ColdFusion Function to set HttpOnly Cookie

It's gotten so I can't think about writing any code without fretting about security while I'm doing it.  I know, I know, that's a good thing.  Still one does long for the old days when the makers of small to medium-sized websites could get away with lax security just because the big sites had enough security holes to keep the hackers busy.  And those hackers didn't have as many automated tools to make hacking lots of sites easier.

Anyway, those days are long gone and none of us has to be labeled paranoid, because they really are out to get us.

So, on my security checklist was to start using HttpOnly cookies for potentially sensitive cookies (like those related to login).  HttpOnly cookies have been supported for a while by Internet Explorer, and Firefox has recently started supporting them.  What's good about HttpOnly cookies is that their values cannot be read through JavaScript, which stops a variety of cross-site-scripting attacks that depend on reading the cookie.  For more info, here is a good page:

http://www.12robots.com/index.cfm/2009/1/5/mmmmMMmmmmmmm-Cookies--Security-Series-12

The problem that comes up immediately for a ColdFusion developer is that the CFCOOKIE tag does not support HttpOnly cookies.  This seems like a gross oversight, especially since it should be very easy to implement.  To use HttpOnly cookies, you need to use the CFHEADER tag to write the specially formatted Set-Cookie header to the browser yourself.  I looked around but couldn't find anyone online who had written a function that covered all of the functionality of CFCOOKIE with the addition of httponly.  Anyway, here is what I came up with.

<cffunction name="SetCookie" hint="Replacement for cfcookie that handles httponly cookies" output="false" returntype="void">
    <cfargument name="name" type="string" required="true">
    <cfargument name="value" type="string" required="true" hint="Written as-is (not URL-encoded), so it must not contain ';' or line breaks">
    <cfargument name="expires" type="any" default="" hint="''=session only|now|never|[date]|[number of days]">
    <cfargument name="domain" type="string" default="">
    <cfargument name="path" type="string" default="/">
    <cfargument name="secure" type="boolean" default="false">
    <cfargument name="httponly" type="boolean" default="false">
    <!--- cfcookie upper-cases cookie names, so do the same to stay a drop-in replacement --->
    <cfset var c = "#UCase(Arguments.name)#=#Arguments.value#;">
    <cfset var expDate = "">
    <cfswitch expression="#Arguments.expires#">
        <cfcase value="">
            <!--- no expires attribute: the browser keeps the cookie for the session only --->
        </cfcase>
        <cfcase value="now">
            <!--- a date in the past tells the browser to delete the cookie --->
            <cfset expDate = DateAdd('d',-1,Now())>
        </cfcase>
        <cfcase value="never">
            <cfset expDate = DateAdd('yyyy',30,Now())>
        </cfcase>
        <cfdefaultcase>
            <cfif IsDate(Arguments.expires)>
                <cfset expDate = Arguments.expires>
            <cfelseif IsNumeric(Arguments.expires)>
                <!--- a number means "this many days from now", as with cfcookie --->
                <cfset expDate = DateAdd('d',Arguments.expires,Now())>
            </cfif>
        </cfdefaultcase>
    </cfswitch>
    <cfif IsDate(expDate)>
        <!--- the expires attribute must be GMT in the form "ddd, dd-mmm-yyyy HH:mm:ss GMT" --->
        <cfset expDate = DateConvert('local2Utc',expDate)>
        <cfset c = c & "expires=#DateFormat(expDate, 'ddd, dd-mmm-yyyy')# #TimeFormat(expDate, 'HH:mm:ss')# GMT;">
    </cfif>
    <cfif Len(Arguments.domain) gt 0>
        <cfset c = c & "domain=#Arguments.domain#;">
    </cfif>
    <cfif Len(Arguments.path) gt 0>
        <cfset c = c & "path=#Arguments.path#;">
    </cfif>
    <!--- cfcookie cannot emit these flags, which is why the header is written by hand --->
    <cfif Arguments.secure>
        <cfset c = c & "secure;">
    </cfif>
    <cfif Arguments.httponly>
        <cfset c = c & "httponly;">
    </cfif>
    <cfheader name="Set-Cookie" value="#c#">
</cffunction>

It's actually pretty simple, with the expires portion of the header being the only thing that required a little work.  I have attempted to mimic the CFCOOKIE functionality so that this can be used more or less as a simple replacement for that tag.  Here's an example of usage:

<cfset SetCookie(
    name="logintoken",
    value="sometoken",
    secure=true,
    httponly=true)>

I hope this proves helpful to others.

Comments

How do you confirm that the cookie is actually being set with the HttpOnly flag?

Posted on February 18, 2010 4:43:15 PM EST by Michael Kane

I use the Firecookie Firefox addon. It adds a pane to Firebug that gives you all the cookie info for the current page. Really great tool for debugging anything having to do with cookies.

Posted on February 18, 2010 4:48:22 PM EST by David Hammond
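As an added example (not code from the post or from Modern Signal), the following Python mirrors the header assembly of the CFML function above and adds an auditor that answers the question raised in the comments: does the emitted Set-Cookie header actually carry the HttpOnly and Secure flags, and is its expires value well-formed? The `now` parameter and the 30-year approximation for "never" are assumptions of this mirror; the expected results below are what it returns for constructed headers.

```python
from datetime import datetime, timedelta, timezone
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"   # ddd, dd-mmm-yyyy HH:mm:ss GMT
KNOWN_ATTRS = {"expires", "domain", "path", "secure", "httponly"}

def build_set_cookie(name, value, expires="", domain="", path="/",
                     secure=False, httponly=False, now=None):
    """Assemble the Set-Cookie header the same way the CFML SetCookie does."""
    now = now or datetime.now(timezone.utc)      # injectable clock (assumption)
    header = f"{name.upper()}={value};"          # cfcookie upper-cases names
    exp = None                                   # stays None for "" (session cookie)
    if expires == "now":                         # a past date deletes the cookie
        exp = now - timedelta(days=1)
    elif expires == "never":                     # DateAdd('yyyy',30,Now())
        exp = now + timedelta(days=30 * 365)     # approximation of 30 years
    elif isinstance(expires, datetime):
        exp = expires
    elif isinstance(expires, int):               # number of days from now
        exp = now + timedelta(days=expires)
    if exp is not None:
        header += "expires=" + exp.astimezone(timezone.utc).strftime(EXPIRES_FMT) + ";"
    if domain:
        header += f"domain={domain};"
    if path:
        header += f"path={path};"
    if secure:
        header += "secure;"
    if httponly:
        header += "httponly;"
    return header

def audit_set_cookie(header):
    """Return the problems a reviewer would flag on a login-related cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs, problems = {}, []
    for part in parts[1:]:                       # parts[0] is NAME=value
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
        if key.lower() not in KNOWN_ATTRS:
            # an unencoded ';' inside the value shows up as a bogus attribute
            problems.append(f"unexpected attribute {part!r}")
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            problems.append(f"missing {flag} flag")
    if "expires" in attrs:
        try:
            datetime.strptime(attrs["expires"], EXPIRES_FMT)
        except ValueError:
            problems.append(f"unparseable expires {attrs['expires']!r}")
    return problems
```

Running `audit_set_cookie` over the Set-Cookie headers your server actually returns (from a proxy log or the browser's network pane) is a quick regression check that the flags did not get lost.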
