CFID and CFTOKEN

Is there a way to configure Lucee to ensure that CFID/CFTOKEN cookies are
generated as “HTTPOnly” and “Secure”? I’ve inherited multiple “legacy” CF
apps that we are converting to Lucee - and our security/IA folks are
hammering me all the time about these two insecure cookies…

I think they already should be, see:

https://github.com/getrailo/railo/pull/314

also maybe take a look at this:

An update on HTTPOnly marked cookies in Railo 4.1
Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org


Love Lucee? Become a supporter and be part of the Lucee project today! -
http://lucee.org/supporters/become-a-supporter.html

You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/dfd936e2-2255-4b96-aa46-dd66d5d3838f%40googlegroups.com
https://groups.google.com/d/msgid/lucee/dfd936e2-2255-4b96-aa46-dd66d5d3838f%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Unfortunately - the switch to J2EE sessions is just not possible the way
this app is coded. I guess I’ll give the “code your own” cookies a whirl -
as that seems to be the only option that looks like it might work.

On Tue, Apr 5, 2016 at 2:01 PM, Julian Halliwell <@Julian_Halliwell> wrote:

Have you considered using J2EE sessions? The jsessionid cookie is
automatically set with the secure flag if the connection is over
https.

If that’s not an option, then you could simply specify
setClientCookies=false and instead write the session id/token values
to your own cfid/cftoken cookies using , giving you full
control. That’s what we used to do before switching to J2EE sessions
(which we’ve found much simpler to deal with).

On 5 April 2016 at 15:47, Sid Wing <@Sid_Wing> wrote:

They are marked HTTPOnly - but not “Secure”



Sid Wing
“We are dreamers, shapers, singers, and makers. We study the mysteries of
laser and circuit, crystal and scanner, holographic demons and invocations
of equations. These are the tools we employ, and we know many things.” -
Elric
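One way to implement Julian's "code your own cookies" suggestion, as an added example that is not code from the thread or from the Lucee project: an Application.cfc that stops Lucee sending its own CFID/CFTOKEN cookies and re-issues them with HttpOnly and Secure set. The application name is a placeholder, and the example assumes the app is served over HTTPS only.

```cfml
<!--- Application.cfc: added example, not from the thread.
      setClientCookies=false stops Lucee writing CFID/CFTOKEN itself;
      onRequestStart writes them with HttpOnly and Secure instead.
      Assumption: HTTPS-only deployment. A Secure cookie is never sent
      back over plain HTTP, so every HTTP request would start a new
      session. --->
<cfcomponent>
    <cfset this.name = "legacyApp">            <!--- placeholder name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <cfset this.setClientCookies = false>      <!--- no automatic CFID/CFTOKEN --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Re-issue the cookies only when the browser is not already
              holding the current session's identifiers, so Set-Cookie
              is not added to every response. --->
        <cfif not structKeyExists(cookie, "CFID")
              or cookie.CFID neq session.cfid
              or not structKeyExists(cookie, "CFTOKEN")
              or cookie.CFTOKEN neq session.cftoken>
            <cfcookie name="CFID" value="#session.cfid#"
                      httponly="true" secure="true" path="/">
            <cfcookie name="CFTOKEN" value="#session.cftoken#"
                      httponly="true" secure="true" path="/">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

To confirm it works, look at the Set-Cookie headers on the first response of a new session: both cookies should carry the HttpOnly and Secure attributes, and the browser should send the same values back on the next request.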

I’ve raised an incompatibility bug report for this:

https://luceeserver.atlassian.net/browse/LDEV-809

Go vote… :slight_smile:

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org

Basically - Adobe CF has attributes for its cfapplication tag
(sessioncookie and authcookie) that allow you to configure the parameters
for those:

Example:

<!--- sessioncookie configures CFID/CFTOKEN, authcookie the cflogin cookie; "myApp" is a placeholder name --->
<cfset cookiest = {httponly=true, timeout=createTimeSpan(0, 0, 0, 10), secure=true, domain=".domain.com"}>
<cfset cookieast = {timeout=createTimeSpan(0, 0, 0, 10)}>
<cfapplication name="myApp" sessionmanagement="true" sessioncookie="#cookiest#" authcookie="#cookieast#">

I am looking for something similar in Lucee

On Tuesday, April 5, 2016 at 9:47:56 AM UTC-5, Sid Wing wrote:

They are marked HTTPOnly - but not “Secure”

On Tuesday, April 5, 2016 at 9:30:43 AM UTC-5, Andrew Dixon wrote:

I think they already should be, see:

https://github.com/getrailo/railo/pull/314

also maybe take a look at this:

An update on HTTPOnly marked cookies in Railo 4.1


So I used a “work around” (manually creating those cookies in the app) for
CFID and CFToken - but there are 4 other CF_CLIENT_ cookies that also get
set (when using clientmanagement) - and NONE of them are HTTPOnly or
Secure…

So - does anyone have a similar workaround for those 4? I know that the
CF_CLIENT_%APPNAME% contains a URL encoded string of all the client
variable name/value pairs (from the look of its contents).