How do I make JSESSIONID HTTPOnly in ColdFusion?

Posted on 2009-05-01
Last Modified: 2013-12-20
I am using built-in JSESSIONID as a cookie in ColdFusion to keep track of sessions.

When I do this, ColdFusion does NOT make this cookie HTTPOnly. This means it is vulnerable to JavaScript attacks.

I tried many ways to make it HTTPOnly. The one that ended up looking like it worked was this:

<!--- if the cookie is defined, reset it to be HTTPOnly --->
<cfif IsDefined("cookie.JSESSIONID")>
      <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
</cfif>

This looked like it worked when tracking the cookie with Firebug and Firecookie.

But when I ran a security test, it said that JSESSIONID was not HTTPOnly.

Is there any way to make JSESSIONID an HTTPOnly cookie?


PS This site explores how to do this with CFID and CFTOKEN variables:
(see comments at bottom)

But I am using JSESSIONID, not CFID and CFTOKEN.

Question by:adnank
    LVL 27

    Expert Comment

    you should also have setClientCookies="false" in the <cfapplication> tag in your Application.cfm (or THIS.setclientcookies="false" in the constructor part if you are using Application.cfc).

    depending on WHERE the cookie-resetting code is in your application, cookie.jsessionid may very well NOT be defined yet, thus your code to set it as http-only will NOT execute...


    Author Comment

    setclientcookies is = false.

    The code to set JSESSIONID is very near the top of the page (after I set a debug flag, then do <cfapplication>, then set header specs for caching cookies, then set header specs for mod_gzip for speed).

    Here is Application.cfm

    <!--- page start --->

    <!--- debug flag --->
    <cfset Variables.debugFlag = 0>

    <!--- start application --->
    <cfapplication
          name="MYAPP" applicationtimeout=#CreateTimeSpan(0, 2, 0, 0)#
          clientmanagement = "false" clientstorage="cookie" setclientcookies = "false"
          setdomaincookies = "false"
          sessionManagement = "true" sessionTimeout=#CreateTimeSpan(0,0,20,0)#
          scriptProtect = "all">

    <!--- line-by-line explanation:
          1. the application's name is MYAPP; it times out in 2 days
          2. client variables are disabled; make sure ColdFusion does not
                write client or session token cookies so they can be made secure manually
          3. setdomaincookies is only meaningful for a clustered environment
          4. session variables are enabled; session vars time out in 20 minutes
          5. built-in XSS protection is turned on for form, url, cgi, and cookie variables
          6. any logins are stored in the session scope to avoid making CFAUTHORIZATION var
    --->

    <!--- avoid having cached cookies --->
    <cfheader name="Cache-control" value="no-cache='set-cookie'">

    <!--- speed up delivery of page (as per YSlow) --->
    <cfheader name="Content-encoding" value="mod_gzip">

    <!--- ensure that JSESSIONID is HTTPOnly --->
    <cfif IsDefined("cookie.JSESSIONID")>
           <cfheader name="Set-Cookie" value="JSESSIONID=#cookie.JSESSIONID#;domain=#CGI.SERVER_NAME#;path=/;HTTPOnly" />
    </cfif>

    <!--- page continues --->
    LVL 27

    Accepted Solution

    ok, reading Jason's post from his 12robots blog, you can see, at the very end, that he says that this <cfheader> trick does not work for the JSESSIONID cookie:

    "I have tried this with jsessionid and it does not seem to work. If anyone has an experience with making the jsessionid token cookie secure, I would love to learn about it."

    but in the very first comment to that post you will find a link to the solution that seems to work:

    you need to use <cfcookie> tag to set JSESSIONID cookie.



    Author Comment

    Thanks. I read that. That makes the cookies secure, not HTTPOnly, and it seems to be as far as anyone's gotten. I know if someone had moved forward more on this issue, you would know.

    It's clear to me that ColdFusion simply isn't on top of this -- I'll look for JSESSIONID to be HTTPOnly in future releases.

    LVL 27

    Expert Comment

    don't give up yet!
    have you tried something like this?:

    <cfif structKeyExists(cookie, 'jsessionid')>  

    i do not have access to any security test suites to test it out, but i think this might work...

    LVL 27

    Expert Comment

    PS: just saw a new post by Jason Dean on his blog that seems to have the solution for this:
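    The following is an added example written for this thread, not code posted by any participant nor from the linked blog. It shows the <cfcookie> approach the accepted solution points at, with the httponly attribute that <cfcookie> accepts from ColdFusion 9 onward (an assumption about your version; the attribute is not on the page). It keeps the structKeyExists guard from the thread, because on the request that first creates the session the container has already written its own Set-Cookie and the cookie scope is still empty, so the rewrite can only take effect from the second request on. That is also the likely reason a scanner that reads the raw Set-Cookie headers of the first response still reports the cookie as not HTTPOnly while Firecookie, which shows the browser's final cookie jar, shows the flag as set.

    ```cfml
    <!--- Added example (not from the thread): rewrite the J2EE session cookie with HttpOnly and Secure.
          Assumes ColdFusion 9 or later, where <cfcookie> has an httponly attribute.
          Place it in Application.cfm directly after <cfapplication>, or in onRequestStart() of Application.cfc. --->

    <!--- Only act once the servlet container has issued a JSESSIONID cookie; on the session-creating
          request the cookie scope does not contain it yet, so this block does nothing there. --->
    <cfif structKeyExists(cookie, "JSESSIONID")>
        <!--- No expires attribute: stays a browser-session cookie, like the original.
              No domain attribute: a host-only cookie is narrower than domain=#CGI.SERVER_NAME#.
              secure is set only when the request itself arrived over HTTPS (CGI.HTTPS is "on" in that case);
              sending secure="true" over plain HTTP would make the browser discard the cookie and drop the session. --->
        <cfcookie name="JSESSIONID"
                  value="#cookie.JSESSIONID#"
                  path="/"
                  secure="#(CGI.HTTPS eq 'on')#"
                  httponly="true" />
    </cfif>
    ```

    When verifying the result, inspect the Set-Cookie headers of the response that first creates the session, not only the browser's stored cookie: that first header comes from the servlet container, and any tag-level rewrite from ColdFusion can only affect later responses. ColdFusion 10 and later also expose session-cookie flags in Application.cfc (this.sessioncookie.httponly and this.sessioncookie.secure); whether those apply when J2EE session variables are enabled, as opposed to CFID/CFTOKEN, should be confirmed against the documentation for the installed version rather than assumed.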

