CF11 is prepending the values of these cookies with what looks to be a hash of the application name.
In CF9, the value of CFID for me is along the lines of: 2219
In CF11, this changes to be: Z3ir0kan93jawdd3kz38onobced8tfgn2kc3fy8i0w884gqffsn-2219
I need to be able to run a CF9 and CF11 server in the same pool (while we do the upgrade), but the differences in the cookie values mean that if you log in on a CF9 server and navigate to a CF11 server, you'll get logged out.
Is there any way to get CF11 to use the CF9 format for these cookie values?
About client identifiers
To use client and session variables, ColdFusion must be able to identify the client. It normally does so by setting the following two cookie values on the client's system:
CFID: A sequential client identifier.
CFToken: A random-number client security token.
For ColdFusion session variables: check the box next to "Enable Session Variables." This will set the Session.SessionID value equal to the Application name, CFID, and CFTOKEN values. ColdFusion session variables are enabled by default.
The variables SessionID, CFID, and CFTOKEN are set once by ColdFusion instead of on every request. When you use the StructClear(Session) function, it will clear the SessionID, CFID, and CFTOKEN variables because they are set once and they are in a Struct.
ColdFusion allows you to pass in the CFID and CFTOKEN values via the URL/FORM scopes if you are not using cookies (these are two of the scopes ColdFusion will search for unscoped variable names), but from what it sounds like, using this methodology would be considered just as insecure as, if not more insecure than, the JSESSIONID cookie.
The resulting CFToken identifier looks similar to the following: ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user's browser.
The behavior is as follows when CFID and CFTOKEN are provided in the URL: If session exists, the CFID and CFTOKEN from the URL are ignored. If the session does not exist, CFID and CFTOKEN from the URL are used to validate the session and the session is used if it is valid. If the session is not valid, a new session is created.
To use ColdFusion session variables without using cookies, each page must pass the CFID and CFToken values to any page that it calls as part of the request URL. If a page contains any HTML href a= links, cflocation tags, form tags, or cfform tags the tags must pass the CFID and CFToken values in the tag URL.
The value of CFID/CFTOKEN was changed from a simple numeric value to a string+numeric for security reasons.
http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html
Reason
In its default configuration, Adobe ColdFusion uses a pair of cookies named CF_ID and CF_TOKEN to manage user sessions. These two cookies are only ever used in tandem with each other--they are never used separately.
Even though CF_ID is sequential, CF_TOKEN is random and is unpredictable. Since it is the combination of both cookies that is used, the resulting combination is also unpredictable.
Solution
To eliminate this error in your compliance testing, you can configure ColdFusion to use J2EE session identifiers instead of CF_ID and CF_TOKEN.
Note: This solution does not make your ColdFusion server any more or less secure.
So it's not in your best interest to have CF 11 use the old-style numeric CF_ID value.
If you're going to have CF 9 and CF 11 in the same pool, where requests can randomly bounce from one to the other, you'll run into a number of other problems. I spent the better part of a year converting from CF 8 to CF 9 about two years ago (yes, yes, I know).
For instance, if you happen to use any CF UI components, you'll have problems when a request that starts on CF X rendered HTML & JS goes to CF Y, which has updated JS functions for that feature. We ripped them all out and converted to jQuery/jQuery UI.
We also ran into something as simple as this:
this.name = HASH(getDirectoryFromPath(getCurrentTemplatePath()));
getDirectoryFromPath() returned an upper-case value in 8 and lower-case value in 9 (or vice-versa). We had to update it to this:
this.name = HASH(Lcase(getDirectoryFromPath(getCurrentTemplatePath())));
in order to have them use the same application name and, therefore, session.
You'll be better off running CF 11 in its own pool and running a full regression test against it to figure out what needs to be updated.
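As an added example (not code from the question or the answer above), here is a small Python model of two points in this thread: telling the CF9 and CF11 CFID cookie formats apart, and the application-name hash mismatch that different getDirectoryFromPath() casing causes until Lcase() is applied. It assumes ColdFusion's HASH() default (MD5, upper-case hex digest) and uses constructed cookie and path values.

```python
import hashlib
import re

# Constructed sample cookie values, shaped like the ones quoted in the question.
CF9_CFID = "2219"
CF11_CFID = "Z3ir0kan93jawdd3kz38onobced8tfgn2kc3fy8i0w884gqffsn-2219"

# Bare sequential number (CF9) or alphanumeric prefix, hyphen, number (CF11).
CFID_RE = re.compile(r"^(?:(?P<prefix>[A-Za-z0-9]+)-)?(?P<num>\d+)$")


def parse_cfid(value):
    """Return (format, prefix, numeric_id) for a CFID cookie value.

    'cf9' for a bare sequential number, 'cf11' for prefix-number, or None when
    the value matches neither shape (reject it rather than trust it).
    """
    m = CFID_RE.match(value)
    if not m:
        return None
    if m.group("prefix"):
        return ("cf11", m.group("prefix"), int(m.group("num")))
    return ("cf9", None, int(m.group("num")))


def cf_hash(text):
    """Model of ColdFusion's HASH() default: MD5, upper-case hex digest (assumption)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def app_name(directory, normalize_case=False):
    """this.name = HASH(getDirectoryFromPath(...)), with the optional Lcase() fix."""
    if normalize_case:
        directory = directory.lower()
    return cf_hash(directory)


def same_application(dir_a, dir_b, normalize_case=False):
    """True when two servers reporting these paths derive the same Application name."""
    return app_name(dir_a, normalize_case) == app_name(dir_b, normalize_case)


# Constructed: the same web root reported with different casing by two servers.
DIR_UPPER = "C:\\INETPUB\\WWWROOT\\MYAPP\\"
DIR_LOWER = "c:\\inetpub\\wwwroot\\myapp\\"

if __name__ == "__main__":
    print(parse_cfid(CF9_CFID), parse_cfid(CF11_CFID))
    print("raw hash matches:", same_application(DIR_UPPER, DIR_LOWER))
    print("Lcase hash matches:", same_application(DIR_UPPER, DIR_LOWER, True))
```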