ColdFusion must encrypt cookies.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Associated with: CCI-002418

SV-77001r1_rule ColdFusion must encrypt cookies.

Vulnerability discussion

Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).Transmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.

Check content

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Secure Cookie" is not checked, this is a finding.

Fix text

Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Secure Cookie" and select the "Submit Changes" button.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.