We need to ensure that all cookies on a CF7 site are set as HttpOnly.
我们需要确保CF7站点上的所有cookie都设置为HttpOnly。
We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.
我们使用jsessionid来控制我们的会话,而JRun并没有将它创建为HttpOnly。
Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.
虽然可以修改现有的cookie来添加此设置,但我们需要从一开始就将其设置为HttpOnly。
Any suggestions?
Related Question: Setting Secure flag for HTTPS cookies.
相关问题:为HTTPS cookie设置安全标志。
3 个解决方案
#1
From: http://www.petefreitag.com/item/764.cfm
Running CF 8 or Lower and using Application.cfc
运行CF 8或更低版本并使用Application.cfc
<cfcomponent>
<cfset this.sessionmanagement = true>
<cfset this.setclientcookies = false>
<cffunction name="onSessionStart">
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cffunction>
<cfcomponent>
Make sure you have setclientcookies = false specified.
确保指定了setclientcookies = false。
If Using Application.cfm
如果使用Application.cfm
If you are still using an Application.cfm file, you can use the following:
如果您仍在使用Application.cfm文件,则可以使用以下命令:
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
#2
First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:
首先,热烈欢迎所有PCI DSS难民!还邀请了Appscan,Webinspect,Hailstorm和NTOSpider逃犯。坐在这里,我有蛋糕给你:
While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like
虽然Peter太迟了,但事实上可以让JRun从一开始就生成HTTPOnly(和安全)cookie。查找jrun-web.xml文件。它可能会在一个目录中
C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.
You have to add the following to the cookie-config section:
您必须将以下内容添加到cookie-config部分:
<cookie-config>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If your site is HTTPS, you should also enable the secure cookie option. But be careful, its server wide, not application specific. So it may not be suitable for your shared environment:
如果您的站点是HTTPS,则还应启用安全cookie选项。但要小心,它的服务器范围广,不是特定于应用程序。所以它可能不适合您的共享环境:
<cookie-config>
<cookie-secure>true</cookie-secure>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01 Dcoldfusion.sessioncookie.httponly
如果您没有卡在MX7或CF8中,CF9.01中有一个官方设置Dcoldfusion.sessioncookie.httponly
I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
我在ColdFusion MX7上进行了测试,它按预期工作。 Dodged Appscan我做了。
#3
The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.
目标是第一个请求是安全的(并通过扫描),所以如果这个帖子涵盖了它,那么它将解决问题。
Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?
如果我错了,请纠正我,但如果请求通过HTTP传入,则需要重定向到HTTPS。在将请求发送到ColdFusion之前,您是否可以使用URL重写规则来捕获它?
#1
From: http://www.petefreitag.com/item/764.cfm
Running CF 8 or Lower and using Application.cfc
运行CF 8或更低版本并使用Application.cfc
<cfcomponent>
<cfset this.sessionmanagement = true>
<cfset this.setclientcookies = false>
<cffunction name="onSessionStart">
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cffunction>
<cfcomponent>
Make sure you have setclientcookies = false specified.
确保指定了setclientcookies = false。
If Using Application.cfm
如果使用Application.cfm
If you are still using an Application.cfm file, you can use the following:
如果您仍在使用Application.cfm文件,则可以使用以下命令:
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
#2
First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:
首先,热烈欢迎所有PCI DSS难民!还邀请了Appscan,Webinspect,Hailstorm和NTOSpider逃犯。坐在这里,我有蛋糕给你:
While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like
虽然Peter太迟了,但事实上可以让JRun从一开始就生成HTTPOnly(和安全)cookie。查找jrun-web.xml文件。它可能会在一个目录中
C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.
You have to add the following to the cookie-config section:
您必须将以下内容添加到cookie-config部分:
<cookie-config>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If your site is HTTPS, you should also enable the secure cookie option. But be careful, its server wide, not application specific. So it may not be suitable for your shared environment:
如果您的站点是HTTPS,则还应启用安全cookie选项。但要小心,它的服务器范围广,不是特定于应用程序。所以它可能不适合您的共享环境:
<cookie-config>
<cookie-secure>true</cookie-secure>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If you are not stuck in MX7 or CF8, there is an official setting for this in CF9.01 Dcoldfusion.sessioncookie.httponly
如果您没有卡在MX7或CF8中,CF9.01中有一个官方设置Dcoldfusion.sessioncookie.httponly
I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
我在ColdFusion MX7上进行了测试,它按预期工作。 Dodged Appscan我做了。
#3
The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.
目标是第一个请求是安全的(并通过扫描),所以如果这个帖子涵盖了它,那么它将解决问题。
Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?
如果我错了,请纠正我,但如果请求通过HTTP传入,则需要重定向到HTTPS。在将请求发送到ColdFusion之前,您是否可以使用URL重写规则来捕获它?