How to Set up HTTPOnly and SECURE FLAG for session cookies

Hi All,
To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up the "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
     this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
     this.sessioncookie.secure = true;
Here my question is: how can we do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the below code, in the case of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<!--- ColdFusion no longer sets CFID/CFTOKEN itself, so send them by hand with the HTTPOnly attribute --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
  <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
  <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code, then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser, and we will need to manually add CFID and CFTOKEN to the URL for every page that uses Session. Right??? And this will be a headache. Right??? Or is there any other way to do this?
Your timely help is well appreciated.
Thanks in advance.

BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldn't understand this. I mean, how are you relating this to my question?
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. ColdFusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
     If this is the case, then why am I getting the below info for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right???) Note that we are using the web server Apache vFabric, and the application that we are using is on HTTPS; no hit is going from HTTPS to HTTP.
Name: JSESSIONID
Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain: xyz.abc.pqr.com
Path:
Send for: Any kind of connection
Accessible to script: No (HttpOnly)
Created: Wednesday, September 3, 2014 2:25:10 AM
Expires: When the browsing session ends
BKBK wrote:
2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
     I understood that setting those flags (httponly/secure) is as per my wish. But my question was: is it necessary to set those flags for the CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for the CF session cookies?
BKBK wrote:
3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
     I understood that it is sufficient to set httponly only. But how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea??
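The thread above turns on two questions: which of CFID, CFTOKEN and JSESSIONID actually reach the browser with the HttpOnly and Secure attributes, and whether a given cookie (such as the JSESSIONID shown with "Send for: Any kind of connection", that is, without Secure) still needs hardening. The following script is an added example, not code from the thread or from ColdFusion/Tomcat: it parses raw Set-Cookie header values, reports which of the three session cookies lack which attribute, and shows the generic form of the manual "append the attribute" fix that the <cfheader> approach in the question performs by hand. The header values, cookie values and cookie names in SAMPLE_HEADERS are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example (not from the original thread). Run it against the raw
response headers of the application (for example copied from a proxy or
from the browser's network tab) to confirm that the session cookies
CFID, CFTOKEN and JSESSIONID carry both attributes after the fix.
"""
from typing import Dict, List, Tuple

# Session cookies discussed in the thread; comparison is case-insensitive.
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}
# Attributes the pentest finding asks for (lower-cased; RFC 6265 attribute
# names are case-insensitive, so "HTTPOnly" and "HttpOnly" are the same).
REQUIRED_ATTRS = {"httponly", "secure"}


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'NAME=value; attr; attr=value' into (NAME, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_flags(header_value: str) -> List[str]:
    """Required attributes a session cookie lacks; [] if it is fine or not a session cookie."""
    name, attrs = parse_set_cookie(header_value)
    if name.upper() not in SESSION_COOKIES:
        return []  # not one of the session cookies; nothing to enforce here
    return sorted(REQUIRED_ATTRS - set(attrs))


def harden(header_value: str) -> str:
    """Append HttpOnly and Secure to a Set-Cookie value when they are absent.

    This is the generic form of what the manual <cfheader name="Set-Cookie"
    ...> lines in the question do by hand for CFID/CFTOKEN.
    """
    _, attrs = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    return out


def audit(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each session cookie found in the headers to the attributes it is missing."""
    report: Dict[str, List[str]] = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _ = parse_set_cookie(value)
        if name.upper() in SESSION_COOKIES:
            report[name] = missing_flags(value)
    return report


# Constructed sample response headers; cookie values are placeholders, not real tokens.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "CFID=12345;path=/;HTTPOnly"),                       # HttpOnly but no Secure
    ("Set-Cookie", "CFTOKEN=abcdef;path=/"),                            # neither attribute
    ("Set-Cookie", "JSESSIONID=PLACEHOLDERSESSION.xyz; Path=/; HttpOnly"),  # like the thread's dump
    ("Set-Cookie", "theme=dark; Path=/"),                               # not a session cookie
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
    print("hardened:", harden("CFTOKEN=abcdef;path=/"))
```

Running it on the constructed headers reports CFID and JSESSIONID as missing only Secure and CFTOKEN as missing both, which matches what the browser's cookie dump in the thread expresses as "Send for: Any kind of connection". The harden() helper only adds attributes that are absent, so it is safe to apply to cookies Tomcat has already marked Secure.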
