ColdFusion must encrypt cookies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62511	CF11-05-000196	SV-77001r1_rule		Medium

Description
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.

Description

Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-12-31

Details

Check Text ( C-63315r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Secure Cookie" is not checked, this is a finding.

Fix Text (F-68431r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Secure Cookie" and select the "Submit Changes" button.