
ColdFusion must protect Session Cookies from being read by scripts.


Overview

Finding ID: V-62517
Version: CF11-05-000199
Rule ID: SV-77007r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A cookie can easily be read by client-side scripts if its properties are not set correctly when it is prepared for transmission. Allowing client-side scripts to read cookies exposes information such as session identifiers, which an attacker who intercepts the cookie can then use. Setting the cookie property that disallows client-side script access (i.e., the HTTPOnly property) better protects the information inside the cookie.
STIG: Adobe ColdFusion 11 Security Technical Implementation Guide
Date: 2017-12-31

Details

Check Text (C-63321r1_chk)
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu.

If "HTTPOnly" is unchecked, this is a finding.
Fix Text (F-68437r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "HTTPOnly" and select the "Submit Changes" button.
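The HTTP-level counterpart of the Administrator Console check above, as an added example that is not part of the STIG and not ColdFusion's own code: it parses Set-Cookie header lines the way a verifier would capture them from a response and reports any session cookie that a script on the page could read because the HttpOnly flag is missing. It assumes ColdFusion's default session cookie names CFID and CFTOKEN (JSESSIONID when J2EE sessions are enabled); the sample headers are constructed, not captured from a server, and fetch_set_cookie_headers is a helper written for this example.

```python
"""Verify that ColdFusion session cookies carry the HttpOnly flag.

Added example, not part of the STIG or of ColdFusion. It inspects raw
Set-Cookie header values and flags session cookies that client-side
scripts could read via document.cookie.
"""
from dataclasses import dataclass, field
from urllib.request import urlopen

# Assumption: default ColdFusion session cookie names. A server configured for
# J2EE sessions issues JSESSIONID instead of CFID/CFTOKEN.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names lower-cased; flag attributes such as HttpOnly map to None.
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so "HttpOnly",
    "httponly" and "HTTPONLY" all end up under the key "httponly".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie value: {header_value!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        attr_name, has_value, attr_value = part.partition("=")
        attrs[attr_name.strip().lower()] = attr_value.strip() if has_value else None
    return ParsedCookie(name.strip(), value, attrs)


def is_httponly(cookie: ParsedCookie) -> bool:
    """True when the cookie cannot be read by client-side scripts."""
    return "httponly" in cookie.attributes


def find_readable_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies issued without HttpOnly.

    A non-empty result corresponds to the STIG finding ("HTTPOnly" unchecked).
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.upper() in session_names and not is_httponly(cookie):
            findings.append(cookie.name)
    return findings


def fetch_set_cookie_headers(url: str):
    """Collect every Set-Cookie header from one response to a server you operate.

    Helper written for this example; get_all() is the standard-library call
    that returns repeated headers as a list.
    """
    with urlopen(url) as resp:  # nosec: intended for your own test instance
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers (not captured from a real server). The first pair
# reflects the finding, the second the state after "HTTPOnly" is checked.
SAMPLE_BEFORE_FIX = [
    "CFID=1234; Path=/",
    "CFTOKEN=abcdef; Path=/; Secure",
]
SAMPLE_AFTER_FIX = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=abcdef; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before fix", SAMPLE_BEFORE_FIX), ("after fix", SAMPLE_AFTER_FIX)):
        readable = find_readable_session_cookies(headers)
        status = "FINDING: " + ", ".join(readable) if readable else "compliant"
        print(f"{label}: {status}")
```

To run it against a server you administer, replace the constructed lists with fetch_set_cookie_headers("https://your-host/") and inspect the result; a response that sets no session cookie at all yields an empty list, so the check should be run against a page that actually starts a session.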