← Back to Adobe ColdFusion Security Technical Implementation Guide

V-279108

CAT II (Medium)

ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.

Rule ID

SV-279108r1171098_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.

Check Content

Verify Session Cookie setting "HTTPOnly".

1. From the Admin Console Landing Screen, navigate to Server Settings &gt;&gt; Memory Variables.

2. Locate the options labeled "Session Cookie Settings".

If  "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.

Fix Text

Configure Session Cookie setting.

1. From the Admin Console Landing Screen, navigate to Server Settings &gt;&gt; Memory Variables.

2. Locate the options labeled "Session Cookie Settings".

3. Enable (check) the"HTTPOnly" option.

4. Select "Submit Changes".