ColdFusion must be configured to set the cookie settings.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279106 | SRG-APP-000516-AS-000237 | APAS-CF-001030 | SV-279106r1171597_rule | 2025-12-19 | 1 |
| Description |
|---|
| Cookies are commonly used to maintain user sessions in web applications, and a session cookie that is not properly managed is a security risk. A session cookie that persists after the browser is closed remains on the client and can be replayed by an attacker who obtains it (for example from a shared or stolen machine) to resume the user's session. Setting the ColdFusion Cookie Timeout to -1 issues the session identifier cookies (CFID and CFTOKEN) without an expiry, so the browser treats them as session cookies and discards them when it closes; this bounds the window for session hijacking and unauthorized reuse to the life of the browser session. Preventing ColdFusion tags and functions from updating the internal cookies, and setting a SameSite default of Lax or Strict, further limit tampering with the session identifiers and cross-site request forgery (CSRF). Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258 |
| ℹ️ Check |
|---|
| Verify the session cookie settings. From the Admin Console landing screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings. If "Cookie Timeout" is not set to "-1", this is a finding. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, this is a finding. If "Cookie Samesite default value" is not set to "Lax" or "Strict", this is a finding. |
| ✔️ Fix |
|---|
| Configure the session cookie settings. 1. From the Admin Console landing screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings. 2. If "Cookie Timeout" is not set to -1, set it to -1 so that session cookies are issued without an expiry and are discarded when the browser closes. 3. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, enable it to prevent application code from modifying the internal session cookies. 4. If "Cookie Samesite default value" is not set to "Lax" or "Strict", set it to one of these values to mitigate cross-site request forgery (CSRF). 5. Select "Submit Changes". |
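Two of the three settings above (browser-session lifetime and the SameSite default) are visible in the Set-Cookie headers ColdFusion emits for its session identifier cookies, CFID and CFTOKEN, so a black-box check can confirm the Administrator configuration actually took effect. The following script is an added example, not part of the STIG text: it parses Set-Cookie header values and reports a finding when a CFID or CFTOKEN cookie carries Expires or Max-Age (a persistent cookie, i.e. Cookie Timeout not -1) or lacks SameSite=Lax or SameSite=Strict. The sample headers are constructed for illustration. The "disable updating internal cookies" setting cannot be observed in a response and must still be checked in the Administrator.

```python
"""Black-box check of ColdFusion session cookie attributes.

Added example, not ColdFusion or STIG code. Assumes the session identifier
cookies are named CFID and CFTOKEN (ColdFusion's defaults) and that the
Set-Cookie values are supplied as a list of strings, one per header.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_COOKIES = {"cfid", "cftoken"}      # ColdFusion session identifier cookies
ACCEPTABLE_SAMESITE = {"lax", "strict"}    # values the rule accepts


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lowercase attr -> value or None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and a lowercase attribute map.

    Splitting on ';' is safe here: the only comma in a Set-Cookie value sits
    inside the Expires date, which is a single attribute.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value and are stored as None
        attrs[key.strip().lower()] = val.strip() if sep else None
    return ParsedCookie(name.strip(), value, attrs)


def check_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return findings for CFID/CFTOKEN cookies; an empty list means both observable criteria pass."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIES:
            continue  # application cookies are out of scope for this rule
        # Cookie Timeout -1 => no Expires and no Max-Age, so the browser drops it on close
        if "expires" in cookie.attrs or "max-age" in cookie.attrs:
            findings.append(
                f"{cookie.name}: persistent cookie (Expires/Max-Age present); "
                "expected browser-session cookie (Cookie Timeout -1)"
            )
        samesite = (cookie.attrs.get("samesite") or "").lower()
        if samesite not in ACCEPTABLE_SAMESITE:
            findings.append(
                f"{cookie.name}: SameSite is {samesite or 'absent'}; expected Lax or Strict"
            )
    return findings


# Constructed sample responses, not captured from a real server
COMPLIANT_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure; SameSite=Strict",
    "CFTOKEN=abcdef0123456789; Path=/; HttpOnly; Secure; SameSite=Strict",
]
NONCOMPLIANT_HEADERS = [
    "CFID=12345; Expires=Sun, 19 Dec 2055 00:00:00 GMT; Path=/; HttpOnly; Secure",
    "CFTOKEN=abcdef0123456789; Max-Age=2592000; Path=/; SameSite=None; Secure",
    "theme=dark; Max-Age=31536000; Path=/",  # application cookie, ignored
]

if __name__ == "__main__":
    for label, headers in (("compliant", COMPLIANT_HEADERS), ("noncompliant", NONCOMPLIANT_HEADERS)):
        result = check_session_cookies(headers)
        print(f"{label}: {'no findings' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Against a live server, feed the function the raw headers from a response that starts a session, for example `resp.headers.get_all("Set-Cookie")` from `urllib.request.urlopen`; a finding on either criterion means the Administrator setting did not take effect or is being overridden for that application.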