When a user authenticates through siteminder and reaches an application that runs on Coldfusion the CFID and CFTOKEN variables are not set , however when the application is accessed directly without siteminder authentication these variables are set and the site works fine..
Any ideas why this happens / if anyone has faced this issue?
Thanks a lot!
How are they set without SiteMinder?
You may have to tell SiteMInder to send something to ColdFusion in order to have those set
Related
I am trying to help a company who is experiencing an issue with their ColdFusion website. The issue is a PCI scan failure due to "insecure cookies with HTTPOnly/ Secure Flag attributes".
Previously I fixed this error for 3 other cookies: JSESSIONID, CFID, CFTOKEN by editing the web.xml file; however, this time the issue is apparently with a session cookie created inside of the Application.cfm.
To be specific:
<cfapplication name="testname" sessionmanagement="Yes"
loginStorage="session" CLIENTMANAGEMENT="YES"
SESSIONTIMEOUT=#CreateTimeSpan(0,0,30,0)#>
So far I have tried following the CFApplication.html from Adobe (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html) to fix this, but have not had any luck. Any assistance or guidance is appreciated in fixing this matter. Thank you in advance!
Do you have access to the ColdFusion administrator for these sites? In the Server Settings-->Memory Variable section are universal settings for the session cookies: HTTPOnly and Secure Only. Make sure those are turned on.
In addition, do the sites use the CFCOOKIE tag. Make sure those tags are setting the 'secure' and 'httponly' attributes to TRUE.
Last, are the sites declaring COOKIE scoped vars in any CFPARAM tags/calls? If so, those will set cookies and are not secure and there is no setting I've found to make them so.
In my next.js project,I want to set cookies when user logs in. with document.cookies(something) it is setting cookies, but it is limiting to set only one cookie. If I give more than one cookie it is taking only the first element. In both cases I am not able to get cookie values in the pages.It is giving document is not defined error.I tried using
https://github.com/js-cookie/js-cookie,
with this I am able to set and get cookies,I am not able to secure my cookies. It will be great if you can solve this or suggest me some methods.
Thanks in advance.
I'd suggest using https://www.npmjs.com/package/nookies as it's kinda tricky to do manually.
You can't use the secure flag when your app is running on localhost unless you are running the application on https. To test if the secure flag is working, deploy the application on production or testing environment.
I recently moved a DNN site a level down in my IIS. Now single sign on doesn't work because the FedAuth cookie isn't being sent in the request. If I set the CookieHandler.Path property to "/" it DOES work, but I have multiple sites in the IIS so this causes some conflict.
I have made the change in relyingparties from mysite.com to mysite.com/newspot/
I have also made the httpalias change in the dnn portalalias table to point to mysite.com/newspot
Is there some other variable that I need to change for this to work? By default, the cookie's path is /newspot/ as it should be. It's just not making it into the requests.
As it turned out. The issue was the casing. mysite.com/PLACE/ is not the same as mysite.com/place/ when it comes to cookies. So it was setting the cookie's path to mysite.com/newspot/ and then trying to find the cookie at mysite.com/NEWSPOT/ when this was fixed, everything started working as expected.
I try do develop a web application with ExtJs 4.0.
On startup the application sends a request to a server. This server sends a response. The responses' header contains Set-Cookie:"connect.sid=foobar"
When I look into the preferences of my browser, I can see that the cookie was created correctly.
My problem is that somehow I cannot access this cookie in my ExtJs application and I don't know why.
I tried to retrieve it with the following methods:
document.cookie.split(";")[0]
Ext.state.Manager.get("connect.sid"); => of course I initialized the state manager with a cookie provider
Ext.util.Cookies.get("connect.sid");
No matter which method I use, I get always undefined as return value
I hope somebody can help me, because I really don't understand why it does not work.
Thanks in advance.
Finally I found the problem.
The httpOnly flag was set in the response header. Therefore the cookie was not accessible for java script.
I'm trying to implement Facebook Connect on a website with .NET MVC using C#.
I've followed the instructions here: http://wiki.developers.facebook.com/index.php/Trying_Out_Facebook_Connect step by step. I can make the login work as in that when I log in through the site I'm also logged into Facebook.
In order to work with this in the server I think I need to access the cookies Facebook is supposed to leave like:
APIKEY_user
APIKEY_session_key
...
as mentioned here http://wiki.developers.facebook.com/index.php/Verifying_The_Signature.
The thing is I'm not getting any of these cookies. I've googled and it seems like I'm the only person with this problem. Any ideas as to what I could be doing wrong ? Has this happened to anyone else ?
The issue was that I was developing locally using localhost.
I resolved the problem by changing the settings for the application to point to a certain web address instead of localhost and changing my hosts file lo point that same web address to 127.0.0.1
from the UI/client-side perspective, always insure you have the correct path indicated for the xd_receiver file in your FB.init() method.
Firecookie is very useful for seeing what Cookies are/aren't being set.