Session identifiers (
JSESSIONID) need to be protected
since they provide an attacker with an easy way to impersonate a user if
they are acquired.
One of the biggest leakages of session identifiers occurs with
cflocation because the
addtoken attribute defaults to
the session identifiers to the URL, and thus be easily captured. The
addtoken attribute should be set to
false in almost all cases.
An additional measure to protect the session identifiers is to set the
cookie which they are delivered to be
HTTPOnly. When a cookie is flagged
HTTPOnly, it is not possible for the cookie to be accessed in the
cookies with cfcookie and ColdFusion 9.0.1 added a JVM flag to enable
HTTPOnly cookies for the session identifiers. Pete Freitag has an
excellent blog posting showing how to deal with this in older versions
of ColdFusion: Setting up HTTPOnly Session Cookies for
ColdFusion 10 added several new configuration items for working with the
session cookie and authorization cookie for
cflogin. They can be
configured globally through the ColdFusion Administrator or on a
per-application basis by applying the settings in Application.cfc.
this.sessioncookie.httponly = true; // if cookie to be httponly this.sessioncookie.timeout = "10"; // session cookie age (in days) this.sessioncookie.secure = true; // only https session cookie this.sessioncookie.domain = ".example.com"; // domain for which session cookies are valid this.sessioncookie.disableupdate = true; // if session cookie can be modified by coldfusion tags (cfcookie, cfheader) // CFLogin settings this.authcookie.timeout = createTimeSpan(0, 0, 0, 20); // authentication cookie age this.authcookie.disableupdate = true; // if session cookie can be modified by coldfusion tags (cfcookie, cfheader)
ColdFusion 10 also introduced two new functions to work with sessions,
SessionInvalidate will clear
all data stored in the session. If you are using J2EE sessions it will
not invalidate the underlying
SessionRotate is useful to
prevent session fixation issues when used after the user is successfully
authenticated. SessionRotate will copy the current session data,
invalidate the current session, create a new session, and finally
populate the new session with the copied data.