I am trying to set my cookie CFIDE and CFTOKEN to be HTTPOnly in Coldfusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do a empty cache hard reload in Chrome. When the page reloads I should see the Resources Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works but my Application.cfc is all script style and I want to keep it that way...So how do I do this script style in Coldfusion 9?
Update for my fix:
I used the getPageContex() below, but it didn't work as it was. Also onSessionStart() event handler changed to create the session.CFID and session.CFTOKEN with the CreateUUID() which is also new in my Application.cfc file. So for posterity here is what that block of code looks like.
function onSessionStart(){
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another Note: For some reason if the session is cleared and the onsessionstart() handler is requested this set cookie stuff above will fail. There has to be a try catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched up release of Coldfusion 10 (or soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the
httponly attribute to all session cookies created by ColdFusion (such
as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To
enable this setting, if you are running a JRun J2EE installation or
multi-server installation, you must edit jvm.config, otherwise you can
enable this setting from the CF Administrator. If you are running a
J2EE server other than JRun consult your documentation for an
appropriate setting. J2EE servers that support the Servlet 3.0
specification can specify
true
in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your application.cfc inside of the onsessionstart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscripts. cfcookie is not supported in script form in cf9. There are flags in the application settings added to CF10 to address this issue, however, CF11 will have full support for it inside of scripts. Unfortunately, I think you will have to forego the uniform code for functionality. Unless you have access to your CFIDE/Administrator. You can add a java argument to turn it on server wide. Add this to your JVM config
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm
Related
I am trying to help a company who is experiencing an issue with their ColdFusion website. The issue is a PCI scan failure due to "insecure cookies with HTTPOnly/ Secure Flag attributes".
Previously I fixed this error for 3 other cookies: JSESSIONID, CFID, CFTOKEN by editing the web.xml file; however, this time the issue is apparently with a session cookie created inside of the Application.cfm.
To be specific:
<cfapplication name="testname" sessionmanagement="Yes"
loginStorage="session" CLIENTMANAGEMENT="YES"
SESSIONTIMEOUT=#CreateTimeSpan(0,0,30,0)#>
So far I have tried following the CFApplication.html from Adobe (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html) to fix this, but have not had any luck. Any assistance or guidance is appreciated in fixing this matter. Thank you in advance!
Do you have access to the ColdFusion administrator for these sites? In the Server Settings-->Memory Variable section are universal settings for the session cookies: HTTPOnly and Secure Only. Make sure those are turned on.
In addition, do the sites use the CFCOOKIE tag. Make sure those tags are setting the 'secure' and 'httponly' attributes to TRUE.
Last, are the sites declaring COOKIE scoped vars in any CFPARAM tags/calls? If so, those will set cookies and are not secure and there is no setting I've found to make them so.
I have jupyterhub(TLJH) running on my AWS. It is served on my site using an iframe. Since the latest chrome update, the "SameSite" cookie attribute is causing the following issue. The below image shows what I see in the Iframe
Given below is the warning I get in my console:
A cookie associated with a cross-site resource at http://www._____.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When I disable the SameSite attribute in chrome://flags/, the iframe loads perfect.
I understand that I need to edit my cookie settings to add {SameSite=None; Secure} somewhere in jupyterhub, but I don't know where.
It looks to me as if you may be able to use the cookie_options setting to add SameSite=None; Secure to the cookies, but I am not 100% sure.
I've raised https://github.com/jupyterhub/jupyterhub/issues/3117 to ask the team to validate.
I could make it work only by making my server map to a subdomain. For example, say the main website which has the Iframe embed is www.mydomain.com, I had to map my Jupyter server to "subdomain.mydomain.com" to make it work.
It is obvious that the above approach was possible because the page I was trying to embed was owned by me. Hoping for an answer for the other scenario!
You can use jupyterhub proxy give your server a domain name like "http:***.mydomain.com" .But this must be subdomain of your site("http://www._____.com/")
I'm building a test in Jmeter and have hit a seemingly trivial problem, but I cannot find a way to overcome it.
I need to start a new session each time the test runs (I'm building in the GUI). I thought that setting the HTTP cookie manager in the Thread Group with the 'Clear cookies on each iteration' setting checked would clear the cookies on each new run of the test.
It doesn't seem to work however - when running a test for the second time the user session initiated in the previous run is still there.
In fact I am now getting a 494 server error (Cookie too large) because the cookies are accruing in size with each run of the test.
Any ideas on how to clear the cookies with each new run of the test?
As per your comment, issue was related to environment and not JMeter.
Most probably Cookies we stacking up due to some infinite redirection or similar environment problem.
If you face any issue with Cookie Manager, refer to reference documentation.
I doubt this is a JMeter problem, most likely you're receiving an incorrect cookie via Set-Cookie header from the system under test.
You can troubleshoot this issue by enabling extra logging for JMeter's HTTP Cookie manager, this can be done by adding the next line to log4j2.xml file (lives in "bin" folder of your JMeter installation)
<Logger name="org.apache.jmeter.protocol.http.control.CookieManager" level="debug" />
JMeter restart will be required to pick up the changes
Also be aware that you can manually remove all stored cookies in an arbitrary place of your script
Add JSR223 PreProcessor as a child of the HTTP Request sampler
Put the following code into "Script" area:
sampler.getCookieManager().clear()
I updated a test server from ColdFusion 10 to ColdFusion 11 30 days Enterprise trail edition with update 7.
However, every time I hit refresh in my browsers, I get a new cfid.
As a result, a valid session is not found so the login page doesn't work.
I checked the session in coldfusion admin page and my cookie in my browsers, they are both created correctly.
This is what I have in my application.cfm
<CFAPPLICATION NAME="TESTWEB"
CLIENTMANAGEMENT="Yes"
SETCLIENTCOOKIES="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
SETDOMAINCOOKIES = "No">
However, when I open the page from the host computer, then the cfid doesn't get change everytime I hit refresh, so everything works.
Any idea what can cause my problem?
EDIT:
During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed those code. The only other place would be in logout.
I am not using jsessionids, only coldFusion session id.
Timeout for all session variables is 7 days.
I have switched to using JEE session by enabling it in the ColdFusion admin. My session is now working.
I know this is an old question, but I'll leave this here to help others in case they've tried everything mentioned above and are still having issues.
Check your Cookie Samesite value.
If you've upgrading old apps to newer CF servers, to prevent Coldfusion from changing CFID and CFTOKEN on refresh or when you make an AJAX call referencing sessions or cookie variables - along with all the recommended settings stated by others above, check to following:
To set Cookie Samesite value at server level for CF 2016, 2018:
In the Coldfusion Admin Settings, Server Settings > Memory Variables > Session Cookie Settings, Set the "Cookie Samesite default value" to "-" or "LAX" (LAX is default value when NULL)
To set Cookie Samesite value at site level: For ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15
You may use the cfcookie tag.
For those on CF11 or older CF versions, you may set your response headers in IIS or Apache. I am assuming people with this issue (cfid and cftoken changing on refresh) is because they made a change to the samesite attribute and broke something. In that case, review how you've implemented SameSite Cookies and what you set that value to.
SameSite Cookies with IIS
SameSite cookies with Apache
We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin.
I don't really know why the CFID being predictable is a threat, but they want us to fix it.
I have been unable to find anything on the matter by googeling, and I'm really not sure what else to do.
Has anyone else dealt with something like this? Any suggestions?
EDIT:Here is what my Application.cfc file looks like:
<cfcomponent output="false">
<cfset this.name="DatabaseOnline">
<cfset this.sessionManagement=true>
<cfset this.setDomainCookies=true>
<cfset this.setClientCookies=true>
<cfset this.sessionTimeOut=#CreateTimeSpan(0,20,0,0)#>
</cfcomponent>
And my CF admin looks like this: http://i.imgur.com/k9OZH.png
So how do I disable CFID?
Using J2EE session variables should address that problem.
To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.
You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html
Explain to the scanning agent that the CFID is sequential, but is not valid without a corresponding CFTOKEN cookie which is randomized. Since the session cannot be hijacked with the ID alone, it mitigates the reason for the scan failure. Their automated test assumes that the CFID cookie controls the session on its own, which is not the case. Every scanning vendor that I've worked with has accepted this as a mitigating factor and either disabled or overridden that specific test for me on CF-based sites.
Alternately, if none of the sites on the CF server use session variables, you can disable session management entirely and CF won't issue the cookies at all. If they are needed, the above explanation of how CF sessions are managed should get you through.