Client Variable Cookie CFGLOBALS Includes Session Ids
Published on July 14, 2011
By Pete Freitag
I was recently conducting a CFML security review for a client and realized that when client variables are set to use cookies, the session IDs (e.g. CFID and CFTOKEN) are included in the CFGLOBALS cookie.

This means that from a security perspective you need to protect the CFGLOBALS cookie just as you would the CFID and CFTOKEN cookies, by setting the HttpOnly flag and possibly the Secure flag.
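As an added example (not from the original post), here is a small Python audit that reads the Set-Cookie headers of a ColdFusion response and reports any of the cookies named above that lack the HttpOnly or Secure flag; the sample headers, including the CFGLOBALS value, are constructed for the demonstration.

```python
# Added example, not from the original post: audit Set-Cookie headers for the
# ColdFusion cookies that carry a session identifier and report missing flags.
from http.cookies import SimpleCookie

# Cookies that carry or embed the session identifier. CFGLOBALS belongs here
# because it embeds CFID/CFTOKEN when client variables are stored in cookies.
SESSION_COOKIES = {"CFID", "CFTOKEN", "CFGLOBALS"}

# Constructed sample response headers: CFID and CFTOKEN are protected, the
# CFGLOBALS cookie is not, and "theme" is an unrelated application cookie.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CFTOKEN=67890; Path=/; HttpOnly; Secure",
    "CFGLOBALS=urltoken%3DCFID%23%3D12345%26CFTOKEN%23%3D67890; Path=/",
    "theme=dark; Path=/",
]


def audit_set_cookie(headers, require_secure=True):
    """Return [(cookie_name, [missing_flags])] for session-bearing cookies.

    Each header is parsed on its own; cookies outside SESSION_COOKIES are
    ignored. Set require_secure=False for a site that is served over HTTP
    only (the HttpOnly check always applies).
    """
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.upper() not in SESSION_COOKIES:
                continue
            missing = []
            # Flag attributes parse as True when present, "" when absent.
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if require_secure and not morsel["secure"]:
                missing.append("Secure")
            if missing:
                findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

In a real review, feed it the Set-Cookie headers captured from a page that sets client variables, so the CFGLOBALS cookie is actually present in the response.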