Forcing HttpOnly cookies with JRun/ColdFusion
Problem description
We need to ensure that all cookies on a CF7 site are set as HttpOnly.
We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.
Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.
Any suggestions?
Related Question: Setting Secure flag for HTTPS cookies.
Recommended answer
First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:
While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.
You have to add the following to the cookie-config section:
<cookie-config>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If your site is HTTPS, you should also enable the secure cookie option. But be careful, it's server-wide, not application specific. So it may not be suitable for your shared environment:
<cookie-config>
<cookie-secure>true</cookie-secure>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If you are not stuck on MX7 or CF8, there is an official setting for this in CF9.01: -Dcoldfusion.sessioncookie.httponly
I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
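As an added check (example code, not from the answer above or from JRun itself): a small Python audit of Set-Cookie header values that reports which cookies lack HttpOnly or Secure, the same condition the scanners named above flag. The header samples are constructed to mirror what JRun emits by default and what the cookie-config above produces; they are not captured output.

```python
from typing import Dict, List, NamedTuple, Tuple


class CookieFlags(NamedTuple):
    path: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> Tuple[str, CookieFlags]:
    """Parse one Set-Cookie value into (cookie name, flags).

    Attributes are separated by ';' and matched case-insensitively, which is
    why a cookie-path of '/;HttpOnly' is read by the browser as Path=/
    followed by a separate HttpOnly attribute.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    path, httponly, secure = "", False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "path":
            path = value.strip()
        elif key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    return name, CookieFlags(path, httponly, secure)


def cookies_missing_flags(headers: List[str], require_secure: bool) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every header that fails the check."""
    findings: Dict[str, List[str]] = {}
    for value in headers:
        name, flags = parse_set_cookie(value)
        missing = []
        if not flags.httponly:
            missing.append("HttpOnly")
        if require_secure and not flags.secure:
            missing.append("Secure")
        if missing:
            findings[name] = missing
    return findings


# Constructed samples: JRun's default session cookie, the header the
# cookie-config above produces, and the HTTPS variant with cookie-secure.
DEFAULT_JRUN = "jsessionid=1234ABCD; Path=/"
WITH_HTTPONLY = "jsessionid=1234ABCD; Path=/;HttpOnly"
WITH_BOTH = "jsessionid=1234ABCD; Secure; Path=/;HttpOnly"

if __name__ == "__main__":
    for sample in (DEFAULT_JRUN, WITH_HTTPONLY, WITH_BOTH):
        print(sample, "->", cookies_missing_flags([sample], require_secure=True))
```

Run it against the Set-Cookie values from a real response of your server to confirm the jrun-web.xml change took effect.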