It's gotten so I can't think about writing any code without fretting about security while I'm doing it. I know, I know, that's a good thing. Still one does long for the old days when the makers of small to medium-sized websites could get away with lax security just because the big sites had enough security holes to keep the hackers busy. And those hackers didn't have as many automated tools to make hacking lots of sites easier.
Anyway, those days are long gone and none of us has to be labeled paranoid, because they really are out to get us.
The problem that comes up immediately for a ColdFusion developer is that the CFCOOKIE tag does not support httponly cookies. This seems like a gross oversite, especially since it should be very easy to implement. In order to use httponly cookies, you need to use the CFHEADER tag to to write the specially formatted cookie header to the browser. I looked around but couldn't find anyone online that had created a function that handled all of the functions of CFCOOKIE with the addition of httponly. Anyway, here is what I came up with.
<cffunction name="SetCookie" hint="Replacement for cfcookie that handles httponly cookies" output="false" returntype="void">
<cfargument name="name" type="string" required="true">
<cfargument name="value" type="string" required="true">
<cfargument name="expires" type="any" default="" hint="''=session only|now|never|[date]|[number of days]">
<cfargument name="domain" type="string" default="">
<cfargument name="path" type="string" default="/">
<cfargument name="secure" type="boolean" default="false">
<cfargument name="httponly" type="boolean" default="false">
<cfset var c = "#UCase(name)#=#value#;">
<cfset var expDate = "">
<cfset expDate = DateAdd('d',-1,Now())>
<cfset expDate = DateAdd('yyyy',30,Now())>
<cfset expDate = Arguments.expires>
<cfset expDate = DateAdd('d',Arguments.expires,Now())>
<cfif IsDate(expDate) gt 0>
<cfset expDate = DateConvert('local2Utc',expDate)>
<cfset c = c & "expires=#DateFormat(expDate, 'ddd, dd-mmm-yyyy')# #TimeFormat(expDate, 'HH:mm:ss')# GMT;">
<cfif Len(Arguments.domain) gt 0>
<cfset c = c & "domain=#Arguments.domain#;">
<cfif Len(Arguments.path) gt 0>
<cfset c = c & "path=#Arguments.path#;">
<cfset c = c & "secure;">
<cfset c = c & "httponly;">
<cfheader name="Set-Cookie" value="#c#" />
It's actually pretty simple, with the expires portion of the header being the only thing that required a little work. I have attempted to mimic the CFCOOKIE functionality so that this can be used more or less as a simple replacement for that tag. Here's an example of usage:
I hope this proves helpful to others.
Posted on October 8, 2009 3:13:19 PM EDT by David Hammond
I felt as if my company was their only client. They responded to my needs quickly and efficiently despite short turn around time and intense demands.
Modern Signal significantly enhanced our site to be more efficient and user-friendly. They provide excellent customer service with timely and cost-effective solutions.
This was by far the smoothest website redevelopment I have ever experienced. Modern Signal was a wonderful company to work with and we greatly value our working relationship.
Modern Signal has been a great partner for us for over the past 10 years. As our business grew and our needs changed, Modern Signal was able to work with us to adjust our website platform in the ever-changing online world. Their service and response level has been second to none, and we've been never been happier with our relationship with them.
We wouldn’t have gotten where we are today without your support over the years. Modern Signal has always been a great partner to us.
I love working with Modern Signal! Their CMS is very easy to use and they are incredibly responsive to questions or challenges I bring them.
Modern Signal understands our business - from future needs to current limitations - so their solutions are always scalable, solid, and service-oriented.
Modern Signal worked with us to understand our needs and figure out what solution would work best for us. Our Lighthouse CMS is perfectly suited to our website goals. When we later needed to modify the CMS, they again took the time to understand exactly what was needed and then built that functionality rather than delivering a cookie cutter solution.
Modern Signal has a professional staff that was very responsive to our needs during all phases - scoping, developing, implementing and maintaining - of our project. We have been pleased with their ability to deliver quality work on time and on budget. If given the opportunity, I would work with them again.