Installing ColdFusion Installing the Database Installing Sample Files

What is ColdFusion? Setting Variables Datatypes Commenting Script vs Tag

Decision Making Scopes

Looping

Databases XML JSON

Functions Includes Custom Tags Components

Application cfc

OOP

Intro to ORM

Mail

cfhttp cfdocument cfpdf cfpdfform File Manipulation Image Manipulation Spreadsheets

Caching Advanced Caching

Introduction Injection Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Session Identifier Protection File Uploads Secure Password Storage ColdFusion Configuration

Error Handling Debugging

i18n

What to do Next

Security

Session Identifier Protection

Content Author

David Epler

dcepler

Reviewed/Revised By

Pete Freitag

pfreitag

Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.

One of the biggest leakages of session identifiers occurs with cflocation because the addtoken attribute defaults to true, appending the session identifiers to the URL, and thus be easily captured. The addtoken attribute should be set to false in almost all cases.

An additional measure to protect the session identifiers is to set the cookie which they are delivered to be HTTPOnly. When a cookie is flagged HTTPOnly, it is not possible for the cookie to be accessed in the browser via Javascript. ColdFusion 9 added the ability to set HTTPOnly cookies with cfcookie and ColdFusion 9.0.1 added a JVM flag to enable HTTPOnly cookies for the session identifiers. Pete Freitag has an excellent blog posting showing how to deal with this in older versions of ColdFusion: Setting up HTTPOnly Session Cookies for ColdFusion.

ColdFusion 10 added several new configuration items for working with the session cookie and authorization cookie for cflogin. They can be configured globally through the ColdFusion Administrator or on a per-application basis by applying the settings in Application.cfc.

this.sessioncookie.httponly = true;     // if cookie to be httponly
this.sessioncookie.timeout = "10";      // session cookie age (in days)
this.sessioncookie.secure = true;       // only https session cookie
this.sessioncookie.domain = ".example.com"; // domain for which session cookies are valid
this.sessioncookie.disableupdate = true; // if session cookie can be modified by coldfusion tags (cfcookie, cfheader)

// CFLogin settings
this.authcookie.timeout = createTimeSpan(0, 0, 0, 20); // authentication cookie age
this.authcookie.disableupdate = true;   // if session cookie can be modified by coldfusion tags (cfcookie, cfheader)

ColdFusion 10 also introduced two new functions to work with sessions, SessionInvalidate() and SessionRotate(). SessionInvalidate will clear all data stored in the session. If you are using J2EE sessions it will not invalidate the underlying JSESSIONID. SessionRotate is useful to prevent session fixation issues when used after the user is successfully authenticated. SessionRotate will copy the current session data, invalidate the current session, create a new session, and finally populate the new session with the copied data.

Additional Resources:

OWASP Session Management Cheat Sheet

Setup

Basics

Decision Making and Scopes

Looping

Data Handling

Code Reuse

Application cfc

OOP

ORM

Mail

Document Handling

Caching

Security

Error Handling and Debugging

i18n

Conclusion

Security

Session Identifier Protection