Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

If you have a site on which you want to enforce the use of SSL, one way of doing this is to mark cookies as secure. The Secure flag tells the user's browser to only send the cookie back over SSL (HTTPS) connections. This means that the browser will never send a cookie marked Secure over a plain HTTP connection.

This Is A Server-Wide Setting

Warning: This setting affects every site on that CF instance on your server. This means that all sites must be using SSL, as any site that is not will be unable to maintain state using cookies. I was caught by this recently when we set up a new site, which did not require or possess an SSL cert, onto a server that had originally been configured for SSL only.

One solution to this problem is to create a dedicated CF instance for SSL-only websites and another for websites on which SSL is not enforced.

Locate The jrun-web.xml Config File

To set cookies as secure in ColdFusion you need to edit the jrun-web.xml file. If you are using a multi-instance setup then you will have one file per instance. Assuming the default install locations, the file can be found here:

ColdFusion Standard

C:\ColdFusion9\wwwroot\WEB-INF\jrun-web.xml

ColdFusion Enterprise

C:\JRun4\servers\{servername}\cfusion.ear\cfusion.war\WEB-INF\jrun-web.xml

Setting The Secure Flag

To set the Secure flag on session cookies, locate the session-config section of the file and add or modify the cookie-config section with the cookie-secure rule so that your config looks something like this:

<jrun-web-app>
      <session-config>
            <cookie-config>
                  <active>true</active>
                  <cookie-secure>true</cookie-secure>
            </cookie-config>
      </session-config>
</jrun-web-app>

Now restart ColdFusion to load the new configuration, then verify it using something like the Web Developer plugin for Firefox to inspect the cookies the server sends. Each session cookie (CFID and CFTOKEN) should now carry the Secure attribute.
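If you would rather verify the result from a script than from a browser plugin, the following added example (not part of the original post) parses raw Set-Cookie header values and reports any session cookie that was set without the Secure attribute. The sample headers are constructed to show what a server looks like before and after the cookie-secure change; the CFID and CFTOKEN names are the ColdFusion session cookies referred to above.

```python
"""Report session cookies that were set without the Secure attribute.

Added example, not code from the original post. The BEFORE/AFTER header
lists are constructed samples standing in for what a browser dev tool or
an HTTP client would show in the server's Set-Cookie headers.
"""
import urllib.request
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased so comparison is case-insensitive, as
    browsers treat them. Flag-style attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def insecure_session_cookies(
    headers: List[str], session_names: Tuple[str, ...] = ("CFID", "CFTOKEN")
) -> List[str]:
    """Return the names of session cookies that lack the Secure attribute.

    A cookie without Secure is one the browser will still send over HTTP,
    which is exactly what the cookie-secure setting is meant to prevent.
    """
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() in session_names and not cookie["attrs"].get("secure"):
            missing.append(cookie["name"])
    return missing


def check_url(url: str) -> List[str]:
    """Fetch a URL and check the Set-Cookie headers it actually returns.

    Network use is optional; the constructed samples below run offline.
    """
    with urllib.request.urlopen(url) as response:  # nosec: defender-side check of your own site
        set_cookies = response.headers.get_all("Set-Cookie") or []
    return insecure_session_cookies(set_cookies)


# Constructed samples: headers as a server might send them before and after
# cookie-secure is switched on in jrun-web.xml.
BEFORE = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890; Path=/; HttpOnly",
]
AFTER = [
    "CFID=12345; Path=/; Secure; HttpOnly",
    "CFTOKEN=67890; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("before change, cookies missing Secure:", insecure_session_cookies(BEFORE))
    print("after change, cookies missing Secure:", insecure_session_cookies(AFTER))
```

The check is deliberately per-cookie rather than per-site: on a multi-instance server it is the instance's jrun-web.xml that decides the flag, so a site served by an instance that was not reconfigured will show up in the "missing Secure" list even when its neighbours are fine.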

Reader Comments

Eric Davis
Monday, April 11, 2016 at 3:10:08 PM EDT

Hi Steven,
Thanks for the article. Very helpful. I did make the change to my jrun-web.xml file for a specific instance. I restarted the instance but I don't see the Secure flag being added to the CFID and CFTOKEN cookies. Any insight is appreciated.
Cheers,
Eric

Steven Neiland
Saturday, April 23, 2016 at 10:54:58 AM EDT

@Eric,
Can you provide more information? What version of CF are you running (7, 8, 9, etc.) and Standard or Enterprise?

Also the contents of the jrun-web.xml file.
