0 Replies Latest reply on Jun 26, 2014 8:16 AM by BreakawayPaul

    Missing HttpOnly Attribute in Session Cookie

    BreakawayPaul Level 2

      I was just given a security scan result for one of our web apps that showed two problems:

       

      1. Missing HttpOnly Attribute in Session Cookie
      2. Missing Secure Attribute in Encrypted Session (SSL) Cookie

       

      The interesting thing is that I have both client and domain cookies set to "No" in my Application.cfm file (this is an old application that uses CF8).  Maybe I don't understand the concept?

      I found a piece of code that's supposed to secure cookies:

      <!--- session.CFID and session.CFTOKEN only exist when session management is enabled (sessionManagement="yes" in <cfapplication>); without it they are undefined --->
      <!--- Only re-issue the session cookies when the browser's copy is missing or no longer matches the server-side session --->
      <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
         <!--- HttpOnly keeps client-side script from reading the cookie; Secure limits it to HTTPS (only add Secure when the site is served over SSL) --->
         <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HttpOnly;Secure">
         <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HttpOnly;Secure">
      </cfif>


      But I get session.cfid and session.cftoken undefined errors.  Before I rack my brain on something I obviously don't get, can someone steer me in the right direction?


      Thanks in advance!
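
As an added example (not code from the post or from ColdFusion), the check the scanner is performing on the two findings above can be reproduced offline in Python: parse each Set-Cookie header of a response, flag session cookies that lack HttpOnly and, when the site is served over HTTPS, those that lack Secure, and show what the corrected header should look like. The cookie names CFID and CFTOKEN come from the post; treating JSESSIONID as a session cookie is an assumption, and the sample response headers are constructed for the example.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes on session cookies."""

# CFID and CFTOKEN are the ColdFusion session cookies from the post;
# JSESSIONID is an assumed extra name for servlet-based session cookies.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}

FINDING_HTTPONLY = "Missing HttpOnly Attribute in Session Cookie"
FINDING_SECURE = "Missing Secure Attribute in Encrypted Session (SSL) Cookie"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'HTTPOnly', 'HttpOnly' and 'httponly'
    compare equal; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header, over_https=True):
    """Return (cookie_name, list_of_findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "httponly" not in attrs:
            findings.append(FINDING_HTTPONLY)
        # Secure only matters when the cookie is issued over an encrypted connection
        if over_https and "secure" not in attrs:
            findings.append(FINDING_SECURE)
    return name, findings


def audit_response_headers(headers, over_https=True):
    """Audit every Set-Cookie header in a list of (name, value) header pairs."""
    results = {}
    for hname, hval in headers:
        if hname.lower() == "set-cookie":
            cookie_name, findings = audit_set_cookie(hval, over_https)
            results[cookie_name] = findings
    return results


def harden_set_cookie(header, over_https=True):
    """Append the attributes the scanner would expect, without duplicating existing ones."""
    _, _, attrs = parse_set_cookie(header)
    out = header.strip().rstrip(";")
    if "httponly" not in attrs:
        out += ";HttpOnly"
    if over_https and "secure" not in attrs:
        out += ";Secure"
    return out


# Constructed sample: what a CF8 response might send with setClientCookies on,
# before the cfheader snippet from the post is applied.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "CFID=12345;path=/"),
    ("Set-Cookie", "CFTOKEN=67890abc;path=/"),
    ("Set-Cookie", "theme=dark;path=/"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_RESPONSE_HEADERS).items():
        print(cookie, "->", findings or "OK")
    for _, hval in SAMPLE_RESPONSE_HEADERS[1:]:
        print("hardened:", harden_set_cookie(hval))
```

Running the block prints one line per cookie with the findings the scanner reports, then the hardened header each cfheader should emit; the non-session cookie `theme` produces no findings because the two checks apply to session cookies only.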