Secure and HTTPOnly Cookies


#1

Hi, Lucee seems to be setting client stat cookies that I need to make secure and HTTPOnly

CF_CLIENT_APPNAME_HC
CF_CLIENT_APPNAME_TC
CF_CLIENT_APPNAME_LV

How can I achieve this?

Thanks


#2

You should be able to configure this in your J2EE servlet container. In order to give you a more detailed answer we’ll need more details about your setup.

By way of example, in Tomcat, you can edit [lucee]/tomcat/conf/context.xml and change this:

<Context>

to this

<Context useHttpOnly="true">

#3

This doesn’t seem to be working on 5.2.20.

<Context useHttpOnly="true"> is set

These cookies are still not set to HTTPOnly and secure.


#4

Hi @mee_nothus,

Can you please add something like this in your application.cfc:

this.sessioncookie = { httponly=true, timeout=createTimeSpan(0, 0, 0, 10), secure=true, domain=".domain.com" };

I hope this may be of help to you.


#5

From what I can see, the session cookies (CFID, CFTOKEN) are httponly & secure, while the client cookies are not. this.sessioncookie would not change this.
A workaround solution might be to disable the client scope or store the client cookie on the server instead (in memory or db).


#6

The context config should change how cookies are delivered by Tomcat. In more recent versions, you may need to apply that config directly to the context config for each domain - I’m not certain.

If you’re proxying through a web server, you can configure your web server to also deliver the cookies securely. For example, in Apache you could add the following config (which requires mod_headers):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Hope this helps.


#7

You might want to consider also adding SameSite=strict if you are going down this path.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

Like many things, it’s not supported yet on Safari, but all the major browsers already support it.

Add SameSite-attribute to cfcookie
https://luceeserver.atlassian.net/browse/LDEV-1236

Please vote for the issue if you think it’s a good idea.
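To check what posts #6 and #7 actually achieve, here is an added example (not from the thread or from Lucee): it parses Set-Cookie headers, reports which of Secure, HttpOnly and SameSite each cookie lacks, and emulates the Apache `Header edit` rewrite so you can see the before/after. The cookie values are constructed; only the names come from the thread.

```python
import re

# Constructed sample Set-Cookie headers modelled on the cookie names in the
# thread; the values and paths are made up for this example.
SAMPLE_SET_COOKIES = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CF_CLIENT_APPNAME_HC=0; Path=/",
    "CF_CLIENT_APPNAME_TC=1; Path=/",
    "CF_CLIENT_APPNAME_LV=1; Path=/",
]

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def missing_protections(header_value):
    """List the protections a Set-Cookie value lacks: Secure, HttpOnly, SameSite."""
    _, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return missing

def apply_apache_edit(header_value):
    """Emulate `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict`.
    The directive appends unconditionally, so a cookie that already carries
    HttpOnly/Secure lists them twice; harmless, but visible in the response."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=Strict", header_value)

def audit(set_cookies):
    """Map each cookie name to the protections it is missing; empty means all pass."""
    report = {}
    for value in set_cookies:
        name, _ = parse_set_cookie(value)
        missing = missing_protections(value)
        if missing:
            report[name] = missing
    return report
```

Run `audit(SAMPLE_SET_COOKIES)` against headers captured from your own server (e.g. via curl -I) and again on the values after `apply_apache_edit` to confirm the web-server rewrite covers the client cookies too.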