There is an interesting change in the CF 9.0.1 updater that will make CF sites more secure: the CFID and CFToken cookies will now be marked as httpOnly. This means your browser will not allow JavaScript to access the CFID and CFToken cookies, so a script injected through an XSS flaw can no longer read the session identifiers. I think this will greatly help to reduce XSS hacks on CF sites.
If you are using jSessionID instead of CFID/CFToken, you need to take an additional step. jSessionID is a session cookie, and session cookies aren’t httpOnly by default. But if you add a “-Dcoldfusion.sessioncookie.httponly=true” argument to your jvm.config file, all your session cookies will be httpOnly, including jSessionID.
It would be nice if there was an option on the CFCOOKIE tag to mark a cookie as httpOnly or not. Lacking that, you could always send the cookies yourself using cfheader or Java.
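As an added check (my example, not code from the post), here is a small Python audit that reads raw response headers and reports any of the CF session cookies (CFID, CFTOKEN, JSESSIONID) set without the HttpOnly flag. The header lines below are constructed for illustration; feed it the output of `curl -sI` against your own server to check a real deployment.

```python
# Audit Set-Cookie headers for ColdFusion session cookies that lack HttpOnly.
# The cookie-name set and the sample headers are constructed for this example.
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def find_unprotected_session_cookies(header_lines):
    """Return names of CF session cookies that were set without HttpOnly."""
    missing = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, _, attrs = parse_set_cookie(value)
        if name.upper() in SESSION_COOKIES and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: CFID/CFTOKEN as a 9.0.1 server emits them, plus a
# JSESSIONID from a server that does not have the jvm.config argument set.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: CFID=12345; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=67890; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=abcdef; Path=/",
    "Set-Cookie: prefs=dark; Path=/",  # not a session cookie, ignored
]

if __name__ == "__main__":
    for cookie in find_unprotected_session_cookies(SAMPLE_HEADERS):
        print("session cookie set without HttpOnly:", cookie)
```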
John Sieber says:
I could be wrong, but I thought that I remembered reading that the httpOnly attribute was added to the CFCOOKIE tag in CF9. Thanks for the tip about adding httpOnly support for jSessionIDs as well!
16 July 2010, 12:00 pm
Ryan says:
You are right John, you can specify httpOnly per-cookie using the CFCOOKIE tag now!
16 July 2010, 12:27 pm
Knut says:
You wrote: …“-Dcoldfusion.sessioncookie.httponly=true”…
Does this also work in CF-8.0.1 ???
5 September 2010, 8:07 am
Ryan says:
No, this is for CF 9 only.
5 September 2010, 1:12 pm
Peter Lorimer says:
Could this issue cause CFGRID to stop populating from a query after the 9.0.1 update?
17 February 2013, 6:45 am
Ryan says:
Peter – no, I don’t see how this would cause any issues with CFGRID.
17 February 2013, 12:32 pm