ColdFusion 9, session ID predictability [duplicate] - coldfusion

This question already has answers here:
How do I secure CFID for PCI compliance?
(2 answers)
Closed 8 years ago.
I inherited a website that uses ColdFusion 9.0.2. A scanner reports a predictable cookie session ID. The fix for this is supposedly to check off "Use UUID for cftoken". This is already checked but it is still reported as an issue. Has anyone run into this? Does anyone know how to resolve this in the CFADMIN or in CF code?

What your scanner was complaining about would most likely be CFID, not CFTOKEN.
See: How do I secure CFID for PCI compliance?

My suggestion is to set session management to use jsessionid.
http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7c48.html
As an added bonus, you can serialize session data when you use jsessionid. That may or may not matter to you, but your basic problem should be solved by switching to J2EE sessions in the ColdFusion Administrator.
You might also want to consider moving to ColdFusion 10 or Railo to take advantage of HTTPOnly cookies, which are not readable using JavaScript, using the secure flag on cookies, and using SessionRotate() after login to prevent session fixation.
http://www.adobe.com/devnet/coldfusion/articles/security-improvements.html
Pete Freitag's blog reminded me that CF 9.01 and later have a flag that can be set to use HTTPOnly session cookies using java args, or you can use setClientCookies = false. As @Henry pointed out, you will need to do one of those things to get rid of CFID and CFToken creation:
http://www.petefreitag.com/item/764.cfm

Related

How to secure ColdFusion cookies with HTTPOnly/Secure attribute?

I am trying to help a company who is experiencing an issue with their ColdFusion website. The issue is a PCI scan failure due to "insecure cookies with HTTPOnly/ Secure Flag attributes".
Previously I fixed this error for 3 other cookies: JSESSIONID, CFID, CFTOKEN by editing the web.xml file; however, this time the issue is apparently with a session cookie created inside of the Application.cfm.
To be specific:
<cfapplication name="testname" sessionmanagement="Yes"
loginStorage="session" CLIENTMANAGEMENT="YES"
SESSIONTIMEOUT=#CreateTimeSpan(0,0,30,0)#>
So far I have tried following the CFApplication.html from Adobe (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html) to fix this, but have not had any luck. Any assistance or guidance is appreciated in fixing this matter. Thank you in advance!
Do you have access to the ColdFusion administrator for these sites? In the Server Settings-->Memory Variable section are universal settings for the session cookies: HTTPOnly and Secure Only. Make sure those are turned on.
In addition, do the sites use the CFCOOKIE tag? Make sure those tags are setting the 'secure' and 'httponly' attributes to TRUE.
Last, are the sites declaring COOKIE scoped vars in any CFPARAM tags/calls? If so, those will set cookies and are not secure and there is no setting I've found to make them so.
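An Application.cfc that puts both answers above into practice: the first answer's advice to drop CFID/CFTOKEN creation, flag the session cookie HTTPOnly/Secure and call SessionRotate() after login, and this answer's advice that every cookie the application sets itself carries the same flags. This is an added example, not code from either post or from Adobe; it assumes ColdFusion 10 or later (for the this.sessionCookie settings and SessionRotate()), and the authenticate() function and login.cfm page are hypothetical placeholders for the application's own login check.

```cfml
<!--- Application.cfc: added example (not from the posts above). Assumes ColdFusion 10+. --->
<cfcomponent output="false">
    <cfset this.name = "testname">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.loginStorage = "session">
    <!--- Client variables are what create CFID/CFTOKEN client cookies; leave them off unless used --->
    <cfset this.clientManagement = false>

    <!--- CF10+ per-application session cookie flags. The Administrator's
          Server Settings > Memory Variables page sets the server-wide equivalent. --->
    <cfset this.sessionCookie.httpOnly = true>       <!--- not readable via document.cookie --->
    <cfset this.sessionCookie.secure = true>         <!--- only sent over HTTPS --->
    <cfset this.sessionCookie.disableUpdate = true>  <!--- application code cannot overwrite it --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Hypothetical login flow: a POST of username/password to login.cfm --->
        <cfif findNoCase("login.cfm", arguments.targetPage)
              and structKeyExists(form, "username") and structKeyExists(form, "password")>
            <cfif authenticate(form.username, form.password)>  <!--- app-specific, hypothetical --->
                <!--- Issue a new session ID on privilege change so an ID a visitor
                      carried in before login (session fixation) is no longer valid --->
                <cfset sessionRotate()>
                <cfset session.user = form.username>
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Every cookie the application sets itself gets the same two flags.
          Use this instead of <cfparam name="cookie.x" default="..."> or <cfset cookie.x = ...>,
          both of which emit a cookie with neither flag. --->
    <cffunction name="setAppCookie" returntype="void" output="false">
        <cfargument name="name" type="string" required="true">
        <cfargument name="value" type="string" required="true">
        <cfcookie name="#arguments.name#" value="#arguments.value#" httpOnly="true" secure="true">
    </cffunction>
</cfcomponent>
```

On ColdFusion 9 the this.sessionCookie lines are not available; there the equivalent is the JVM argument the first answer mentions or setClientCookies = false with cookies set through setAppCookie().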

Setting JupyterHub SameSite Cookie Attribute

I have JupyterHub (TLJH) running on my AWS. It is served on my site using an iframe. Since the latest Chrome update, the "SameSite" cookie attribute is causing the following issue. The below image shows what I see in the iframe.
Given below is the warning I get in my console:
A cookie associated with a cross-site resource at http://www._____.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When I disable the SameSite attribute in chrome://flags/, the iframe loads perfectly.
I understand that I need to edit my cookie settings to add {SameSite=None; Secure} somewhere in jupyterhub, but I don't know where.
It looks to me as if you may be able to use the cookie_options setting to add SameSite=None; Secure to the cookies, but I am not 100% sure.
I've raised https://github.com/jupyterhub/jupyterhub/issues/3117 to ask the team to validate.
I could make it work only by making my server map to a subdomain. For example, say the main website which has the Iframe embed is www.mydomain.com, I had to map my Jupyter server to "subdomain.mydomain.com" to make it work.
It is obvious that the above approach was possible because the page I was trying to embed was owned by me. Hoping for an answer for the other scenario!
You can use the JupyterHub proxy to give your server a domain name like "http:***.mydomain.com". But this must be a subdomain of your site ("http://www._____.com/").

How to set cookies in nextjs

In my Next.js project, I want to set cookies when the user logs in. With document.cookies(something) it is setting cookies, but it is limiting me to setting only one cookie. If I give more than one cookie it is taking only the first element. In both cases I am not able to get cookie values in the pages. It is giving a "document is not defined" error. I tried using
https://github.com/js-cookie/js-cookie,
and with this I am able to set and get cookies, but I am not able to secure my cookies. It will be great if you can solve this or suggest me some methods.
Thanks in advance.
I'd suggest using https://www.npmjs.com/package/nookies as it's kinda tricky to do manually.
You can't use the secure flag when your app is running on localhost unless you are running the application on https. To test if the secure flag is working, deploy the application on production or testing environment.

Thinktecture IdentityModel token rejected

My Durandal SPA app performs BASIC authentication to acquire a session token which it then presents in headers to access Web API controller methods. This works fine.
On successful authentication I cache the access_token in localStorage so I can re-acquire it from local storage to preserve the session in the event of browser closure or refresh. The token is re-acquired but it is rejected by the server with an Unauthorized message.
This question starts by saying that the OP has successfully done what I am trying to do, so it's certainly possible, but the code he shows is a sample of (unsuccessfully) trying to do cookie mapping and I can't divine the nature of my problem from it.
One of the answers to this question says
Fortunately, WIF has a way to mitigate [replay attacks]. By configuring:
<identityConfiguration>
.......
<tokenReplayDetection enabled="true" />
.....
</identityConfiguration>
I do in fact have WIF installed on my development workstation, but I wouldn't know where to start looking for this setting. A search of my HDD found "tokenReplayDetection" in 17 System.IdentityModel related DLLs, but not in any config files.
Does anyone think this is in fact the problem and if so where does it live? Any other thoughts also gratefully received.

ColdFusion 10 not writing to cfcookie on same browser but different computers

I am migrating websites from a server using CF 8 to a new one using CF 10. In this one site, I have a query that looks up talent and then writes the resulting list to a cfcookie. On my computer with any browser it works correctly. My client uses the same browser as I normally use (Safari) and his browser is not updating the cfcookie with the new talent list after a search. They are very unhappy, making me unhappy also. Any ideas as to what might be causing this problem?
In the application.cfm (yes, I know I should be updating to cfc but not enough hours in the day):
<CFAPPLICATION NAME="lil"
CLIENTMANAGEMENT="yes"
SESSIONMANAGEMENT="yes"
SESSIONTIMEOUT=" #createTimeSpan(0,0,30,0)#"
APPLICATIONTIMEOUT=" #createTimeSpan(0,1,0,0)#"
clientstorage="cookie">
Setting the cfcookie:
<cfif isdefined('getTalent.recordcount') and getTalent.recordcount gt 0>
<cfcookie name="tSearch" value="#valueList(getTalent.talentID)#" httponly="true" expires="1">
</cfif>
How large is the amount of data you are storing in the cookie, and could the client be storing more than you are? Are they possibly using a cookie-blocking security app of some kind?
In a bigger-picture kind of mindset, if the user is doing a search and getting results, rather than storing the results in a cookie, why not use either a session-scoped variable, or simply use the CF identity cookies already in place to store their results in a temporary database location? Cookie issues can be harder to track down, but unless you're not managing sessions in your Application.cfc or cfapplication tag, each user is already getting a unique ID which you can leverage server-side for this type of thing.
One last thought... are you doing any sort of CFLOCATION redirect, after attempting to store the cookie? Redirecting can cause CFCOOKIE commands to not be honored, because in essence the user's browser is redirected before it receives the response.
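The session-scoped alternative the answer above suggests, with a size check that explains why the cookie version can appear to "stop updating". This is an added example, not code from the question or the answer; it assumes the same getTalent query and treats 4000 bytes as the per-cookie budget (browsers discard a single cookie much beyond 4 KB, so the old tSearch value is what comes back).

```cfml
<!--- Added example (not from the original post): keep the search result server-side.
      Assumes the getTalent query from the question and a 4000-byte per-cookie budget. --->
<cfif isDefined("getTalent.recordCount") and getTalent.recordCount gt 0>
    <cfset talentIDs = valueList(getTalent.talentID)>

    <!--- A cookie whose name+value exceeds roughly 4 KB is dropped by the browser, and the
          next request carries the OLD tSearch value: exactly the "not updating" symptom.
          Log the condition rather than silently trusting the cookie. --->
    <cfif len("tSearch=" & talentIDs) gt 4000>
        <cflog file="talentsearch" type="warning"
               text="tSearch too large for a cookie (#len(talentIDs)# bytes); stored in session">
    </cfif>

    <!--- Session scope is keyed by the CFID/CFTOKEN (or JSESSIONID) cookie ColdFusion
          already sends, so the browser holds one small opaque ID instead of the ID list. --->
    <cfset session.tSearch = {
        ids = listToArray(talentIDs),
        savedAt = now()
    }>
</cfif>

<!--- Reading the result back on the results page --->
<cfif structKeyExists(session, "tSearch")>
    <cfset searchIDs = session.tSearch.ids>
<cfelse>
    <cfset searchIDs = []>
</cfif>
```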