Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Marking session cookies as HttpOnly stops client-side JavaScript from reading them, which prevents them from being hijacked via an XSS attack in modern browsers. How you implement this depends on the version of ColdFusion you are running or, if you are running Railo, on the JSP servlet engine you are using.

Railo 3 on Resin

To enable HttpOnly session cookies in Railo when using the Resin engine, we must edit the resin.conf file. For me this was located in the '[path_to_railo]/railo[version number]/conf/' directory. Open this file, uncomment the following line and restart Railo.

<!-- For security, set the HttpOnly flag in cookies.-->
<cookie-http-only/>

Railo on Tomcat

To enable HttpOnly session cookies in Railo on Tomcat, we have the choice of editing the context XML file to make this setting global for all sites, or editing an individual context in the server XML file.

In either case, open the relevant config file in the "/[path_to_railo]/railo/tomcat/conf/" directory and change the following.

<!-- Change this: -->
<!-- <Context> -->
<!-- To this: -->
<Context useHttpOnly="true">

ColdFusion 9.0.1

The ColdFusion 9.0.1 update adds support for HttpOnly cookies using a Java system property called 'coldfusion.sessioncookie.httponly'. To turn this on, edit the jvm.config file and add the following.

 -Dcoldfusion.sessioncookie.httponly=true

If you are running a standalone CF server you can add this in the ColdFusion Administrator.

ColdFusion 9+

If you have not yet applied the latest patches (you did read what I said about patching, didn't you?), OR if you want to fix the problem in your code, you can force HttpOnly cookies by adding the following to your 'Application.cfc' file.

<cfcomponent>
    <!--- Stop ColdFusion from issuing its own CFID/CFTOKEN cookies --->
    <cfset this.setclientcookies = false>
    <cfset this.sessionmanagement = true>
    <cffunction name="onSessionStart">
        <!--- Issue the session cookies ourselves with the HttpOnly flag --->
        <cfcookie name="CFID" value="#session.cfid#" httponly="true">
        <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
    </cffunction>
</cfcomponent>

ColdFusion 8 and Lower

If you are running CF 8 or older, you can achieve the same effect by adding the following to your 'Application.cfc' file.

<cfcomponent>
    <!--- Stop ColdFusion from issuing its own CFID/CFTOKEN cookies --->
    <cfset this.setclientcookies = false>
    <cfset this.sessionmanagement = true>
    <cffunction name="onSessionStart">
        <!--- Write the Set-Cookie headers by hand so HTTPOnly can be appended --->
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cffunction>
</cfcomponent>

If you are using the 'Application.cfm' file then use the following code.

<cfapplication setclientcookies="false" sessionmanagement="true" name="[appname]">
<!--- Only send the cookies when the browser does not already have them --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

So there you have it: setting your cookies as HttpOnly in ColdFusion/Railo. Please keep in mind this is only one step in making your server more secure.

EDIT: Securing The Cookie In Apache

Thanks to @vexeddeveloper for pointing out that the web server issues the cookie before CF/Railo can grab it and secure it. For information on securing the cookie in Apache you can follow their guide at http://www.vexeddeveloper.com/post.cfm/httponly-and-secure-cookies. I'm not too familiar with using the mod_security module myself so I will do some investigating when I have time to figure out how this approach works.
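
To check that the settings above took effect, including the case from the edit where an unprotected cookie goes out alongside the HttpOnly one, the following added example (not part of the original post) audits the Set-Cookie headers of one response. The sample headers are constructed, and treating JSESSIONID as a session cookie name is an assumption.

```python
# Added example: audit Set-Cookie headers for session cookies missing HttpOnly.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}  # assumed session cookie names

# Constructed sample: one response carrying both the engine's default cookies
# and the manually issued HttpOnly cookies, plus an unrelated cookie.
SAMPLE_MIXED = [
    "CFID=1200; expires=Thu, 18-Jul-2041 10:00:00 GMT; path=/",
    "CFTOKEN=55501234; expires=Thu, 18-Jul-2041 10:00:00 GMT; path=/",
    "CFID=1200;path=/;HTTPOnly",
    "CFTOKEN=55501234;path=/;HTTPOnly",
    "THEME=dark; path=/",
]
SAMPLE_FIXED = SAMPLE_MIXED[2:4]  # only the HttpOnly session cookies

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(set_cookie_headers):
    """Return findings for session cookies sent without HttpOnly.

    Each header is checked on its own, because one response can carry the
    same cookie twice: once unprotected and once with HttpOnly.
    """
    findings, seen = [], {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        key = name.lower()
        if key not in SESSION_COOKIES:
            continue  # non-session cookies are out of scope for this check
        seen[key] = seen.get(key, 0) + 1
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly ({header!r})")
    for key, count in seen.items():
        if count > 1:
            findings.append(f"{key.upper()}: set {count} times in one response")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MIXED):
        print(finding)
```

For a live check against a site you administer, pass in `urllib.request.urlopen(url).headers.get_all("Set-Cookie") or []`.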


Reader Comments

Karsten Pearce
Tuesday, July 26, 2011 at 11:08:22 AM EDT

We are using CF8 - still, and we had to add a SecRule for our apache server. It seems that ColdFusion issues an insecure cookie before it grabs it and makes it secure. We kept failing a PCI scan because of this. I have the rule posted on my blog - http://www.vexeddeveloper.com/post.cfm/httponly-and-secure-cookies

Charlie Arehart
Wednesday, March 8, 2017 at 8:13:36 AM EST

As an update, the URL to Karsten's blog post has changed (it's mentioned in the comment above and was added by Steven as an "edit" at the bottom of his post). The correct URL is now: http://www.cascadingfalls.com/2011/06/httponly-and-secure-cookies/
