ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279108 | APAS-CF-001070 | SV-279108r1171098_rule | CCI-000366 | medium |
| Description | ||||
| Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information. | ||||
| STIG | Date | |||
| Adobe ColdFusion Security Technical Implementation Guide | 2025-12-19 | |||
Details
Check Text (C-279108r1171098_chk)
Verify Session Cookie setting "HTTPOnly".
1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Locate the options labeled "Session Cookie Settings".
If "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.
Fix Text (F-83561r1171097_fix)
Configure Session Cookie setting.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Locate the options labeled "Session Cookie Settings".
3. Enable (check) the"HTTPOnly" option.
4. Select "Submit Changes".