Session Identifier Protection

By David Epler (Bio)

Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.

One of the biggest leakages of session identifiers occurs with cflocation because the ADDTOKEN attribute defaults to true, appending the session identifiers to the URL, and thus be easily captured. The ADDTOKEN attribute should be set to false in almost all cases.

An additional measure to protect the session identifiers is to set the cookie which they are delivered to be HTTPOnly. When a cookie is flagged HTTPOnly, it is not possible for the cookie to be accessed in the browser via Javascript. ColdFusion 9 added the ability to set HTTPOnly cookies with cfcookie and ColdFusion 9.0.1 added a JVM flag to enable HTTPOnly cookies for the session identifiers. Pete Freitag has an excellent blog posting showing how to deal with this in older versions of ColdFusion: Setting up HTTPOnly Session Cookies for ColdFusion.

ColdFusion 10 added several new configuration items for working with the session cookie and authorization cookie for cflogin. They can be configured globally through the ColdFusion Administrator or on a per-application basis by applying the settings in Application.cfc.

    this.sessioncookie.httponly = true;     // if cookie to be httponly
    this.sessioncookie.timeout = "10";      // session cookie age (in days)
    this.sessioncookie.secure = true;       // only https session cookie
    this.sessioncookie.domain = ".example.com"; // domain for which session cookies are valid
    this.sessioncookie.disableupdate = true;    // if session cookie can be modified by coldfusion tags (cfcookie, cfheader)

    // CFLogin settings
    this.authcookie.timeout = createTimeSpan(0, 0, 0, 20);  // authentication cookie age
    this.authcookie.disableupdate = true;                   // if session cookie can be modified by coldfusion tags (cfcookie, cfheader)

ColdFusion 10 also introduced two new functions to work with sessions, SessionInvalidate() and SessionRotate(). SessionInvalidate will clear all data stored in the session. If you are using J2EE sessions it will not invalidate the underlying JSESSIONID. SessionRotate is useful to prevent session fixation issues when used after the user is successfully authenticated. SessionRotate will copy the current session data, invalidate the current session, create a new session, and finally populate the new session with the copied data.

Additional Resources: