."

but in the very first comment to that post you will find a link to the solution that seems to work:

you need to use <cfcookie> tag to set JSESSIONID cookie.



Author Comment

ID: 24311067
Thanks. I read that. That makes the cookies secure, not HTTPOnly, and it seems to be as far as anyone's gotten. I know if someone had moved forward more on this issue, you would know.

It's clear to me that ColdFusion simply isn't on top of this -- I'll look for JSESSIONID to be HTTPOnly in future releases.

LVL 27

Expert Comment

ID: 24311437
don't give up yet!
have you tried something like this?:

<cfif structKeyExists(cookie, 'jsessionid')>  

i do not have access to any security test suites to test it out, but i think this might work...

LVL 27

Expert Comment

ID: 24325723
PS: just saw a new post by Jason Dean on his blog that seems to have the solution for this:

