Secure CFCOOKIE Security Consideration

Last night I gave a presentation to my local Philly CFUG, part of which covered the creation of cookies from ColdFusion. In the course of presenting I "discovered" that it is possible to set secure cookies in response to a non-secure request.

<cfcookie name="mycookie" value="yum" secure="true"/>

Now, the browser will not send that cookie on subsequent requests unless the connection is secure; however, if the cookie was set in response to a non-secure page, its value has already traveled in the clear inside the Set-Cookie header and has been exposed to potential hijacking.

The Lesson Learned

If you are using cfcookie with the secure attribute, make sure you are doing so over a secure connection or you may be leaving yourself vulnerable to cookie hijacking.
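The following is an added example, not code from the post. It models the two halves of the point above: a browser honours the Secure attribute on the way back (the cookie is never sent over plain HTTP), but the Set-Cookie header itself goes out over whatever channel the response used, so a Secure cookie issued on an http:// page has already been exposed once. The audit function flags exactly that case; the raw HTTP responses are constructed sample data.

```python
"""Audit HTTP responses for Secure cookies issued over plain HTTP (added example)."""

from typing import Dict, List, Tuple


def parse_set_cookies(raw_response: str) -> List[Tuple[str, str, Dict[str, object]]]:
    """Return (name, value, attributes) for every Set-Cookie header in a raw HTTP response.

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly) map to True.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, object] = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
        cookies.append((name.strip(), value, attrs))
    return cookies


def browser_would_send(attrs: Dict[str, object], request_scheme: str) -> bool:
    """Model the browser rule: a Secure cookie is only sent back over https."""
    if attrs.get("secure"):
        return request_scheme.lower() == "https"
    return True


def audit(response_scheme: str, raw_response: str) -> List[str]:
    """Flag Secure cookies whose Set-Cookie header was delivered over a non-TLS response."""
    findings = []
    for name, _value, attrs in parse_set_cookies(raw_response):
        if attrs.get("secure") and response_scheme.lower() != "https":
            findings.append(
                f"{name}: Secure cookie issued over {response_scheme}; "
                "its value was already sent in the clear"
            )
    return findings


# Constructed sample: the post's cookie set in a response to a non-secure request.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: mycookie=yum; Secure; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in audit("http", SAMPLE_RESPONSE):
        print("WARN", finding)
    secure_attrs = parse_set_cookies(SAMPLE_RESPONSE)[0][2]
    print("browser sends mycookie over http: ", browser_would_send(secure_attrs, "http"))
    print("browser sends mycookie over https:", browser_would_send(secure_attrs, "https"))
```

Run it against captured responses from a test environment: any finding means the secure="true" cookie is being set on a page that was itself served over plain HTTP, which is the situation the lesson above warns about. Note that current browsers go further than the rule modelled here and refuse to store a Secure cookie at all when it arrives over http, but that does not undo the exposure of the value in transit.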

