cherdt
June 20, 2014

CFID and CFTOKEN still set when using J2EE sessions


I'm using CF10 and "Use J2EE session variables" is selected in the CF admin.

When I visit an application, I get the JSESSIONID cookie, but I also get the CFID and CFTOKEN persistent cookies. The app I'm working with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.

I'm not sure why CFID and CFTOKEN are still set. Are they set regardless of the client and session management settings?

Correct answer: cherdt

When I followed Ben Nadel's post on forcing the CFID and CFTOKEN as session cookies, I found that those cookies are not set at all if the application's SetClientCookies property is set to a false value:

<cfset THIS.SetClientCookies = "No">

As the docs (well, the CF8 docs that Google found) point out, the default value for SetClientCookies is true, so that's why I was getting CFID and CFTOKEN.

Thanks for pointing me in the right direction!
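The setting from the accepted answer, written out as a complete Application.cfc for an application running on J2EE sessions. This is an added example for illustration, not code from the original thread or from Ben Nadel's post; the application name, the session timeout and the log file name are assumed values.

```cfml
<!--- Application.cfc: added example, not from the original thread --->
<cfcomponent output="false">
    <!--- Application name and session timeout are assumed values --->
    <cfset THIS.name = "legacyApp">
    <cfset THIS.sessionManagement = true>
    <cfset THIS.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- No client variables, and do not send CFID/CFTOKEN cookies at all.
          With "Use J2EE session variables" enabled in the CF Administrator,
          JSESSIONID is the cookie that actually identifies the session, so
          nothing in the application needs CFID/CFTOKEN on the wire. --->
    <cfset THIS.clientManagement = false>
    <cfset THIS.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Self-check: with setClientCookies=false neither cookie should arrive.
              If one does, another part of the site is still issuing it. --->
        <cfif structKeyExists(cookie, "CFID") OR structKeyExists(cookie, "CFTOKEN")>
            <cflog file="cookieaudit"
                   text="CFID/CFTOKEN cookie present on #arguments.targetPage#">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

For an application that still uses Application.cfm, the same attributes go on the cfapplication tag (sessionmanagement="yes" clientmanagement="no" setclientcookies="no"). If you need CFID/CFTOKEN to exist but only for the browser session, emit them yourself with cfcookie and no expires attribute; a cookie set that way carries no Expires/Max-Age and is discarded when the browser closes, which is what auditing tools check for.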

3 replies

cherdt (Author)
June 23, 2014

Thanks to both Eduardo and BKBK for the replies.

As Eduardo mentioned, when using J2EE session management, CFID and CFTOKEN do not appear to be connected to the session. By creating a session in one browser and manipulating the cookies in a 2nd browser, I was able to steal the session using jsessionid but not with CFID and CFTOKEN.

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies. Is there any way to force CF to set CFID and CFTOKEN as session cookies instead?

BKBK
Community Expert
June 23, 2014

cherdt wrote:

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies.

The auditing software must be giving you a false positive. In my opinion, CFID and CFTOKEN cookies are non-persistent, and cannot outlast the session in which they are created.

BKBK
Community Expert
June 20, 2014

When you opt to use J2EE session management, the cookie scope includes the variables cookie.jsessionid, cookie.CFID and cookie.CFToken. I do believe that that is just how ColdFusion plays it.

Eduardo Athar
Participating Frequently
June 20, 2014

Hello!

Yes, they are set...

I cannot say exactly why CFID and CFTOKEN remain in the cookie, but I know that even with them there you can only capture and use a session, including through the session tracker API, via jsessionid. I have asked myself this question, and the only conclusion I reached was that CF must create linkages within its internal structure tying it somehow to the jsessionid, but as a session tracker CFID and CFTOKEN have no influence on the session available to the user.