
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279106

CAT II (Medium)

ColdFusion must be configured to set the cookie settings.

Rule ID

SV-279106r1171597_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366, CCI-000381, CCI-002418, CCI-002420

Discussion

Cookies are commonly used to maintain user sessions in web applications, and session cookies that are not properly managed are a security risk. A persistent session cookie (one carrying an Expires or Max-Age attribute) survives the browser being closed and remains on disk, so the session identifier can still be replayed long after the user has walked away from the workstation.

Setting the ColdFusion Cookie Timeout to -1 makes the session cookies browser-session cookies: they are issued without an expiry, the browser discards them when it is closed, and the session identifier cannot be reused from a later browser start. This reduces the window for session hijacking and unauthorized access. Note that browsers configured to restore the previous session on startup may keep session cookies across a restart, so the server-side session timeout still matters. The rule also requires that ColdFusion internal cookies cannot be rewritten by application tags and functions, and that the server-wide SameSite default is Lax or Strict so the session cookie is not sent on cross-site requests.

Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258

Check Content

Verify Session Cookie Settings.

From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.

If the Cookie Timeout is not set to "-1", this is a finding.

If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, this is a finding.

If the "Cookie Samesite default value" is not set to "Lax" or "Strict", this is a finding.

Fix Text

Configure Session Cookie Settings.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.

2. If the Cookie Timeout is not set to -1, update the setting to -1 so that session cookies expire when the browser is closed instead of persisting on disk.

3. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, enable this setting to prevent application code from modifying the internal session cookies.

4. If the "Cookie Samesite default value" is not set to "Lax" or "Strict", configure it to one of these values to enhance security against cross-site request forgery (CSRF) attacks.

5. Select "Submit Changes".
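The Admin Console check above is the authoritative one, but the same three settings are observable from outside the server: with Cookie Timeout at -1, ColdFusion issues its session cookies (CFID and CFTOKEN, or JSESSIONID when J2EE sessions are enabled) with no Expires or Max-Age attribute, and the SameSite default appears as a SameSite attribute on those cookies. The following script is an added example, not part of the STIG or of ColdFusion; it parses Set-Cookie headers captured from a first, cookie-less request that starts a session and reports the same findings the check content describes. The header lines are constructed for the example, and the `audit` and `check_session_cookie` function names are this example's own. Cookie-deletion responses (empty value, Max-Age=0, or an Expires in the past) are skipped because a logout handler legitimately sets those.

```python
"""Out-of-band check for ColdFusion session cookie settings (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# ColdFusion's session cookie names; JSESSIONID is used when J2EE sessions are enabled.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}
# Values the rule accepts for the server-wide SameSite default.
ALLOWED_SAMESITE = {"lax", "strict"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value ("" for flags)


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def is_deletion(cookie):
    """True when the header clears a cookie rather than setting a live one."""
    if cookie.value == "" or cookie.attrs.get("max-age") == "0":
        return True
    expires = cookie.attrs.get("expires")
    if not expires:
        return False
    try:
        return parsedate_to_datetime(expires) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):
        return False


def check_session_cookie(cookie):
    """Return the findings for one cookie; an empty list means it complies."""
    findings = []
    if cookie.name.upper() not in SESSION_COOKIE_NAMES or is_deletion(cookie):
        return findings
    # Cookie Timeout -1 means no Expires/Max-Age: any persistence attribute is a finding.
    if "expires" in cookie.attrs or "max-age" in cookie.attrs:
        findings.append(f"{cookie.name}: persistent cookie (Expires/Max-Age present); Cookie Timeout is not -1")
    samesite = cookie.attrs.get("samesite", "").lower()
    if samesite not in ALLOWED_SAMESITE:
        shown = samesite or "absent"
        findings.append(f"{cookie.name}: SameSite is {shown}; expected Lax or Strict")
    return findings


def audit(set_cookie_headers):
    """Run the check over every Set-Cookie header of one response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(check_session_cookie(parse_set_cookie(header)))
    return findings


# Constructed sample headers: a server with a positive Cookie Timeout and no SameSite default.
WEAK_HEADERS = [
    "CFID=12345; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Path=/; HttpOnly",
    "CFTOKEN=67890; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Path=/; HttpOnly; SameSite=None; Secure",
    "theme=dark; Path=/",
]

# Constructed sample headers after the fix: no expiry, SameSite Lax/Strict, plus a logout deletion.
COMPLIANT_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure; SameSite=Lax",
    "CFTOKEN=67890; Path=/; HttpOnly; Secure; SameSite=Strict",
    "CFID=; Max-Age=0; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("compliant", COMPLIANT_HEADERS)):
        print(f"{label}: {len(audit(headers))} finding(s)")
        for line in audit(headers):
            print("  -", line)
```

Capture the headers from the response to a request sent without any Cookie header (for example with curl -I against a page that calls cfapplication or has sessions enabled in Application.cfc); a request that already carries CFID/CFTOKEN may not re-issue them, so the check would see nothing to evaluate.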