Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62517 | CF11-05-000199 | SV-77007r1_rule | Medium |
Description |
---|
A cookie can be read by client-side scripts easily if cookie properties are not set properly during preparation for transmission. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HTTPOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2016-09-21 |
Check Text ( C-63321r1_chk ) |
---|
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "HTTPOnly" is unchecked, this is a finding. |
Fix Text (F-68437r1_fix) |
---|
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "HTTPOnly" and select the "Submit Changes" button. |