Based on our research, we would expect the sessioncookie setting above to make both CFID and CFTOKEN cookies both Secure. When I inspect them with Chrome Dev Tools - they are httponly = yes, but the Secure flag is NOT set…
What you have should work, it is what I have and it works for me. I assume you are accessing it over HTTPS? Obviously you can’t set a secure cookie over HTTP, e.g. if you testing in a dev environment where you are not using HTTPS or something.
Thanks. Great point. Thanks so much for your response.
I do see the secure flag sometimes for my personal session. However, we are failing the PCI scan consistently. And when I use an incognito window (with https), the secure flag is missing.
I know that Application.cfm is not recommended (we need to migrate to .CFC
I guess I wanted to verify that this config works with application.cfm? And figure out what else we are missing.
Which is the same as what you have and I’ve just tested this and it is working fine. Maybe your web server is editing the cookie and removing them for some reason. What are you using for a web server?
I added this line below to httpd.conf, then restarted httpd service:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Now I am seeing the Secure flag for both CFID and CFTOKEN. I also ran an online testing tool which showed both HTTPONLY and SECURE (before - was only showing HTTPONLY, but missing secure flag).
As I’ve said before, verify and make sure the flags are not being set twice anywhere. We had that and I remember it breaking cookiie handling in Firefox.
I’m with Andreas, in suspecting there’s other code that could be overriding your app-level setting there. (The apache tweak, while it’s FORCING secure for any cookie, should not be needed and may even prove to be trouble for other reasons down the road.)
If you can easily modify the code, I’d be curious if you put a cfabort right after the cfapplication and tested again. Does it still not show the secure cookie being sent/set in your browser dev tools? (Remove the apache tweak and restart it first, of course.)
Or if you can’t mod the code, create a new folder with a blank application.cfm, copying into it that cfapplication (and any code setting vars in it). Then put a blank index.cfm and call it. What do you see? If you’ve removed the apache tweak and DO see the secure cookie headers being sent/set, then yes it was some other code in the “real” request/app that was overriding what this code was doing.
And it can be any of a number of things manipulating the cfid/cftoken, whether a cfcookie or a simple setting of cookie.cfid, etc. Those presume to apply defaults, so the default for them may be (and I’m pretty sure would be) secure=false, for ANY cookie set that way.
Let us know if this helps. Sorry for the lengthy reply, but sometimes these challenges do require more than a brief one. Indeed, I could share more but let’s see if you’ve resolved things.
Thx. I saw your note and have been thinking about this potential conflict. Do you mean: I should not be setting the flag in both Apache conf AND application.cfm?
I took your note to mean that I need to ensure the secure setting is not in https.conf twice - which it is not. Where else would I need to worry about?
Either way, I tested this config in chrome, edge and Firefox- all Pass.
Also, the third party check is now passing (failing before).
Great feedback guys. I greatly appreciate it. AND - I really need to get this right before moving to production and mucking up our SLAs.
YES - Full control over everything… I like your suggestion.
I put in the CFABORT directly under the cfapplication statement (after backing out my httpd.conf change and restarting)… It went back to a failure state (where the Secure flags are new missing when tested in an incognito window)…
Check over all the apache configuration files to make sure there isn’t anything similar to the line you added, remember it might not be in httpd.conf, it might be in a include, that is editing the cookie, so maybe do a grep for Header edit and see if there is already something else there editing the cookie. Either that or in the Tomcat configuration, but I don’t know what that would be.
Another way to find out if it’s something ELSE in Apache messing with things (as Andrew notes) would be to test your requests against CFML code running via the built-in (Tomcat) web server rather than via Apache. Have you tried that yet, again even with just some simple test code as we’ve been discussing?
Depending on how you installed Lucee, you may have a Lucee webapps/ROOT folder where you can drop in such test code, and then browser it via 8888. But there are so many different ways that people can install and configure Lucee, so if you have access to the Lucee Admin, on its overview page, the bottom section on “web contexts” will tell you both values.
If code tested that way still failed to show the use of secure cookies (for CFID/CFTOKEN), then we know the issue is either in Lucee or in Tomcat (as Andrew also proposed might be possible). Each step gets us closer to knowing the cause–and therefore a potential solution.
Something I failed to mention in our config, that I realize may be extremely relevant, is that all SSL processing is off-loaded to the AWS load balancer - which is upstream (obviously) from the prod web server cluster. So, as far as tomcat / Apache / Luce are concerned - everything runs on port 80 / http. Is this part of the puzzle?
I don’t think that matters as that is the configuration I’m using and it hasn’t affected it and I don’t think AWS ELB has any options to change the cookie headers but always worth double checking.
Unfortunately, it did not work. Still missing Secure Flag for CFID and CFTOKEN… Which seems to point to something in my Apache config as the problem (and so far, the only place I’ve round a solution).
I’m not sure how to do that because (as discussed) the entire environment is non-ssl / http. I did put in the cfabort in application.cfm - but since I can’t load :8888 securely, I think this is a false positive. Right?
Also - Dumb question at this point perhaps - but are you guys using Session Type = Application? (we are).
