UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must set session cookies as browser session cookies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62475 CF11-05-000169 SV-76965r1_rule Medium
Description
Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly. ColdFusion offers the capability to set session Cookies and all other Cookies to browser cookies. This means all cookies become invalid once the browser window is closed instead of setting a time to live to the cookie. Setting the cookies to browser cookies will ensure the session identifier is invalidated once the user ends the session through closing the browser.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-06-15

Details

Check Text ( C-63279r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu.

If "Cookie Timeout" is not set to -1, this is a finding.
Fix Text (F-68395r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the parameter "Cookie Timeout" to -1 and select the "Submit Changes" button.