Title

ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies. (Cat II impact)

Discussion

Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.

Check Content

Verify Session Cookie setting "HTTPOnly". 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". If "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.

Fix Text

Configure Session Cookie setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". 3. Enable (check) the"HTTPOnly" option. 4. Select "Submit Changes".

Additional Identifiers

Rule ID: SV-279108r1171098_rule

Vulnerability ID: V-279108

Group Title: SRG-APP-000516-AS-000237

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.