ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279108 | SRG-APP-000516-AS-000237 | APAS-CF-001070 | SV-279108r1171098_rule | 2025-12-19 | 1 |
| Description |
|---|
| Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information. |
| ℹ️ Check |
|---|
| Verify the Session Cookie setting "HTTPOnly". 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". If the "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding. |
| ✔️ Fix |
|---|
| Configure the Session Cookie setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". 3. Enable (check) the "HTTPOnly" option. 4. Select "Submit Changes". |
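The check above is performed in the Admin Console. A complementary way to confirm the setting took effect is to inspect what the server actually sends: ColdFusion's session cookies are `CFID` and `CFTOKEN` (or `JSESSIONID` when J2EE sessions are in use), and each `Set-Cookie` header for them must carry the `HttpOnly` attribute. The following script is an added example, not part of the STIG text or of ColdFusion itself; the `Set-Cookie` headers and the raw HTTP response it analyzes are constructed sample data, and the function names are this example's own.

```python
"""Flag ColdFusion session cookies that are set without the HttpOnly attribute.

Added example: parses Set-Cookie headers (from a list or a raw HTTP response)
and reports session cookies a browser script could read. Sample data below is
constructed, not captured from a real server.
"""
from typing import Dict, List, Union

# ColdFusion session identifiers: CFID/CFTOKEN for CF sessions, JSESSIONID for J2EE sessions.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased so that "HttpOnly", "httponly" and "HTTPONLY"
    all compare equal; valueless attributes (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def find_session_cookie_findings(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session cookies set without HttpOnly (each one is a finding)."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() in SESSION_COOKIE_NAMES and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


def set_cookie_headers_from_response(raw_response: str) -> List[str]:
    """Extract every Set-Cookie header value from a raw HTTP response (head section only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [
        line.partition(":")[2].strip()
        for line in head.split("\r\n")
        if line.lower().startswith("set-cookie:")
    ]


def findings_from_response(raw_response: str) -> List[str]:
    """Convenience wrapper: raw response text in, list of non-compliant session cookies out."""
    return find_session_cookie_findings(set_cookie_headers_from_response(raw_response))


# Constructed sample headers: CFID lacks HttpOnly, the other session cookies are compliant,
# and "theme" is an ordinary application cookie that the check ignores.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; Secure",
    "CFTOKEN=67890; Path=/; Secure; HttpOnly",
    "JSESSIONID=ABC123; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]

# Constructed sample response with the same defect on CFID.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: CFID=12345; Path=/; Secure\r\n"
    "Set-Cookie: CFTOKEN=67890; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name in find_session_cookie_findings(SAMPLE_HEADERS):
        print(f"FINDING: session cookie {name} is set without HttpOnly")
```

Running the check against a live server means capturing the response headers of a request that starts a session (for example with a browser's developer tools or `curl -I`) and passing them to `find_session_cookie_findings`; an empty list means every session cookie observed carries `HttpOnly`. The parser is deliberately lenient about attribute case because the attribute name is case-insensitive to browsers and ColdFusion emits it as `HttpOnly`.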