Secure Attribute on Session Cookies with Lucee on IIS
Categorized as: Tech Tips

Here is the scenario. You have an application written in the ColdFusion Markup Language (CFML) and you have the Lucee application server installed and working properly to process that CFML code. All is good. But you know that as a security best practice, and a security requirement if you need to comply with things such as the Payment Card Industry Data Security Standard (PCI DSS), you should not rely on the CFID and CFTOKEN values that Lucee generates automatically and uses by default for session management. You instead want to use the JSESSIONID option that the underlying Java servlet engine makes available. For more detail on all of this, check out Differences between ColdFusion session and J2EE session management. While that article is published on the Adobe website and references their own ColdFusion application server, the concepts presented apply equally to Adobe ColdFusion and to Lucee.
Lucee makes using JSESSIONID for session management very simple. Just log in to your Lucee administrator and, under Settings, click on Scope. On the Scope page, the default for Session type will be Application. Change that to JEE, then scroll to the bottom and click the Update button to save the change, as reflected in the image below.

The change in session management type will terminate your current session, but that's ok. Just log back in to the Lucee administrator to confirm that Session type is now JEE. To further verify that JSESSIONID is being used for session management, open your browser's developer tools, visit a page on your website, and inspect the cookies. In Firefox this is under the Storage tab in developer tools; in Chrome it is found under the Application tab. Other browsers put it elsewhere, but every modern browser's developer tools expose the cookies somewhere. In the image below, you can see that CFID and CFTOKEN are still set, but there is also a cookie named JSESSIONID at the bottom.

The JSESSIONID cookie was not present at all prior to making the change in the Lucee administrator to use JEE as the session type. By adopting JEE as our session type we have improved our security posture, but astute observers will notice that there is still some work to be done before our website complies with industry security standards. It is not enough to switch to JSESSIONID; we must also make sure the Secure attribute on the cookie is set, so that the browser will only ever send the session identifier over HTTPS. Doing this in the Adobe ColdFusion administrator is trivial, as there is a checkbox for exactly that under the Memory Variables tab of Server Settings. With Lucee we must take a different approach, but it is still quite simple once you know what to do.
With Lucee, we must edit a text file. To do this, use a text editor to open the file found at:
{lucee-root}/tomcat/conf/web.xml
Once that XML file is open, search for <session-config>. There may already be a child node inside this session-config node, and that’s ok. We just want to leave that alone and add another child node under session-config so that the entire session-config node will look something like the following:
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
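As an added illustration, and not a file taken from the original post or shipped by Lucee, the same session-config element is shown below with Tomcat's http-only child alongside secure. Tomcat 7 and later already default the session cookie to HttpOnly through the Context's useHttpOnly attribute, so this line only makes the intent explicit in web.xml; the servlet schema defines cookie-config as an ordered sequence, which is why http-only must appear before secure. The 30 second session-timeout value is simply whatever your existing web.xml already contains.

```xml
<session-config>
    <!-- keep whatever timeout your web.xml already had -->
    <session-timeout>30</session-timeout>
    <cookie-config>
        <!-- HttpOnly: script in the page cannot read JSESSIONID.
             Tomcat 7+ defaults to this; stating it keeps the policy visible. -->
        <http-only>true</http-only>
        <!-- Secure: the browser sends JSESSIONID only over HTTPS -->
        <secure>true</secure>
    </cookie-config>
</session-config>
```

The schema order matters: if secure is placed before http-only, Tomcat will refuse to parse web.xml at startup.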
Save changes to web.xml and restart the Lucee service. Keep in mind that the Secure attribute is an instruction to the browser to send the cookie only over HTTPS, so your site must actually be served over HTTPS; on a plain HTTP site the browser will never return the cookie and the session will not persist. For good measure you may wish to clear your browser's history and existing cookies, or use an incognito window, and again visit your website. As seen in the image below, JSESSIONID now has its Secure attribute set.

We are now using JSESSIONID as the primary means of session management, but notice that Lucee (and Adobe's ColdFusion server does the same thing) still sets both CFID and CFTOKEN. And because the edit to web.xml described above only affects the behavior of the underlying Tomcat service, CFID and CFTOKEN still do not have their Secure attribute set. Let's fix that.
In your Application.cfc file, alongside the usual This.sessionmanagement settings, make sure to include the following:
<cfset This.sessioncookie.secure = true>
<cfset This.sessioncookie.httponly = true>
No service restart should be necessary, but you may need to clear the cookies in your browser, or just work in an incognito window, and visit your website again. This time you will see that all cookies being set by Lucee have the Secure attribute set, as seen in the image below.
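Inspecting cookies in developer tools works, but it is easy to miss one. The script below is an added example, not code from the original post or from Lucee, that audits raw Set-Cookie header values for the Secure and HttpOnly attributes the way a browser would read them. Run with no arguments it checks two constructed sets of headers that mirror the post's state after the web.xml change alone and after the Application.cfc change; given an https URL it fetches that page and audits the real headers. The cookie names JSESSIONID, CFID and CFTOKEN come from the post; the cookie values and Expires dates in the samples are invented.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original post or from Lucee).  Parses each raw
Set-Cookie header value into its name and attribute list, then reports which
of the session cookies are missing the required flags.  Sample headers below
are constructed; the cookie values are made up.
"""
import http.client
import sys
from urllib.parse import urlsplit

REQUIRED = ("secure", "httponly")
SESSION_COOKIES = ("JSESSIONID", "CFID", "CFTOKEN")


def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie header value.

    attrs maps lower-cased attribute names to their value, or True for bare
    flags such as Secure and HttpOnly.  Splitting on ';' only is correct here:
    the comma inside an Expires date is not a separator.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit(headers, names=SESSION_COOKIES):
    """Map each session cookie that was set to the REQUIRED flags it lacks.

    Cookies outside `names` are ignored; a cookie in `names` that the server
    never set does not appear in the result at all.
    """
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in names:
            continue
        findings[name] = [flag for flag in REQUIRED if flag not in attrs]
    return findings


def fetch_set_cookie(url):
    """Issue one GET over HTTPS and return the raw Set-Cookie header values."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError("audit the site over https; Secure cookies are never returned over http")
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
    conn.request("GET", u.path or "/", headers={"Host": u.hostname})
    resp = conn.getresponse()
    resp.read()
    # get_all returns every Set-Cookie header, not just the last one
    return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: after the web.xml change only. JSESSIONID is fixed,
# CFID/CFTOKEN still carry no Secure or HttpOnly flag. Values are invented.
AFTER_WEB_XML_ONLY = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "CFID=12345; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "CFTOKEN=67890; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

# Constructed sample: after This.sessioncookie.secure/httponly in Application.cfc.
AFTER_APPLICATION_CFC = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "CFID=12345; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; HttpOnly",
    "CFTOKEN=67890; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; HttpOnly",
]


def report(headers):
    """Print one line per session cookie; return True if all flags are present."""
    findings = audit(headers)
    for name, missing in findings.items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    return not any(findings.values())


def main(argv):
    if len(argv) > 1:
        return 0 if report(fetch_set_cookie(argv[1])) else 1
    print("-- after web.xml change only --")
    report(AFTER_WEB_XML_ONLY)
    print("-- after Application.cfc change --")
    return 0 if report(AFTER_APPLICATION_CFC) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status when any session cookie lacks a flag makes the script usable as a post-deployment check, for example after a Lucee upgrade overwrites tomcat/conf/web.xml.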
