Do I need to delete the cookie in Coldfusion when I change other session variables

Tags:

coldfusion

I have a problem with session variables in my app. To make it short, my coldfusion application is inside a dot net application using an iFrame. The main application is using dot net, so users log in to the dot net app. Once a user successfully logs in they can access my coldfusion app through a link. So there is no login to my coldfusion app. (Boss does not want our users to login twice!)

To differentiate each user, the dot net app passes two url variables, url.userid and url.usergroup, to my coldfusion app. Then I created session variables based on these url variables, such as session.userid and session.usergroup, to differentiate each user and their roles when they are roaming in my coldfusion app. This is how I create the sessions: in my application.cfc (ColdFusion 10) OnSessionStart I have:

 <cfset session.userid= url.userid>
 <cfset session.usergroup= url.usergroup>

If I log in as user A, those two sessions are created; then when I log out (through the dot net app) and log in again as user B, another set of sessions is created for user B, but the session variables that belong to user A still exist. This messes up everything.

To only maintain 1 set of sessions running at a time, I do the following in my index.cfm:

   <CFIF StructKeyExists(session,"userid") >
      <!--- the session belongs to a different user: start over with the new identity --->
      <cfif session.usergroup NEQ URL.usergroup AND session.userid NEQ url.userid>
         <cfset sessionInvalidate() />
         <cfset session.userid = url.userid>
         <cfset session.usergroup = url.usergroup>
      </cfif>
   </CFIF>

This works; I can log in and log out as different users with different roles and access perfectly, but one thing that I notice still stays the same is the cookie. When I cfdump var="#cookie#" I see the same jsessionid=C2AEE274A09334EB98CCB2D332D6CADA.cfusion

My question is: should I do something with the cookie? Should I also make it expire and rebuild the cookie for every new user, just like what I did with their sessions? How do I delete a cookie and how do I rebuild one for the user?

Rbt asked Oct 31 '22 04:10



2 Answers

Not quite the answer you are looking for, but it does seem to me that you could have a bigger problem though - are any of the URL params numeric or 'plain text'? If so, any user can see the URL params being passed via the iframe, so could easily change the userid and/or the usergroup, which presumably would give them access to things they shouldn't.

For example if the iframe calls: http://mycfapp.com/?userid=123&usergroup=2

Then by tampering with the params I could potentially login as a different user: http://mycfapp.com/?userid=1&usergroup=2

You need to think about securing these. You could get the .net application to call CF server-side to authenticate and get a token which you can then pass in the iframe. That way you can provide a time-sensitive token without the user ever seeing the ids being passed as simple URL params.

You could also have your .net application call CF when the user logs out to invalidate the token.

John Whish answered Nov 15 '22 13:11



Expanding on what John said, you need to make two calls from your .net application.

The first will be for authenticating the call from the .net system. In response to that you should give back a token. You can save this token into your session or database against the userId.

Then, using that token, you should allow the .net application user to access your ColdFusion application. You can set a timeout on that token based on the user journey.

nasaa answered Nov 15 '22 12:11

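As an added illustration of the two-call handoff both answers describe (this is not code from the question or either answer, and it is a Python model of the broker logic rather than ColdFusion), the sketch below issues a random, short-lived, single-use token when the .net side authenticates server-side, redeems it exactly once when the iframe request arrives, and lets the .net logout call revoke the resulting session. The class and method names (HandoffBroker, issue/redeem/revoke/identity) and the 60-second lifetime are assumptions.

```python
import secrets
import time


class HandoffBroker:
    """Constructed model of the token exchange between the .net host and the
    ColdFusion app (hypothetical; a real store would be the application scope
    or a database table). Only the opaque token ever appears in the iframe
    URL, never userid or usergroup, so there is nothing for a user to edit."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._pending = {}          # token -> (userid, usergroup, expires_at)
        self._sessions = {}         # token -> (userid, usergroup) for live sessions

    def issue(self, userid, usergroup):
        """Call 1: .net has authenticated the user and asks CF for a token."""
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._pending[token] = (userid, usergroup, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Iframe request: exchange the token for the identity exactly once.
        Returns (userid, usergroup), or None for unknown, replayed or expired tokens."""
        entry = self._pending.pop(token, None)   # pop: a replayed token fails
        if entry is None:
            return None
        userid, usergroup, expires_at = entry
        if self.clock() > expires_at:
            return None
        self._sessions[token] = (userid, usergroup)
        return userid, usergroup

    def revoke(self, token):
        """Call 2: .net reports logout; drop the token whether or not it was used."""
        self._pending.pop(token, None)
        return self._sessions.pop(token, None) is not None

    def identity(self, token):
        """What the CF session would hold for a live token, else None."""
        return self._sessions.get(token)
```

In ColdFusion the two maps would live in the application scope or a table, with issue and revoke exposed as remote CFC methods reachable only from the .net server, and redeem run once in OnSessionStart before session.userid and session.usergroup are set.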