Turning Off Sessions for Non-https Traffic
Today I wanted to configure an application to only set secure cookies. Those are cookies that are only sent back to the server over a secure (https) connection.
The main reason for this is to prevent session hijacking, where a bad guy sniffs the cookie values that link a user to the session “state” on the server. They could manage that if the session was started on an http:// connection and the user then logged on and was transferred to https://: the bad guy would still have the cookie values and would be able to visit the website as the logged-in user. No good. You can read more in Jason Dean’s great series on security.
As ColdFusion sets a new session by default upon every first visit (if you have sessionManagement turned on), you have a couple of options to mitigate session hijacking. One of these is secure cookies; ColdFusion has a few options for this (as well as httpOnly). 12Robots has a great page with a code sample on how to set these up, however I wanted to take things one step further and simply turn off sessionManagement if NOT over SSL. This also has the benefit of not allowing bots to clog up your server RAM with sessions that your site/application just doesn’t need.
Here is the code I used to only have session management turned on over SSL and not for traffic over port 80. Also included is the code from 12Robots to set secure and httpOnly cookies.
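As an added example (my own illustration, not the original post's code nor the 12Robots sample), here is an Application.cfc that enables session management only for SSL requests and marks the session cookies secure and httpOnly. It assumes ColdFusion 10 or later for `this.sessionCookie`, and that the web server exposes `cgi.server_port_secure` (1 for https) or `cgi.https` ("on" for https).

```cfml
// Application.cfc: sessions only over SSL, with secure + httpOnly cookies.
// Added example; assumes ColdFusion 10+ (this.sessionCookie) and that the
// web server populates cgi.server_port_secure or cgi.https.
component {

    this.name = "sslOnlySessions";
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);

    // Decide per request whether this one arrived over SSL.
    // Plain-http visitors (including bots) never get a CFID/CFTOKEN pair
    // or a session structure in server RAM.
    variables.isSecure = (cgi.server_port_secure == 1)
                         || (lcase(cgi.https) == "on");

    // Session management is only switched on for SSL traffic.
    this.sessionManagement = variables.isSecure;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);

    // When a session is created, its cookies are sent with the Secure flag
    // (browser only returns them over https) and HttpOnly (not readable
    // from document.cookie), so a sniffed http request never carries them.
    this.sessionCookie = {
        secure   = true,
        httpOnly = true
    };

    public boolean function onRequestStart(required string targetPage) {
        // With sessions off for http, any page touching the session scope
        // would throw. Expose the state so pages can degrade cleanly.
        request.sessionsEnabled = this.sessionManagement;
        return true;
    }

}
```

With `this.sessionManagement` false for port-80 requests, a page must check `request.sessionsEnabled` before reading the `session` scope, otherwise ColdFusion raises an error for those requests.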