Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.
One of the biggest leakages of session identifiers occurs with cflocation because the ADDTOKEN attribute defaults to true, appending the session identifiers to the URL, and thus be easily captured. The ADDTOKEN attribute should be set to false in almost all cases.
ColdFusion 10 added several new configuration items for working with the session cookie and authorization cookie for cflogin. They can be configured globally through the ColdFusion Administrator or on a per-application basis by applying the settings in Application.cfc.
<cfscript> this.sessioncookie.httponly = true; // if cookie to be httponly this.sessioncookie.timeout = "10"; // session cookie age (in days) this.sessioncookie.secure = true; // only https session cookie this.sessioncookie.domain = ".example.com"; // domain for which session cookies are valid this.sessioncookie.disableupdate = true; // if session cookie can be modified by coldfusion tags (cfcookie, cfheader) // CFLogin settings this.authcookie.timeout = createTimeSpan(0, 0, 0, 20); // authentication cookie age this.authcookie.disableupdate = true; // if session cookie can be modified by coldfusion tags (cfcookie, cfheader) </cfscript>
ColdFusion 10 also introduced two new functions to work with sessions, SessionInvalidate() and SessionRotate(). SessionInvalidate will clear all data stored in the session. If you are using J2EE sessions it will not invalidate the underlying JSESSIONID. SessionRotate is useful to prevent session fixation issues when used after the user is successfully authenticated. SessionRotate will copy the current session data, invalidate the current session, create a new session, and finally populate the new session with the copied data.