Remember to Encrypt those CF Cookies

It seems you can never do enough to protect your website. One pointer I thought I'd mention is to remember to not use the default ColdFusion sessions when possible as they do not encrypt session cookies on the client. You can easily change this in the administrator to use UUID for cftoken cookies under the settings page.

But you can do yourself a bigger favor and use J2EE Sessions just as easily by simply checking the box under the Session Management section. At this point you should now see a new cookie being set by ColdFusion called jsessionid, and it should be a nice encrypted string.

Finally, if you need to hide the other cookies (cfid and cftoken) for whatever purpose for compliances or whatnot(maybe you need PCI compliance) you will need to go into your application.cfc or application.cfm file and change:

  • this.clientManagement = false
  • this.setClientCookies = false

You should be able to continue using session as normal and you should only see one cookie generated by ColdFusion, jsessionid. Any other cookies you set yourself will still work properly as well.

This should be on your checklist of things to do for any websites with logins or sensitive data. Also it never hurts to check your non ColdFusion applications as well to make sure they are using encrypted cookie session id's! Here is a link to a few very quick things you can do to help protect your site: