Setting session cookies to have the httpOnly attribute with ColdFusion 9.0.1

For a site that falls under PCI compliance scans you will need to have session cookies that have the httpOnly attribute set. With the release of ColdFusion 9.0.1 it is now much easier to have your session cookies carry the httpOnly attribute.

To start you will need to log into your ColdFusion Administrator and go to the Java and JVM section under Server Settings. In the text box containing the JVM arguments you will need to add the following line. This will add the httpOnly attribute to your cfid and cftoken cookies.

-Dcoldfusion.sessioncookie.httponly=true

If you use jsessionid cookies you will need to add the line to your jvm.config file, located in your cf_root/runtime/bin folder on Windows servers at least.

After restarting your server you should have cfid/cftoken and jsessionid cookies with the httpOnly attribute set.

On my server I also have an app running under PHP. A quick change to php.ini and a web server restart added the httpOnly attribute to my PHP session cookies. Make sure the following line is set to true:

session.cookie_httponly = True

A great tool for quickly seeing whether a site's session cookies have the httpOnly or secure attributes is the Storage tab of the developer tools built into Google Chrome. You can easily check which attributes are set on the cookies of the site you are viewing.
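If you would rather check from a script than from the browser's developer tools, the following added example (not code from the post) audits the Set-Cookie headers of a response for the session cookies named above and reports which ones lack the httpOnly or secure attribute. The response headers are constructed sample data, and the PHPSESSID name is my assumption for PHP's default session cookie.

```python
"""Audit Set-Cookie headers for the httpOnly and secure attributes."""

# Constructed sample response headers, not captured from a real server.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=12345; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=67890; Path=/",
    "Set-Cookie: JSESSIONID=abcdef; Path=/; Secure; HttpOnly",
    "Set-Cookie: PHPSESSID=zzz; path=/; HttpOnly",
    "Content-Type: text/html",
]

# Session cookie names to audit: ColdFusion's cfid/cftoken and jsessionid,
# plus PHPSESSID (assumed default PHP session cookie name).
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID", "PHPSESSID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes like HttpOnly have no value; store None for them.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), attrs


def audit_cookies(headers):
    """Return [(cookie_name, [missing attributes])] for each session cookie."""
    findings = []
    for line in headers:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.upper() not in SESSION_COOKIES:
            continue
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

A cookie missing httpOnly is the one a PCI scan will flag; the secure attribute is listed as well because the same Storage tab shows both.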

Comments

1
James Moberg

Thanks for the info. Here's a UDF that will allow you to manually create httpOnly cookies (since I don't always use CFIDE/CFTOKEN or JSessionID for my user sessions.) http://www.modernsignal.com/coldfusionhttponlycookie I use Firebug to monitor/test cookies to verify that they are httpOnly. http://getfirebug.com/

2
John Sieber

@James - Good tip on the UDF and using Firebug to monitor cookies.
