ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279108 | SRG-APP-000516-AS-000237 | APAS-CF-001070 | SV-279108r1171098_rule | 2025-12-19 | 1 |
Description
Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.
ℹ️ Check
Verify Session Cookie setting "HTTPOnly".
1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Locate the options labeled "Session Cookie Settings".
If "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.
✔️ Fix
Configure Session Cookie setting.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Locate the options labeled "Session Cookie Settings".
3. Enable (check) the"HTTPOnly" option.
4. Select "Submit Changes".