Hi, Lucee seems to be setting client stat cookies that I need to make secure and HTTPOnly
CF_CLIENT_APPNAME_HC
CF_CLIENT_APPNAME_TC
CF_CLIENT_APPNAME_LV
How can I achieve this?
Thanks
You should be able to configure this in your J2EE servlet container. In order to give you a more detailed answer we’ll need more details about your setup.
By way of example, in Tomcat, you can edit [lucee]/tomcat/conf/context.xml and change this:
<Context>
to this
<Context useHttpOnly="true">
This doesn’t seem to be working on the 5.2.20
<Context useHttpOnly="true">
is set
these cookies are still not set to HTTPOnly and secure
Hi @mee_nothus,
Can you please add like this in your application.cfc.
this.sessioncookie={httponly=false, timeout=createTimeSpan(0, 0, 0, 10), secure=true,domain=".domain.com"};
I hope this may be of help to you.
From what I can see the session cookies (CFID, CFTOKEN) are httponly & secure when the client cookie is not. this.sessioncookie would not change this.
A workaround solution might be to disable the client scope or store the client cookie on the server instead (in memory or db).
The context config should change how cookies are delivered by Tomcat. In more recent versions, you may need to apply that config directly to the context config for each domain - I’m not certain.
If you’re proxying through a web server, you can configure your web server to also deliver the cookies securely. For example, in Apache you could add the following config (which requires mod_headers):
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Hope this helps.
You might want to consider also adding SameSite=strict if you are going down this path.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Like many things, it’s not supported yet on Safari, but all the major browsers already support it.
Add SameSite-attribute to cfcookie
https://luceeserver.atlassian.net/browse/LDEV-1236
please vote for the issue if you think it’s a good idea.
Twitter just posted this, they got all major browsers to support samesite, even IE11!
It looks to me like the Client cookies should abide by the same secure and httpOnly settings of sessionCookie, as @cfmitrah suggested.
Does anyone know how ACF handles that?
FYI: [LDEV-2247] - Lucee
FYI: In Lucee 5.2.9.37 and 5.3.3.11 the Client Cookies settings are governed by this.sessionCookie, so
this.sessionCookie.secure = true;
this.sessionCookie.httpOnly = true;
would now control the CF_CLIENT_APPNAME_XX cookies as well.
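An added check, not code from this thread or from Lucee, that audits Set-Cookie values for the flags discussed above (Secure, HttpOnly, optionally SameSite) on the CFID/CFTOKEN and CF_CLIENT_* cookies, and replays the Apache `Header edit` rewrite from the earlier reply to show what it does to each header. The sample headers and the app name MYAPP are constructed.

```python
"""Audit Lucee cookie headers for Secure / HttpOnly / SameSite."""
import re

# Constructed sample Set-Cookie values (not captured from a real server):
# the session cookies already carry the flags, the client cookies do not.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CFTOKEN=67890; Path=/; HttpOnly; Secure",
    "CF_CLIENT_MYAPP_HC=3; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT",
    "CF_CLIENT_MYAPP_TC=1700000000000; Path=/",
    "CF_CLIENT_MYAPP_LV=1700000000000; Path=/",
]

# Cookie names Lucee manages: session cookies plus the client-scope cookies.
LUCEE_COOKIE = re.compile(r"^(CFID|CFTOKEN|CF_CLIENT_.+)$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag-only attrs get ""
    return name, attrs


def audit(headers, require_samesite=False):
    """Return {cookie_name: [missing attributes]} for Lucee-managed cookies."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not LUCEE_COOKIE.match(name):
            continue  # ignore application cookies not set by Lucee itself
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if require_samesite and "samesite" not in attrs:
            missing.append("samesite")
        if missing:
            findings[name] = missing
    return findings


def apache_header_edit(header):
    """Replay `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` on one value.

    Note the rule appends unconditionally, so a cookie that already has the
    flags ends up with them twice; browsers tolerate the duplicate.
    """
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", header)
```

Running `audit(SAMPLE_HEADERS)` lists the three CF_CLIENT_* cookies as missing both flags; auditing the headers after `apache_header_edit` reports nothing unless `require_samesite=True`.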
This doesn’t seem to be working, did I miss something?
component {
this.sessionmanagement = "yes";
this.sessiontimeout = createTimeSpan(0,1,0,0);
this.sessionCookie.secure = true;
this.sessionCookie.httpOnly = true;
onRequestStart = function(){
echo("<h1>Cookie test</h1>");
dump(var=server.lucee.version, label="lucee version");
dump(var=cookie, label="cookie scope");
dump(var=cgi.http_cookie, label="cgi.http_cookie");
abort;
}
}
outputs the following