Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly.

We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.

Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.

Any suggestions?


Related Question: Setting Secure flag for HTTPS cookies.

Peter Boughton asked Jun 26 '09 10:06



1 Answer

From: http://www.petefreitag.com/item/764.cfm

Running CF 8 or Lower and using Application.cfc

<cfcomponent>
  <cfset this.sessionmanagement = true>
  <!--- Stop ColdFusion from emitting its own (non-HttpOnly) CFID/CFTOKEN cookies --->
  <cfset this.setclientcookies = false>
  <cffunction name="onSessionStart">
      <!--- Emit the session cookies ourselves so the HttpOnly flag is present from the start --->
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cffunction>
</cfcomponent>

Make sure you have setclientcookies = false specified.

If Using Application.cfm

If you are still using an Application.cfm file, you can use the following:

<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
   <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
   <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
Salazar Mubarak answered Oct 23 '22 03:10

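A quick way to confirm the fix took effect is to audit every Set-Cookie header the site returns rather than just the first one, since leaving setclientcookies at its default produces a second, flagless CFID/CFTOKEN pair next to the HttpOnly one. The following is an added example (not from the question or answer above) that parses response headers and reports session cookies missing HttpOnly, optionally also the Secure flag from the related question; the header list is constructed sample data.

```python
# Constructed sample response headers, shaped like what a CF/JRun server might
# emit. The second CFID line (without HttpOnly) mimics the duplicate cookie
# ColdFusion sets itself when setclientcookies is not set to false.
SAMPLE_HEADERS = [
    ("Set-Cookie", "CFID=1234;path=/;HTTPOnly"),
    ("Set-Cookie", "CFTOKEN=98765432;path=/;HTTPOnly"),
    ("Set-Cookie", "CFID=1234;path=/"),
    ("Set-Cookie", "JSESSIONID=abc123;Path=/"),
]

# Session cookie names from the question; compared case-insensitively.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value}).

    Attribute names are lowercased because flags such as HTTPOnly/HttpOnly
    are case-insensitive; valueless flags map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers, require_secure=False):
    """Return [(cookie_name, problem)] for every weak session Set-Cookie.

    Every occurrence is inspected, so a flagless duplicate CFID is reported
    even when an earlier CFID header carried HttpOnly.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if name.lower() not in SESSION_COOKIES:
            continue
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if require_secure and "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_HEADERS, require_secure=True):
        print(f"{name}: {problem}")
```

Feed it the header pairs from a real response (for example from a debugging proxy or an HTTP client library) in place of SAMPLE_HEADERS; an empty result means every session cookie carried the required flags.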