Help with CFID and CFTOKEN

I have “inherited” an older Railo app - that still makes use of
Application.cfm. It now needs to pass internal security scans - and the
scans are gigging the app because CFID and CFTOKEN are not HttpOnly and are
not Secure. Are there instructions somewhere on how to make this happen?

Have you tried these? http://bloginblack.de/2013/11/an-update-on-httponly-marked-cookies-in-railo-4-1/

Regards

Mark Drew

develop • deploy • deliver
http://charliemikedelta.com

Hi Sid,

You can always set the cookies yourself, instead of having Railo do it.
In Application.cfm:

<cfapplication name="myApp" setClientCookies="false" sessionManagement="true" … />

<cfif not structKeyExists(cookie, "CFID")>

By the way, setting “secure=true” on cookies means that they are only available when the connection is secure (https/ssl).
You should also check if the current connection is secure (port 443 / cgi.https=on / etc.).

Kind regards,

Paul Klinkenberg


Mark! Thanks for that starting point - that info seems to be able to get me the ability to set CFID/CFToken as HttpOnly. However, I also need to be able to mark them as “Secure” - any pointers on that part?
Sid Wing
“We are dreamers, shapers, singers, and makers. We study the mysteries of laser and circuit, crystal and scanner, holographic demons and invocations of equations. These are the tools we employ, and we know many things.” - Elric


You should be able to just add secure="true" after httponly="true".


Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
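Putting Paul's approach (setClientCookies="false", then set CFID/CFTOKEN yourself and check whether the request is actually over TLS) together with Pete's note (secure="true" next to httponly="true"), here is a complete Application.cfm as an added example; it is not code from the thread or from the Railo project, and the application name, the 30-minute session timeout and the X-Forwarded-Proto header check for a TLS-terminating reverse proxy are assumptions for the example:

```cfml
<!--- Application.cfm (added example, not from the thread).
      Railo is told not to write CFID/CFTOKEN itself; the page writes them,
      so the HttpOnly and Secure flags are under the application's control.
      Railo still reads CFID/CFTOKEN from the incoming Cookie header to find
      the session; setClientCookies only stops it from setting them. --->
<cfapplication
    name="myApp"
    sessionManagement="true"
    setClientCookies="false"
    sessionTimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- A Secure cookie is never sent back over plain http. Marking CFID/CFTOKEN
      Secure on an http request would mean the browser never returns them and
      every request would start a new session, so decide per request.
      cgi.https is "on" when the container terminated TLS itself; the
      X-Forwarded-Proto header (assumed name) covers a proxy that did. --->
<cfset reqHeaders = getHttpRequestData().headers>
<cfset isTls = (cgi.https eq "on")
    or (cgi.server_port eq 443)
    or (structKeyExists(reqHeaders, "X-Forwarded-Proto")
        and reqHeaders["X-Forwarded-Proto"] eq "https")>

<!--- (Re)issue both cookies whenever they are missing or no longer match the
      session Railo resolved for this request. Without an expires attribute
      cfcookie writes a browser-session cookie, which is what the server's own
      CFID/CFTOKEN cookies were. --->
<cfif not structKeyExists(cookie, "CFID")
      or not structKeyExists(cookie, "CFTOKEN")
      or cookie.CFID neq session.CFID
      or cookie.CFTOKEN neq session.CFTOKEN>
    <cfcookie name="CFID"    value="#session.CFID#"    path="/"
              httponly="true" secure="#isTls#">
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" path="/"
              httponly="true" secure="#isTls#">
</cfif>
```

The httponly attribute on cfcookie is what the Railo 4.1 post Mark linked is about, so this needs Railo 4.1 or later. If the same application is reachable over both http and https, a Secure cookie issued on https is invisible to the http side, so those requests get a fresh session; the clean fix is to serve the app over https only and redirect http there, at which point isTls can simply be hard-coded to true. To confirm the scanner will be satisfied, look at the Set-Cookie headers of an https response (curl -sI or the browser's network tab) and check that both CFID and CFTOKEN carry HttpOnly and Secure.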