I am using built-in JSESSIONID as a cookie in ColdFusion to keep track of sessions.
I tried many ways to make it HTTPOnly. The one that ended up looking like it worked was this:
<!--- if the cookie is defined, reset it to be HTTPOnly --->
<cfheader name="Set-Cookie" value="JSESSIONID=#cookie.
This looked like it worked when tracking the cookie with Firebug (http://getfirebug.com/) and Firecookie (https://addons.mozilla.org/en-US/firefox/addon/6683).
But when I ran a security test, it said that JSESSIONID was not HTTPOnly.
Is there any way to make JSESSIONID an HTTPOnly cookie?
PS This site explores how to do this with CFID and CFTOKEN variables:
(see comments at bottom)
But I am using JSESSIONID, not CFID and CFTOKEN.
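An added example, not part of the question and not ColdFusion code, showing the check a scanner performs that a browser cookie viewer does not: it inspects every Set-Cookie header in the raw response rather than the browser's merged cookie jar, so a cookie emitted twice, with only the second copy carrying HttpOnly, is still reported as missing the flag. The header lines are constructed sample input.

```python
"""Audit Set-Cookie headers for the HttpOnly flag, header by header.

Added example (not from the question). The header lines are constructed
to mimic a response that sets JSESSIONID twice: once by the servlet
container without HttpOnly and once more by a later Set-Cookie header."""

# Constructed sample: raw response header lines as a scanner would see them.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: JSESSIONID=abc123; Path=/",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: CFID=42; Path=/; HttpOnly; Secure",
]


def parse_set_cookies(header_lines):
    """Return one dict per Set-Cookie header: name, value and attribute flags."""
    cookies = []
    for line in header_lines:
        field, _, rest = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        # Attribute names are case-insensitive; keep only the name part of key=value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies.append({"name": name.strip(), "value": value.strip(),
                        "httponly": "httponly" in attrs, "secure": "secure" in attrs})
    return cookies


def audit_session_cookies(header_lines, session_names=("JSESSIONID", "CFID", "CFTOKEN")):
    """Map each session cookie name to one HttpOnly result per Set-Cookie header.

    A list such as [False, True] means the cookie was emitted twice and the
    first copy lacked the flag; a scanner that checks every header reports that,
    while a browser tool only shows the final, merged cookie."""
    results = {}
    for c in parse_set_cookies(header_lines):
        if c["name"] in session_names:
            results.setdefault(c["name"], []).append(c["httponly"])
    return results


def findings(header_lines):
    """Session cookie names with at least one Set-Cookie header missing HttpOnly."""
    audit = audit_session_cookies(header_lines)
    return sorted(name for name, flags in audit.items() if not all(flags))


if __name__ == "__main__":
    print(audit_session_cookies(SAMPLE_HEADERS))
    print("Missing HttpOnly:", findings(SAMPLE_HEADERS))
```

Run it against the headers captured from a real response (for example with curl -i) to see whether the container's own JSESSIONID header is the one the scanner is flagging.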