On IE 11/Edge, session cookies are not secure and don't work

Hi @all

I have a big session problem with IE (11&Edge) and Lucee 4.5.3.018, where I need your help urgently.

Following situation: if I set this in Application.cfc:

component {

    THIS.setClientCookies = false;

    function onSessionStart() {
        // the session cookies are set here (tag syntax in my real code)
    }

}

Do not look at the cfscript syntax; my example should only show you where I set it. I always use tag syntax.

Now, I would believe that the cookies are set until the session times out. Right? Not right?

But on the next .cfm page the cookies are missing and the session data is gone.

With Firefox it works perfectly.

That is a major bug in IE, isn’t it?

As a workaround I set THIS.setClientCookies=true and then the session stays alive. BUT it is not set to httponly, path and secure. NO SECURITY - so no way for our customers! They will check it.

So you see my problem. Any ideas? How do I get secure cfid & cftoken in IE 11/Edge?

Sers
Clemens

Hmmm… typically you’d want to set cfid/cftoken in the onRequestStart()
method, not onSessionStart()… so I’d start by moving to onRequestStart()
and seeing if that solves the problem for you.

Second to that, script syntax for cookies is pretty straightforward:

getPageContext().getResponse().addHeader("Set-Cookie",
"cfid=#session.cfid#;path=/;domain=.#CGI.HTTP_HOST#;HTTPOnly;Secure");

Third, and this is more my preference from years of getting burned by
cfid/cftoken/cflogin, etc. logic… you should roll your own session
management so you have greater control over sessions and provide a less
common attack vector for hackers. I have an example of this using fw/1 on
GitHub (GitHub - ddspringle/framework-one-secure-auth: An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions). If you’re
not using fw/1 then you can still glean the basics of the process by
looking at the security.cfc controller under /admin
(framework-one-secure-auth/security.cfc at master · ddspringle/framework-one-secure-auth · GitHub)
which could be placed inside onRequestStart() in Application.cfc instead of
using fw/1 to run it for you.

Anyway, try moving your logic to onRequestStart() and test again. I’m,
frankly, a bit surprised that Lucee is forgiving enough to allow TAG syntax
inside of script… but then I gave up using tags in all but views so long
ago it never occurred to me to even try it :wink:

Hope that helps!

– Denny
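An added example, not code from either post or from Lucee itself, of what the Set-Cookie approach from the reply above looks like when placed in onRequestStart(): the CFID/CFTOKEN cookies are re-sent on every request with Path, HttpOnly and (on HTTPS requests only) Secure, and the Domain attribute is left out instead of being built from CGI.HTTP_HOST. The application name, the helper name buildCookieHeader and the use of CGI.SERVER_PORT_SECURE for the HTTPS check are my assumptions.

```cfml
component {
    this.name = "secureSessionDemo";           // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    // Keep Lucee from writing its own CFID/CFTOKEN cookies; they are sent below instead.
    this.setClientCookies = false;

    // Build one Set-Cookie header value. Domain is deliberately omitted: the browser
    // then scopes the cookie to the exact host, and nothing taken from the request
    // (such as CGI.HTTP_HOST) ends up inside the header.
    private string function buildCookieHeader(required string name, required string value, required boolean isHttps) {
        var attrs = [ "#arguments.name#=#arguments.value#", "Path=/", "HttpOnly" ];
        if (arguments.isHttps) {
            arrayAppend(attrs, "Secure");   // only meaningful on TLS; browsers drop it over plain HTTP
        }
        return arrayToList(attrs, "; ");
    }

    public boolean function onRequestStart(required string targetPage) {
        var response = getPageContext().getResponse();
        // Assumption: CGI.SERVER_PORT_SECURE is 1/true when the request arrived over TLS.
        var isHttps = (cgi.server_port_secure eq 1);

        // addHeader appends rather than replaces, so one Set-Cookie header goes out per cookie.
        response.addHeader("Set-Cookie", buildCookieHeader("CFID", session.cfid, isHttps));
        response.addHeader("Set-Cookie", buildCookieHeader("CFTOKEN", session.cftoken, isHttps));
        return true;
    }
}
```

Because the header is written on every request, a browser that dropped the cookies set in onSessionStart() still receives them on the next page, which is the check to run in IE 11/Edge.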