Check: APAS-CF-001030
Adobe ColdFusion STIG: APAS-CF-001030 (version v1 r1)
Title
ColdFusion must be configured to set the cookie settings. (Cat II impact)
Discussion
Cookies are often used to maintain user sessions in web applications, but if they are not properly managed they pose a security risk. Persistent cookies that survive the browser being closed can be exploited by attackers to gain unauthorized access to user sessions. Setting the cookie timeout to -1 makes ColdFusion issue session cookies that are valid only for the duration of the browser session: when the user closes the browser, the session cookies are discarded, reducing the risk of session hijacking and unauthorized access. Administrators configure this in the ColdFusion Administrator, and the setting improves application security by ensuring that user sessions end when the browser is closed.
Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258
Check Content
Verify Session Cookie Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.
- If the Cookie Timeout is not set to "-1", this is a finding.
- If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, this is a finding.
- If the "Cookie Samesite default value" is not set to "Lax" or "Strict" for a default value, this is a finding.
Fix Text
Configure Session Cookie Settings.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.
2. If the Cookie Timeout is not set to -1, update the setting to -1 so that session cookies expire when the browser is closed rather than persisting on disk.
3. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." is not checked, enable this setting to prevent unauthorized modification of internal cookies.
4. If the "Cookie Samesite default value" is not set to "Lax" or "Strict", configure it to one of these values to enhance security against cross-site request forgery (CSRF) attacks.
5. Select "Submit Changes".
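The two settings that are visible from outside the server (a browser-session cookie and a SameSite default of Lax or Strict) can be audited from a response's Set-Cookie headers. The script below is an added example, not part of the STIG or of ColdFusion; it assumes the session cookies carry ColdFusion's default names CFID and CFTOKEN and that a cookie with no Expires or Max-Age attribute is browser-session scoped, which is what a Cookie Timeout of -1 produces, and the sample headers are constructed. The "Disable updating ColdFusion internal cookies" setting is not observable this way and still has to be checked in the Administrator.

```python
# Added example, not part of the STIG: audit a ColdFusion response's
# Set-Cookie headers against the cookie settings in APAS-CF-001030.
# Assumptions: the session cookies are the ColdFusion defaults CFID and
# CFTOKEN, and a cookie without Expires/Max-Age is browser-session scoped,
# which is what a Cookie Timeout of -1 produces. Samples are constructed.
SESSION_COOKIES = {"CFID", "CFTOKEN"}
ALLOWED_SAMESITE = {"lax", "strict"}

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_cookie(header: str) -> list[str]:
    """Findings for one Set-Cookie header; an empty list means compliant."""
    c = parse_set_cookie(header)
    if c["name"] not in SESSION_COOKIES:
        return []  # only the ColdFusion session cookies are in scope
    findings = []
    if "expires" in c["attrs"] or "max-age" in c["attrs"]:
        findings.append(f"{c['name']}: persistent cookie, Cookie Timeout is not -1")
    if c["attrs"].get("samesite", "").lower() not in ALLOWED_SAMESITE:
        findings.append(f"{c['name']}: SameSite is not Lax or Strict")
    return findings

def audit_response(set_cookie_headers: list[str]) -> list[str]:
    """Collect findings across all Set-Cookie headers of one response."""
    findings = []
    for h in set_cookie_headers:
        findings.extend(audit_cookie(h))
    return findings

# Constructed samples: a non-compliant response and a compliant one.
NONCOMPLIANT = [
    "CFID=1234; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT; HttpOnly",
    "CFTOKEN=abcdef; Path=/; Max-Age=2592000; HttpOnly; SameSite=None",
]
COMPLIANT = [
    "CFID=1234; Path=/; HttpOnly; Secure; SameSite=Lax",
    "CFTOKEN=abcdef; Path=/; HttpOnly; Secure; SameSite=Strict",
]
if __name__ == "__main__":
    for label, hdrs in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, audit_response(hdrs) or ["no findings"])
```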
Additional Identifiers
Rule ID: SV-279106r1171597_rule
Vulnerability ID: V-279106
Group Title: SRG-APP-000516-AS-000237
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
| CCI-002418 | Protect the confidentiality and/or integrity of transmitted information. |
| CCI-002420 | Maintain the confidentiality and/or integrity of information during preparation for transmission. |