Web Software Architecture and Engineering – Life on the Bleeding Edge

In the CF 9.0.1 list of What’s New and Changed, the last item listed in the “other enhancements” area is a small note that “CFID, CFTOKEN, and jsessionid are marked httpOnly”. This is a small but significant step in the right direction.
What is httpOnly mean? Well, the OWASP website has a nice explanation. Basically it means: “If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.”
In plain english, I think it means these cookies are basically read-only, meaning you can’t write something in the browser to manipulate them. The big caveat being that the browser must support the optional flag to have this functionality.
Lots of people have started posting wish lists for enhancements to CF10. Read more on Pete Freitag’s blog and Jason Dean’s as well.


Comments on: "Security Enhancement in CF 9.0.1" (7)

  1. Sami,

    Thanks for the post. This is a HUGE new feature and one that we’ve been waiting a long time for. I have heard of CF getting a bad score on security assessments because of this.

    Question: When you said “even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party”, was that meant to say that IE is more vulnerable than other browsers? Or that other browsers do not support httpOnly? Or something else?

    Interestingly, Microsoft was the security pioneer on this one. IE was the first to implement the httpOnly flag back in 2002 in IE6. It was a great idea and the other browsers followed. Now, pretty much all of the modern browsers support this flag. I think it would be pretty rare that you came across one that did not.

  2. Jason,

    Actually, I was quoting the OWASP website verbatim, those were not my words. I think the OWASP website was saying what you said, that IE was the first to support httpOnly, and that is the time the article was written – so they reference IE.

    At the bottom of the page, they have a listing of major browsers, and from what versions they support httpOnly. Looks like pretty broad support indeed!

  3. Just curious if anyone has found that the cfid, cftoken, and jsessionid do have the httpOnly attribute after this update. My security scan still showed them as not having the attribute after applying the 9.0.1 upgrade. Is there something else I need to do to enable this behavior?

  4. John,

    I haven’t tested myself, but it should after the upgrade. As far as I know, there is no enabling or disabling of this necessary.

  5. Actually, it does need to be enabled. It is outlined in the release notes.

    You need to pass in the following JVM arg in the CF Admin


    My understanding is that this is for the CFID/CFToken support. If you want httpOnly support for JRun, you need to add the property to jvm.config.

    For other servlet containers, you need to use their specific implementation, which was possible before CF9.

    Notes can be found here: http://www.adobe.com/support/documentation/en/coldfusion/901/cf901features.pdf

  6. @Jason – Thanks for the info on enabling it. I found the info about adding it to the jvm.config but missed the part about adding it in the admin. I made the wrong assumption that it would default to being on for CFID/CFTOKEN. Thanks again!

  7. That’s odd. The info I have is that those settings were pre-901. I’ll double check, but I’m sure you are right.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: