OpenControls Logo

STIG Viewer

ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-279108APAS-CF-001070SV-279108r1171098_ruleCCI-000366medium
Description
Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.
STIGDate
Adobe ColdFusion Security Technical Implementation Guide2025-12-19

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-279108r1171098_chk)

Verify Session Cookie setting "HTTPOnly". 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". If "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.

Fix Text (F-83561r1171097_fix)

Configure Session Cookie setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". 3. Enable (check) the"HTTPOnly" option. 4. Select "Submit Changes".