 

What are current CF9.02 Session Cookie Management Best Practices?

Common "best practice" for ColdFusion session cookie management has been to implement something like this:

<!--- In Application.cfc: stop ColdFusion from setting its own CFID/CFTOKEN cookies --->
<cfset this.setClientCookies = false />
<!--- Then issue them by hand, scoped to this host and path, with no expires (browser-session cookies) --->
<cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )>
    <cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
    <cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
</cfif>

OR

<!--- Re-set the cookies ColdFusion already sent, but without an expires attribute,
      so the persistent CFID/CFTOKEN cookies become browser-session cookies --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFID" value="#Cookie.CFID#">
    <cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>

depending on who you talk to.

Adobe then released http://www.adobe.com/support/security/bulletins/apsb11-04.html and later a fix for this original fix, which is talked about here: http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html

The original fix causes a lot of issues described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour. This fix (and a lot of other similar fixes on the web) works by modifying the cfcookie code above.

It's a year later and what I would like to know is what people are currently doing for CFID/CFToken management when running CF9.02 (i.e., with the session fixation fixes applied).

Dave asked Sep 12 '12 23:09




1 Answer

Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).

The Adobe docs actually have a pretty good write up about managing client state: Managing the client state

What is your case for still needing to use CFID/CFToken?

An excerpt from that Adobe article:

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.

Miguel-F answered Oct 03 '22 23:10
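An added example, not code from the question or from the answer, that puts the question's "set the cookies yourself" pattern into a complete CF9-era Application.cfc and adds the attributes a defender would want on those cookies (no expires, no Domain, httponly, secure), plus a logout helper that expires them. The application name, the /test/sessiontest path, the logout.cfm page and the logoutSession() function are assumptions; it assumes the site is reachable over HTTPS.

```cfml
<!--- Application.cfc: added example, not code from the question or the answer.
      Assumes a CF9.0.2 site under /test/sessiontest served over HTTPS;
      the component name, path, logout.cfm and logoutSession() are assumptions. --->
<cfcomponent output="false">

    <cfset this.name = "sessiontest" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0) />
    <!--- Client variables are what the answer advises against; leave them off. --->
    <cfset this.clientManagement = false />
    <!--- Stop ColdFusion writing its own long-lived CFID/CFTOKEN cookies;
          they are issued in onSessionStart with the attributes we want instead. --->
    <cfset this.setClientCookies = false />

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- cgi.SERVER_PORT_SECURE is "1" when the request arrived over TLS. --->
        <cfset var overTls = (cgi.SERVER_PORT_SECURE EQ 1) />

        <!--- No "expires": browser-session cookies, dropped when the browser closes.
              No "domain": host-only cookie, so subdomains never receive it (and
              cgi.HTTP_HOST, which may carry a port, is not used to build a Domain).
              httponly: not readable by script, which limits theft via XSS.
              secure: only sent over HTTPS, so it cannot leak on a plain-HTTP request. --->
        <cfcookie name="CFID" value="#session.CFID#" path="/test/sessiontest"
                  httponly="true" secure="#overTls#" />
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" path="/test/sessiontest"
                  httponly="true" secure="#overTls#" />
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <!--- Any request to the (assumed) logout page ends the session and
              removes both cookies from the browser. --->
        <cfif findNoCase("logout.cfm", arguments.targetPage)>
            <cfset logoutSession() />
        </cfif>
        <cfreturn true />
    </cffunction>

    <!--- Assumed helper. CF9 has no sessionInvalidate() (that arrived in CF10),
          so empty the session scope and expire the cookies instead. The path must
          match the one used when the cookies were set, or the browser keeps them. --->
    <cffunction name="logoutSession" returntype="void" output="false">
        <cfset structClear(session) />
        <cfcookie name="CFID" value="" path="/test/sessiontest" expires="now" />
        <cfcookie name="CFTOKEN" value="" path="/test/sessiontest" expires="now" />
    </cffunction>

</cfcomponent>
```

Two notes on how this relates to the answer. First, the "Use J2EE session variables" option it recommends is a ColdFusion Administrator setting, not something set in Application.cfc: once it is on, the session is keyed by the servlet container's jsessionid cookie rather than by CFID/CFTOKEN, the cookie above is no longer what identifies the session, and a logout would end the container session with getPageContext().getSession().invalidate(). Second, with this.setClientCookies = false a request that arrives with no valid cookies simply starts a new session and gets a fresh pair, which is the behaviour you want after a logout.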