ColdFusion must set session cookies as browser session cookies.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62475 | CF11-05-000169 | SV-76965r1_rule | Medium |
| Description |
|---|
| Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly. ColdFusion offers the capability to set session Cookies and all other Cookies to browser cookies. This means all cookies become invalid once the browser window is closed instead of setting a time to live to the cookie. Setting the cookies to browser cookies will ensure the session identifier is invalidated once the user ends the session through closing the browser. |
| STIG | Date |
|---|---|
| Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-12-31 |
Details
| Check Text ( C-63279r1_chk ) |
|---|
| Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Cookie Timeout" is not set to -1, this is a finding. |
| Fix Text (F-68395r1_fix) |
|---|
| Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the parameter "Cookie Timeout" to -1 and select the "Submit Changes" button. |