Set Session Cookies as HTTPOnly in Coldfusion / Railo

Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Marking cookies HttpOnly stops JavaScript from reading them, so on a modern browser an XSS attack cannot hijack a session by stealing the session cookies. How you enable this depends on the version of ColdFusion you are running or, if you are running Railo, on the JSP servlet engine you are using.

Railo 3 on Resin

To enable HttpOnly sessions in Railo when using the Resin engine we must edit the resin.conf file. For me this was located in the '[path_to_railo]/railo[version number]/conf/' directory. Open this file, find the comment below, uncomment the 'cookie-http-only' element that follows it (Resin's standard name for this setting) and restart Railo.

<!-- For security, set the HttpOnly flag in cookies.-->
<!-- <cookie-http-only>true</cookie-http-only> -->

Railo on Tomcat

To enable HttpOnly sessions in Railo on Tomcat we have the choice of editing the context.xml file to make this setting global for all sites, or editing an individual context in the server.xml file.

In either instance open the relevant config file in the "/[path_to_railo]/railo/tomcat/conf/" directory and change the following. (Tomcat 7 and later default useHttpOnly to true, so this edit is only needed on older Tomcat versions or where it has been explicitly set to false.)

<!-- Change this -->
<Context>
<!-- To this -->
<Context useHttpOnly="true">

Coldfusion 9.0.1

The ColdFusion 9.0.1 update adds support for HttpOnly cookies using a Java system property called 'coldfusion.sessioncookie.httponly'. To turn this on, edit jvm.config and add the following to the java.args line, then restart ColdFusion.

-Dcoldfusion.sessioncookie.httponly=true

If you are running a standalone CF server you can add this in the ColdFusion Administrator instead (Server Settings > Java and JVM > JVM Arguments).

Coldfusion 9+

If you have not yet applied the latest patches (you did read what I said about patching, didn't you?), OR if you want to fix the problem in your code, you can force HttpOnly cookies by adding the following to your 'Application.cfc' file.

<cfset this.setclientcookies = false>
<cfset this.sessionmanagement = true>
<cffunction name="onSessionStart">
	<!--- Re-issue the session cookies ourselves with the HttpOnly flag --->
	<cfcookie name="CFID" value="#session.cfid#" httponly="true">
	<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
</cffunction>

Coldfusion 8 and Lower

If you are running CF 8 or older, where cfcookie has no httponly attribute, you can achieve the same effect by writing the Set-Cookie header yourself in your 'Application.cfc' file.

<cfset this.setclientcookies = false>
<cfset this.sessionmanagement = true>
<cffunction name="onSessionStart">
	<!--- Write the Set-Cookie headers by hand so the HttpOnly flag is included --->
	<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
	<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cffunction>

If you are using the 'Application.cfm' file then use the following code (it must run before any output is sent, otherwise the headers cannot be set).

<cfapplication setclientcookies="false" sessionmanagement="true" name="[appname]">
<!--- Only issue the cookies once, on the request where the browser does not have them yet --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
	<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
	<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>

So there you have it: setting your cookies as HttpOnly in ColdFusion/Railo. Please keep in mind this is only one step in making your server more secure.

EDIT: Securing The Cookie In Apache

Thanks to @vexeddeveloper for pointing out that the web server issues the cookie before CF/Railo can grab it and secure it. For information on securing the cookie in Apache you can follow their guide at I'm not too familiar with using the mod_security module myself, so I will do some investigating when I have time to figure out how this approach works.
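A practical way to confirm that any of the fixes above actually worked, and to catch the double-issue problem just described (the engine sends a plain CFID/CFTOKEN first and the application re-sends it with the flag), is to audit every Set-Cookie header in a response rather than only the last one. The following is an added example written for this post, not code from the original article or from ColdFusion/Railo; the sample headers are constructed, and the inclusion of JSESSIONID as a session cookie name is an assumption for J2EE-session deployments.

```python
"""Audit Set-Cookie headers for ColdFusion/Railo session cookies lacking HttpOnly.

Added example: paste in the Set-Cookie header values from an HTTP response
(for instance copied from 'curl -i') and it reports every session-cookie
occurrence that is sent without the HttpOnly flag.
"""

# CFID/CFTOKEN are the ColdFusion/Railo session cookies discussed in the post;
# JSESSIONID is the servlet-engine session cookie (assumed relevant when
# J2EE sessions are enabled).
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased so 'HTTPOnly' (as written in the cfheader
    examples), 'HttpOnly' and 'httponly' all match; flag attributes that carry
    no value map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return [(cookie name, header index)] for each session cookie set without HttpOnly.

    Every occurrence is checked, not just the last one: the engine may issue a
    plain cookie first and application code re-issue it with the flag, and a
    scanner will still report the plain one.
    """
    findings = []
    for index, header in enumerate(set_cookie_headers):
        name, _, attrs = parse_set_cookie(header)
        if name.upper() in session_names and "httponly" not in attrs:
            findings.append((name, index))
    return findings


# Constructed sample response headers (not captured from a real server): the
# engine issues CFID/CFTOKEN first, then the Application.cfc cfheader code
# re-issues them with HTTPOnly; a non-session cookie is ignored by the audit.
SAMPLE_HEADERS = [
    "CFID=12345;path=/",
    "CFTOKEN=67890123;path=/",
    "CFID=12345;path=/;HTTPOnly",
    "CFTOKEN=67890123;path=/;HTTPOnly",
    "lastvisit=2011-07-26;path=/",
]

if __name__ == "__main__":
    for cookie_name, position in audit_session_cookies(SAMPLE_HEADERS):
        print("Set-Cookie #%d sets %s without HttpOnly" % (position, cookie_name))
```

Run against the constructed sample it flags the first two headers, which is exactly the kind of result that fails a PCI scan even though the browser ends up storing the HttpOnly versions. A clean result is an empty list; if the fix at the engine level (Resin, Tomcat or the CF 9.0.1 system property) is in place, the plain first issue disappears and only flagged cookies remain.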

Reader Comments

Karsten Pearce
Tuesday, July 26, 2011 at 11:08:22 AM Coordinated Universal Time

We are using CF8 - still, and we had to add a SecRule for our apache server. It seems that ColdFusion issues an insecure cookie before it grabs it and makes it secure. We kept failing a PCI scan because of this. I have the rule posted on my blog -

Charlie Arehart
Wednesday, March 8, 2017 at 8:13:36 AM Coordinated Universal Time

As an update, the URL to Karsten's blog post has changed (it's mentioned in the comment above and was added by Steven as an "edit" at the bottom of his post). The correct URL is now:
