39 Replies Latest reply on Sep 8, 2014 11:34 PM by BKBK

    How to Set up HTTPOnly and SECURE FLAG for session cookies

    Abdul L Koyappayil Level 1

      Hi All,

       

      To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.

       

      I have found the below solutions.

       

      For setting up HTTPOnly for the session cookies:

      1] In Application.cfc we can do this by using the code below. Or we can do this on the CF Admin side under Server Settings » Memory Variables.

           this.sessioncookie.httponly = true;

       

      For setting up the secure flag for the session cookies:

       

      2] In Application.cfc we can do this by using the code below. Or we can do this on the CF Admin side under Server Settings » Memory Variables.

           this.sessioncookie.secure = true;

       

       

      Here my question is: how can we do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the code below, in the case of HTTPOnly (for example).

       

      <cfapplication setclientcookies="false" sessionmanagement="true" name="test">

      <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>

        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">

        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">

      </cfif>

       

      But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as in the above code, then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?

       

      Your timely help is well appreciated.

       

      Thanks in advance.

        • 1. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
          BKBK Adobe Community Professional & MVP

          Abdul L Koyappayil wrote:

           

          Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10).

          You can do it in the Coldfusion Administrator. Navigate to the Memory Variables page. Tick the checkbox HTTPOnly. Click on the button to Submit Changes.

          • 2. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
            Abdul L Koyappayil Level 1

            Hi BKBK,

             

            Thanks for your comments.

             

            I understood, you answered the question. But I have a few questions here.

             

            1] We don't have access to check this in CF Admin -> Server Settings -> Memory Variables. Anyway, this is a server-level solution and it may impact other applications in the same instance as well. Right? But I think the impact is not a negative impact, as we are just securing the session cookies. Right?

             

            2] To do this via code, in Application.cfm (not using Application.cfc, as our application is an existing and old one) I created a structure with the required properties and passed it to the "sessioncookie" attribute of the "cfapplication" tag as below.

             

              <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

              <cfapplication name="mer_auth_lookup" sessionmanagement="yes" setclientcookies="yes" sessioncookie=#cf_ssn_cookies# >

             

            But it does not seem to be working: when I checked using Chrome developer tools I found empty values for the columns HTTP and Secure, as in the attached screenshot.

             

            [attached screenshot: cookies2.png]

            Could you please tell me whether the method I followed to set the HTTPOnly and Secure flags for the session cookies is correct or not? If it is correct, please let me know whether I am following the correct steps in the Chrome web developer tool to check whether the session cookies have been set with the HTTPOnly and SECURE flags.

             

            And if I am following the correct steps to test, why is it not working when checking in Chrome developer tools?

            • 3. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
              BKBK Adobe Community Professional & MVP

              Using cfapplication's sessioncookie attribute is fine, too. For completeness, use something like

               

              <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

                <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

              • 4. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                Abdul L Koyappayil Level 1

                 So this will set the HTTPOnly and SECURE flags for the session cookies, and I can test it using the Chrome web developer tool as I mentioned, right? Ultimately I want to know how we can test whether the cookies have been set with the HTTPOnly and SECURE flags or not. Any ideas?

                • 5. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                  BKBK Adobe Community Professional & MVP

                  Yes, just use Chrome Developer Tools as you did before. Alternatively, open the page in Firefox, and view the cookies using the Firebug add-on.

                  • 6. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                    Abdul L Koyappayil Level 1

                     But when I did this using Chrome I found empty values for the columns HTTP and Secure against the session cookies CFID and CFTOKEN. I have attached a screenshot for this in the discussion above. Can you please tell me why this happens then? I restarted the server also, but no luck. Any thoughts?

                    • 7. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                      BKBK Adobe Community Professional & MVP

                      I have just tested with the cfapplication tag I suggested above, and opened the test page in Chrome. It works as expected. The CFID and CFToken cookies are secure and HTTPOnly.

                       

                      Run your own test page in Chrome. Then follow these steps to see the cookies: 4 Ways to View Cookies - wikiHow
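                       How to verify the flags comes up repeatedly in this thread. As an added example (not code from the thread or from ColdFusion), the following Python script parses Set-Cookie header values the way a scanner would and reports which of CFID, CFTOKEN and JSESSIONID lack HttpOnly or Secure. The sample header values are constructed to mirror the screenshots described above; the HTTPS fetch helper is a convenience for running it against a real server and is not called in the offline run.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not from the forum thread. The cookie names and the sample
responses below are constructed to match the thread (CFID, CFTOKEN, JSESSIONID).
"""
import http.client
from typing import Dict, List

# Session cookies the scanner in the thread complains about (constructed list).
SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are matched case-insensitively (RFC 6265 section 5.2),
    so 'HTTPOnly', 'HttpOnly' and 'httponly' are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "path": attrs.get("path"),
    }


def audit_cookies(set_cookie_headers: List[str],
                  names=SESSION_COOKIES) -> List[str]:
    """Return one finding per session cookie that lacks HttpOnly or Secure."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() not in names:
            continue
        if not cookie["httponly"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if not cookie["secure"]:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


def set_cookie_headers_from_https(host: str, path: str = "/") -> List[str]:
    """Fetch a page over HTTPS and return every Set-Cookie header value.

    Uses getheaders() rather than getheader('Set-Cookie'): the latter joins
    repeated headers with commas, which mangles cookies whose Expires
    attribute itself contains a comma. Not called in the offline run.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample: the state the first screenshot describes, CFID/CFTOKEN
# with neither flag, plus a JSESSIONID that carries only HttpOnly.
SAMPLE_HEADERS_BEFORE = [
    "CFID=12345; Path=/",
    "CFTOKEN=67890; Path=/",
    "JSESSIONID=ABC123DEF456; Path=/; HttpOnly",
]

# Constructed sample after the cfapplication sessioncookie change plus a
# container-level fix for JSESSIONID.
SAMPLE_HEADERS_AFTER = [
    "CFID=12345; Path=/; Secure; HTTPOnly",
    "CFTOKEN=67890; Path=/; Secure; HTTPOnly",
    "JSESSIONID=ABC123DEF456; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_HEADERS_BEFORE),
                           ("after", SAMPLE_HEADERS_AFTER)):
        findings = audit_cookies(headers)
        print(f"{label}: {findings or 'all session cookies carry both flags'}")
```

                       Against a live server, replace the sample lists with set_cookie_headers_from_https("your.host") and request a page that actually starts a session; a response that sets no session cookie at all passes the audit trivially, so check that the three names appear in the output before trusting a clean result.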

                      • 8. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                        Steve Sommers Level 4

                        Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it.

                        • 9. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                          Abdul L Koyappayil Level 1

                          I checked the way you explained and I found that the session cookies (CFID and CFTOKEN), except JSESSIONID, are being set with the HTTPOnly and SECURE flags. For JSESSIONID I am getting the following details.

                           


                          Note that when I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES.

                           

                          So I think the code below that we used is only for the CF session cookies and not for JSESSIONID. So this solution (code below) will not work for JSESSIONID. Right? Please correct me if I am wrong. If I am correct, could you please explain how I can make it work for JSESSIONID?

                           

                          <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

                            <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

                           

                          Also, when I removed the above piece of code from the Application.cfm file, the SECURE flag is not set but HTTPOnly is always set, irrespective of the above piece of code. Any idea why this is happening?

                          • 10. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                            Abdul L Koyappayil Level 1

                            Yes Steve, I am doing this as a result of a PCI vulnerability scan.

                             

                            Steve Sommers wrote:

                             

                            Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it.

                             

                            Sorry, I couldn't understand the sentence that I have marked as bold and italic above. Could you please elaborate it in simple words?

                             

                            Also I would like to inform you that when I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well? In the scanning report they have mentioned to set the HTTPOnly and SECURE flags for SESSION COOKIES (I think this includes both the CF session cookies and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please give your inputs on this.



                            • 11. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                              BKBK Adobe Community Professional & MVP

                              Abdul,

                              Could you split this into different questions, which we can discuss, one at a time? Otherwise it all becomes unnecessarily complex.

                               

                              Your original question was how to set Secure, HTTPOnly cookies and view them in the Chrome browser. If that problem is solved, then please say so, and close the subject, before raising further issues.

                              • 12. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                BKBK Adobe Community Professional & MVP

                                Abdul L Koyappayil wrote:

                                 

                                So I think the code below that we used is only for the CF session cookies and not for JSESSIONID. So this solution (code below) will not work for JSESSIONID. Right?

                                Right.

                                • 13. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                  Abdul L Koyappayil Level 1

                                  All these issues are related; that is the reason I am asking all these questions here.

                                   

                                  And what about this: when I removed the above piece of code from the Application.cfm file, the SECURE flag is not set but HTTPOnly is always set, irrespective of the above piece of code. Any idea why this is happening?


                                  I think the only unrelated question is how to set the HTTPOnly and Secure flags for JSESSIONID; I will post a separate question on this.

                                  • 14. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                    BKBK Adobe Community Professional & MVP

                                    Abdul L Koyappayil wrote:

                                     

                                    So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well? In the scanning report they have mentioned to set the HTTPOnly and SECURE flags for SESSION COOKIES (I think this includes both the CF session cookies and JSESSIONID). But I think that I need to set those flags only for JSESSIONID (as J2EE SESSION is enabled in CF Admin) and not for CFID and CFTOKEN. Please give your inputs on this.

                                    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

                                    • 15. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                      BKBK Adobe Community Professional & MVP

                                      Abdul L Koyappayil wrote:

                                       

                                      All these issues are related that is the reason I am asking all these questions here.

                                      Fair enough. But not all at once. Acknowledging the questions already answered makes the discussion less complex, hence more fruitful.

                                      • 16. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                        Abdul L Koyappayil Level 1

                                        BKBK wrote:

                                        You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

                                         

                                        I couldn't understand this. I mean, how are you relating this to my question?

                                         

                                        I have the questions below. Kindly go through them. If needed I can post separate questions, but I think all these are related and there is no need to post separate questions. But if you need, I can do that, no problem.

                                         

                                        1] When I removed the piece of code below from the Application.cfm file, the SECURE flag is not set but HTTPOnly is always set, irrespective of the piece of code below. Any idea why this is happening?

                                            

                                        <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

                                          <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

                                         

                                        2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?

                                         

                                        3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?




                                         

                                        • 17. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                          BKBK Adobe Community Professional & MVP

                                          Abdul L Koyappayil wrote:

                                           

                                           

                                          And what about this: when I removed the above piece of code from the Application.cfm file, the SECURE flag is not set but HTTPOnly is always set, irrespective of the above piece of code. Any idea why this is happening?

                                          Your description is broad. When you say you removed a piece of code, we still know nothing about what you left in. So what was the content of the Application.cfm that you tested with?

                                          • 18. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                            Abdul L Koyappayil Level 1

                                            OK, I understood. Sorry for the confusion. Let me explain.

                                             

                                            Initially I created Application.cfm as below (only the code below).

                                             

                                            <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

                                             

                                              <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

                                             

                                            Later on I removed the attribute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag (this is what I meant by "when I removed the above piece of code"). Sorry for the confusion. So now my Application.cfm contains only the code below. At this point the SECURE flag is not set but HTTPOnly is always set, irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in the cfapplication tag.

                                             

                                              <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" >

                                             

                                            I hope you got it ...

                                            • 19. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                              BKBK Adobe Community Professional & MVP

                                              What is your Coldfusion version?

                                              • 20. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                Abdul L Koyappayil Level 1

                                                CF 10. And the web server is Apache.

                                                • 21. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                  BKBK Adobe Community Professional & MVP

                                                  Abdul L Koyappayil wrote:

                                                   

                                                  CF 10. And the web server is Apache.

                                                  OK, then my assumption was right. CF10 and 11 are built on Tomcat. That is relevant to the discussion. I will now take it up again.

                                                  • 22. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                    BKBK Adobe Community Professional & MVP

                                                    Abdul L Koyappayil wrote:

                                                     

                                                    OK, I understood. Sorry for the confusion. Let me explain.

                                                     

                                                    Initially I created Application.cfm as below (only the code below).

                                                     

                                                    <cfset cf_ssn_cookies = {httponly='true', secure='true'}>

                                                     

                                                      <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

                                                     

                                                    Later on I removed the attribute 'sessioncookie="#cf_ssn_cookies#"' from the cfapplication tag (this is what I meant by "when I removed the above piece of code"). Sorry for the confusion. So now my Application.cfm contains only the code below. At this point the SECURE flag is not set but HTTPOnly is always set, irrespective of the attribute (sessioncookie="#cf_ssn_cookies#") in the cfapplication tag.

                                                     

                                                      <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" >

                                                     

                                                    I hope you got it ...

                                                    Yes, I got it. Thanks. Good test style.

                                                    • 23. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                      Abdul L Koyappayil Level 1

                                                      BKBK wrote:

                                                       

                                                      Yes, I got it. Thanks. Good test style.

                                                       

                                                      What does this mean? Is the discussion over, or are you still working on the three questions that I posted above? Just to know.

                                                      • 24. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                        BKBK Adobe Community Professional & MVP

                                                        Abdul L Koyappayil wrote:

                                                         

                                                        BKBK wrote:

                                                        You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

                                                         

                                                        I couldn't understand this. I mean, how are you relating this to my question?

                                                        When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.

                                                         

                                                        1] When I removed the piece of code below from the Application.cfm file, the SECURE flag is not set but HTTPOnly is always set, irrespective of the piece of code below. Any idea why this is happening?

                                                        My bet is that the setting HTTPOnly=true is the default (set, for example, in the Coldfusion Administrator). To switch it off, use

                                                         

                                                        <cfset cf_ssn_cookies = {httponly='false'}>

                                                          <cfapplication name="mer_auth_lookup" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,30,0)#" setclientcookies="yes" sessioncookie="#cf_ssn_cookies#" >

                                                         

                                                        2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?

                                                        Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.

                                                         

                                                        3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?

                                                        It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.

                                                        • 25. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                          Abdul L Koyappayil Level 1

                                                          BKBK wrote:

                                                           

                                                          Abdul L Koyappayil wrote:

                                                           

                                                          BKBK wrote:

                                                          You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.

                                                           

                                                          I couldn't understand this. I mean, how are you relating this to my question?

                                                          When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.

                                                           

                                                                   

                                                               If this is the case, then why am I getting the information below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the web server Apache vFabric. And the application that we are using is on HTTPS, and no hit goes from HTTPS to HTTP.

                                                           

                                                              

                                                           

                                                          BKBK wrote:

                                                          2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?

                                                          Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.

                                                           

                                                               I understood that setting those flags (httponly/secure) is as per my wish. But my question was: is it necessary to set those flags for the CF session cookies (CFID and CFTOKEN) as we have enabled J2EE sessions in CF Admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for the CF session cookies?

                                                           

                                                          BKBK wrote:

                                                          3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?

                                                          It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.

                                                           

                                                               I understood that it is sufficient to set httponly only. But how will we set it for JSESSIONID? This is my question. Will Apache vFabric also set secure to true automatically? Any idea?

                                                          • 26. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                            BKBK Adobe Community Professional & MVP

                                                            Abdul L Koyappayil wrote:

                                                                   

                                                                 If this is the case, then why am I getting the information below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the web server Apache vFabric. And the application that we are using is on HTTPS, and no hit goes from HTTPS to HTTP.

                                                            Oops, I may have been wrong in assuming it is switched on by default in Tomcat. However, the essential point remains: to set the JsessionID 'secure' flag in Tomcat, not in Coldfusion.

                                                             

                                                            Looking through the Tomcat settings, the prime candidate for configuration is the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Back-up the file before you proceed.

                                                             

                                                            Open the file in a text editor. Uncomment the section

                                                             

                                                            <!--
                                                                <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                                                                           maxThreads="150" scheme="https" secure="true"
                                                                           clientAuth="false" sslProtocol="TLS" />
                                                            -->

                                                             

                                                            Save the result. Restart Coldfusion.

                                                             

                                                                I understood that it is sufficient to set HttpOnly only. But how will we set it for JSESSIONID? This is my question.

                                                            I answered that already: the most obvious place is in the Coldfusion Administrator.

                                                            • 27. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                              Abdul L Koyappayil Level 1

                                                              I am a little confused here. I would like to clarify the below things.

                                                               

                                                              You said "When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected."

                                                               

                                                              Here is my question: for Apache vFabric, does setting the secure flag for the J2EE session cookie work in the same way (as you explained above) as for Apache Tomcat?

                                                               

                                                              To set the secure flag for JSESSIONID we need to uncomment the below section in the file {CF_INSTALLATION}\cfusion\runtime\conf\server.xml. Am I right?

                                                              If I am right, uncommenting the below section will not impact the application(s) in any way. What do you think?

                                                              • 28. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                BKBK Adobe Community Professional & MVP

                                                                Good question, Abdul. Change of plan.

                                                                 

                                                                On second thoughts, do not modify the server.xml file as I suggested. That is all too heavy-going and clumsy. There has to be a simpler solution.

                                                                 

                                                                There is one thing I know. Tomcat is configured to automatically flag the JsessionID cookie as secure when it detects HTTPS. The question is why it fails to set the flag in your case. Let us look into this some more.

                                                                • 29. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                  BKBK Adobe Community Professional & MVP

                                                                  I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed.

                                                                   

                                                                  Open the file in a text editor. Replace the setting

                                                                   

                                                                      <session-config>
                                                                          <session-timeout>30</session-timeout>
                                                                      </session-config>

                                                                   

                                                                  with the setting

                                                                   

                                                                  <session-config>
                                                                      <session-timeout>30</session-timeout>
                                                                      <cookie-config>
                                                                          <http-only>true</http-only>
                                                                          <secure>true</secure>
                                                                      </cookie-config>
                                                                  </session-config>

                                                                   

                                                                  Save the result. Restart Coldfusion.

                                                                  If I am right, uncommenting the below section will not impact the application(s) in any way. What do you think?

                                                                  This is a good question. It is in fact what made me have another look.

                                                                   

                                                                  I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

                                                                  • 30. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                    Abdul L Koyappayil Level 1

                                                                    When I searched the internet I found the below.

                                                                     

                                                                    The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

                                                                    To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true. You can define Java system properties when the JVM is loaded by adding the following line:

                                                                    -Dcoldfusion.sessioncookie.httponly=true

                                                                    I think there are different ways to do this, depending on whether it is a J2EE server, a JRun server or a multi-server installation. I am very confused after reading this.

                                                                    I can't take a decision on what I should do to do this.

                                                                    Can you please guide me on how I can check which server my CF is installed on, like J2EE, JRun, multi-server, etc.?

                                                                    Accordingly, I can apply the solution and close this post.




                                                                    • 31. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                      BKBK Adobe Community Professional & MVP

                                                                      Abdul L Koyappayil wrote:

                                                                       

                                                                      When I searched the internet I found the below.

                                                                      The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

                                                                      To enable this setting in a JRun J2EE installation or multi-server installation, you must define the following Java system property coldfusion.sessioncookie.httponly and set it to true. You can define Java system properties when the JVM is loaded by adding the following line:

                                                                      -Dcoldfusion.sessioncookie.httponly=true

                                                                      I think there are different ways to do this, depending on whether it is a J2EE server, a JRun server or a multi-server installation. I am very confused after reading this.

                                                                      That applies to Coldfusion 9.x. You can safely ignore it, because you are on Coldfusion 10.

                                                                       

                                                                      Coldfusion underwent a big change between versions 9 and 10. The development team replaced the JRun server with Tomcat. That is why it is safe for you to ignore everything that relates to JRun. With one exception, however:

                                                                       

                                                                      If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config> in the /WEB-INF/web.xml file.

                                                                      This is equivalent to the suggestion in my last post.

                                                                      • 32. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                        BKBK Adobe Community Professional & MVP

                                                                        Abdul L Koyappayil wrote:

                                                                         

                                                                        Can you please guide me on how I can check which server my CF is installed on, like J2EE, JRun, multi-server, etc.?

                                                                        I see that just now. As I have said, Coldfusion 10 and 11 are built on Tomcat. To see the remaining details of your Coldfusion set-up, open the Coldfusion Administrator, and click on the link   in the top right-hand corner.

                                                                        • 33. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                          BKBK Adobe Community Professional & MVP

                                                                          This thread has information that will help someone else in future. If you are satisfied, please mark what you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark it as the answer.

                                                                          • 34. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                            Abdul L Koyappayil Level 1

                                                                            BKBK wrote:

                                                                             

                                                                            I was indeed mistaken. I have looked a bit more thoroughly at the Tomcat settings. Clearly, the configuration file we should be interested in is {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. Back-up the file before you proceed.

                                                                             

                                                                            Open the file in a text editor. Replace the setting

                                                                             

                                                                                <session-config>
                                                                                    <session-timeout>30</session-timeout>
                                                                                </session-config>

                                                                             

                                                                            with the setting

                                                                             

                                                                            <session-config>
                                                                                <session-timeout>30</session-timeout>
                                                                                <cookie-config>
                                                                                    <http-only>true</http-only>
                                                                                    <secure>true</secure>
                                                                                </cookie-config>
                                                                            </session-config>

                                                                             

                                                                            Save the result. Restart Coldfusion.

                                                                            If I am right, uncommenting the below section will not impact the application(s) in any way. What do you think?

                                                                            This is a good question. It is in fact what made me have another look.

                                                                             

                                                                            I expect no impact on the application. However, you would have backed up the file, which enables you to return to the previous scenario. You would also run the application a number of times after the change to test whether the settings are working as required. Let us know how you get on.

                                                                             

                                                                            I tried this and restarted the CF instance. And then I checked the JSESSIONID in the Chrome browser. I got the below info, which means it's not setting the SECURE flag for JSESSIONID. Had you tried this method before?

                                                                             

                                                                             

                                                                            Any thoughts.

                                                                             

                                                                            Note that I am using UNIX and I modified the below file

                                                                            /opt/coldfusion/cfusion/runtime/conf/web.xml

                                                                            • 35. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                              BKBK Adobe Community Professional & MVP

                                                                              I am on Windows, but that should not matter. I have just gone through the steps myself. The JsessionID cookie was stored as secure, as expected.

                                                                               

                                                                              Here are the steps I followed, starting with Coldfusion's original /runtime/conf/web.xml file:

                                                                               

                                                                              1) Open a CFM test page in Chrome.

                                                                               

                                                                              2) Open Chrome's settings and read the JsessionID cookie. Its relevant attributes are

                                                                               

                                                                              Send for: Any kind of connection

                                                                              Accessible to script: No (HttpOnly)

                                                                               

                                                                              3) Open Chrome's History settings and clear all browsing data 'since the beginning of time'. Close Chrome.

                                                                               

                                                                              4) Stop Coldfusion. Edit the web.xml file as follows and save it:

                                                                               

                                                                              <!--
                                                                              <session-config>
                                                                                  <session-timeout>30</session-timeout>
                                                                              </session-config>
                                                                              -->
                                                                              <session-config>
                                                                                  <session-timeout>30</session-timeout>
                                                                                  <cookie-config>
                                                                                      <http-only>true</http-only>
                                                                                      <secure>true</secure>
                                                                                  </cookie-config>
                                                                              </session-config>

                                                                               

                                                                              5) Restart Coldfusion.

                                                                               

                                                                              6) Open the same CFM test page in Chrome as you did in step 1).

                                                                               

                                                                              7) Open Chrome's settings and read the JsessionID cookie. You should now observe that there is a change from "Send for: Any kind of connection" to "Send for: Secure connections only". See attached image, showing the cookie details before and after.

                                                                               

                                                                              [attached image: jsessionID_cookie.png, showing the JsessionID cookie details before and after the change]
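A way to do the check in steps 2) and 7) from the command line instead of Chrome's cookie viewer. This is an added example, not code from this thread, from Adobe or from Tomcat: it parses the Set-Cookie headers a server returns and reports which of CFID, CFTOKEN and JSESSIONID lack HttpOnly or Secure. The sample headers are constructed; the URL passed on the command line is whatever test page you are checking.

```python
"""Audit the HttpOnly and Secure flags on ColdFusion session cookies.

Added example (not code from this thread, Adobe or Tomcat): instead of
reading the cookie out of Chrome's settings, it inspects the Set-Cookie
headers the server actually returns and reports which of CFID, CFTOKEN
and JSESSIONID are missing HttpOnly or Secure. The sample headers below
are constructed for the offline run.
"""
import sys
import urllib.request

# Cookies the thread is concerned with: ColdFusion's own CFID/CFTOKEN and
# the servlet container's JSESSIONID. Compared case-insensitively.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to True, valued ones (Path, Max-Age) to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit(set_cookie_headers, over_https=True):
    """Return {cookie_name: [missing flags]} for the session cookies seen.

    Secure is only expected when the page was served over HTTPS: a Secure
    cookie is never sent over plain HTTP, so demanding it there would just
    break the session (the HTTPS-to-HTTP question raised later in the thread).
    """
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        findings[name] = missing
    return findings


def fetch_set_cookie_headers(url):
    """Request the page without sending any cookies, so the server has to
    create a session and emit Set-Cookie headers; returns their values."""
    request = urllib.request.Request(url, headers={"User-Agent": "cookie-flag-audit"})
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.headers.get_all("Set-Cookie") or []


# Constructed sample: CFID/CFTOKEN already flagged via Application.cfc,
# JSESSIONID still lacking Secure, which is the state reported in post 34.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; Secure; HttpOnly",
    "CFTOKEN=84d1c9a2e0b5f6c7-ABCD1234; Path=/; Secure; HttpOnly",
    "JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly",
    "PREFS=blue; Path=/",  # not a session cookie, ignored by the audit
]


def report(findings):
    """Format findings as one line per cookie; returns the text."""
    lines = []
    for name, missing in sorted(findings.items()):
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        lines.append(f"{name}: {status}")
    if not lines:
        lines.append("no session cookie was set in this response")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        secure_expected = target.lower().startswith("https://")
        print(report(audit(fetch_set_cookie_headers(target), secure_expected)))
    else:
        print(report(audit(SAMPLE_HEADERS)))
```

Run it with no argument to see the constructed sample reported, or with the URL of the CFM test page from step 1); the server only sets JSESSIONID on the response that creates the session, which is why the request is sent without cookies.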



                                                                              • 36. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                                Abdul L Koyappayil Level 1

                                                                                I tried the same thing. But still it's not changing. I cleared all the browsing data and cookies and restarted the instance again.

                                                                                 

                                                                                The only difference between you and me is that I am working in a UNIX environment. So does this make any difference? I am not understanding.

                                                                                 

                                                                                Note: I am modifying the file /opt/coldfusion/cfusion/runtime/conf/web.xml. Can you just tell me the file (including path) you are modifying in Windows, just to know.

                                                                                [attached image: jsess_cookie.jpg]

                                                                                As Steve Sommers posted: "Question for you: Are you doing this exercise as the result of a PCI vulnerability scan? If so, the scanner is going to complain about predictable CFIDs. This will be the case even if you configure CF to use UUIDs for session tokens (trust me, even though you can prove CFID and CFTOKEN work together, the scanners don't care and you have to appeal every quarter -- a pain). Instead, I recommend you use the "Use J2EE session variables" option. Making the JSession token secure and httponly requires two modifications -- one in the JVM config string in the CF Administrator, the other in an xml config file within the Java directory. Google "coldfusion jsession secure httponly" -- it's worth it." Do I need to make any modifications in the JVM config string in the CF Administrator as well, apart from what we did in web.xml? I was just thinking.

                                                                                • 37. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                                  BKBK Adobe Community Professional & MVP

                                                                                  As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. That translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.

                                                                                   

                                                                                  Apparently, there might be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it might be that the file you have to modify is \WEB-INF\web.xml within the directory of the particular instance. These are servlet configuration settings which you can safely test (after backing up your files, of course).

                                                                                  • 38. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                                    Abdul L Koyappayil Level 1

                                                                                    Now it's working fine. I modified the file /opt/coldfusion/{instance_name}/runtime/conf/web.xml instead of /opt/coldfusion/cfusion/runtime/conf/web.xml, as I have more than 2 instances.

                                                                                     

                                                                                    Now I need to think about whether there is any issue when a hit is going from HTTPS to HTTP, because when I searched I found that there is a hit going to an HTTP site, http://xyz.com, from my application, which is HTTPS, https://pqr.com.

                                                                                     

                                                                                    BK, any thoughts on this? I mean, in which ways may it (setting the secure flag in an HTTPS application) have an impact, if a hit is going from HTTPS to HTTP?

                                                                                     

                                                                                    I know this might be a different topic, but still I think it is a related one. If you need me to open a new discussion regarding this, no problem, I can do that.

                                                                                    • 39. Re: How to Set up HTTPOnly and SECURE FLAG for session cookies
                                                                                      BKBK Adobe Community Professional & MVP

                                                                                      I am glad to hear it now works. You are right: we should explore the new issue in a thread of its own. Refreshing to close one chapter before opening another.