UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must encrypt cookies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62511 CF11-05-000196 SV-77001r1_rule Medium
Description
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2015-11-02

Details

Check Text ( C-63315r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu.

If "Secure Cookie" is not checked, this is a finding.
Fix Text (F-68431r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Secure Cookie" and select the "Submit Changes" button.