Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.3.0.013
    • Fix Version/s: None
    • Affects:
      Compatibility/Configuration

      Description

      CF9 supports a new attribute for cfcookie called 'httponly'. A cookie set with this attribute cannot be read from JavaScript, which provides protection against session hijacking. It would also be desirable to support this cookie parameter when setting CFID/CFTOKEN and JSESSIONID cookies set via setClientCookies (this.setHttpOnlyCookies=true/false or perhaps this.defaultCookieParams = ['HTTPOnly','Path=/foo/']), as in feature request https://issues.jboss.org/browse/RAILO-34.

      This Pete Freitag blog post provides some background on HTTPOnly in CF9 and workarounds for older versions: http://www.petefreitag.com/item/764.cfm
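
A worked example, added here and not taken from the issue or from Railo's own code: an Application.cfc that sets an application cookie with the CF9 httponly attribute and, for an engine that issues CFID/CFTOKEN without the flag, re-sends those two cookies through cfheader with HttpOnly appended. The component name, the 'prefs' cookie, the path, and placing the re-issue in onSessionStart are assumptions; so is the reliance on the browser replacing a stored cookie when a later Set-Cookie arrives for the same name and path (RFC 6265 storage behaviour).

```cfml
<!--- Added example, not part of the issue or of Railo. Names, path and the
      onSessionStart placement are assumptions made for illustration. --->
<cfcomponent output="false">
    <cfset this.name = "httponly-demo">
    <cfset this.sessionManagement = true>
    <cfset this.setClientCookies = true>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Application-level cookie: the CF9 cfcookie httponly attribute.
              document.cookie in the browser will not expose it. --->
        <cfcookie name="prefs" value="theme=dark" path="/" httponly="true">

        <!--- Session identifiers: the engine has already queued its own
              Set-Cookie headers for CFID/CFTOKEN without HttpOnly. Sending a
              second Set-Cookie for the same name and path makes the browser
              store this copy instead, now flagged HttpOnly. The path must
              match the engine's own cookie path for the replacement to apply. --->
        <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HttpOnly">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.cftoken#;path=/;HttpOnly">
    </cffunction>
</cfcomponent>
```

To verify the result, inspect the response headers with the browser's network tools or curl -i and confirm that every Set-Cookie line for CFID, CFTOKEN and JSESSIONID carries HttpOnly; JSESSIONID is issued by the servlet container rather than the CFML engine, so it has to be configured there (or re-issued the same way) and is not covered by the snippet above.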


    People

    • Assignee: Igal . (igal-getrailo.org)
    • Reporter: Sir SpliFF (SpliFF)
    • Votes: 5
    • Watchers: 8
