I was just given a security scan result for one of our web apps that showed two problems:
- Missing HttpOnly Attribute in Session Cookie
- Missing Secure Attribute in Encrypted Session (SSL) Cookie
The interesting thing is that I have both client and domain cookies set to "No" in my Application.cfm file (this is an old application that uses CF8). Maybe I don't understand the concept?
I found a piece of code that's supposed to secure cookies:
<!--- Re-issue the session cookies by hand whenever the browser has no
      CFID/CFTOKEN cookie yet, or its CFTOKEN does not match the server-side
      session token; the cfheader calls add HttpOnly to each cookie --->
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But I get session.cfid and session.cftoken undefined errors. Before I rack my brain on something I obviously don't get, can someone steer me in the right direction?
Thanks in advance!
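As an added example (not the poster's code, and not taken from any ColdFusion documentation), here is a complete Application.cfm for CF8 that puts the pieces above together: sessionmanagement is switched on so that session.CFID and session.CFToken exist, setclientcookies is left off so ColdFusion does not write its own cookies, and the cookies are then issued manually with both attributes the scan asked for. The application name "myApp", the 30-minute timeout, and the assumption that the application is served over HTTPS only (so the Secure attribute can always be set) are mine.

```cfml
<!--- Added example Application.cfm (CF8), not the poster's original code.
      Assumptions: application name "myApp", 30-minute session timeout,
      site is served over HTTPS only. --->
<cfapplication name="myApp"
               sessionmanagement="yes"
               setclientcookies="no"
               clientmanagement="no"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- session.CFID and session.CFToken are only populated when
      sessionmanagement="yes"; with it off, any reference to them fails
      with an "undefined" error. --->
<cfif NOT IsDefined("cookie.cfid")
      OR NOT IsDefined("cookie.cftoken")
      OR cookie.cftoken IS NOT session.CFToken>

    <!--- Because setclientcookies="no", ColdFusion will not send these
          cookies itself, so they are written as raw Set-Cookie headers.
          HttpOnly keeps script (document.cookie) from reading them;
          Secure keeps the browser from sending them over plain HTTP. --->
    <cfheader name="Set-Cookie"
              value="CFID=#session.CFID#;path=/;HttpOnly;Secure">
    <cfheader name="Set-Cookie"
              value="CFTOKEN=#session.CFToken#;path=/;HttpOnly;Secure">
</cfif>
```

To confirm the change, request any page of the application and look at the response headers (browser developer tools or a command-line HTTP client): each of the two Set-Cookie lines should end with "HttpOnly;Secure". If the application is also reachable over plain HTTP, the Secure attribute will stop the browser from returning the cookies on those requests, which is the intended behaviour for a session cookie but worth knowing before rolling it out.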