
Could not disable HttpOnly flag in browser via ColdFusion


In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.

We tried to disable this HttpOnly flag in the browser in the following ways:

  • By disabling the HttpOnly flag and Global Script Protection in CF admin.
  • By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".

But this way the HttpOnly flag is still showing as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence logout functionality is not working.

Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?

Note:

In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID. We use the CF2018 enterprise edition (Trial Version, not yet expired). Restarted CF services after updating the settings in CF admin.


Solution

  • You'll likely have to refactor your application to address a number of OWASP vulnerabilities that could not be handled by CF 9 out of the box. Depending on your audience, you should get a 3rd party to perform a security penetration test against your code base.

    You're going to need to refactor your logout process. You shouldn't disable httpOnly on the jsessionid cookie; it's a prevention against Cross-Site Scripting attacks.

    https://www.owasp.org/index.php/HttpOnly

    According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

    https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN

    When using JEE session IDs, you need to add this as part of your logout process:

    <cfset getPageContext().getSession().invalidate()>
    

    Then redirect to another page like your login screen. This will delete the jsessionid cookie and actually invalidate the JEE session on the server.
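
A server-side logout page that follows the steps in the answer above, as an added example that is not part of the original answer. The file names logout.cfm and login.cfm are assumptions, and the explicit cookie expiry and the Cache-Control header are extra steps added here.

```cfml
<!--- logout.cfm (hypothetical file name): the logout link or form points here,
      so no client-side script has to touch the HttpOnly cookie. --->
<cfscript>
    // Fetch the underlying JEE (servlet) session behind the ColdFusion session scope.
    jeeSession = getPageContext().getSession();

    // Invalidate it on the server. After this the old JSESSIONID value is useless,
    // even if a copy of it is still held somewhere.
    if (!isNull(jeeSession)) {
        jeeSession.invalidate();
    }
</cfscript>

<!--- Extra step (assumption, not from the answer): expire the cookie with a
      Set-Cookie response header. A server response can overwrite an HttpOnly
      cookie; only script access through document.cookie is blocked. --->
<cfcookie name="JSESSIONID" value="" expires="now" httponly="true">

<!--- Extra step (assumption): keep the logout response out of caches. --->
<cfheader name="Cache-Control" value="no-store">

<!--- Redirect to the login screen (login.cfm is a hypothetical name).
      addtoken="false" keeps session identifiers out of the redirect URL. --->
<cflocation url="login.cfm" addtoken="false">
```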