Question
CFID CFTOKEN Problem
Hello. Thanks in advance for any help.
I have a serious problem that I have been unable to debug probably because of my poor understanding of the subject.
I have an application with session and client variables.
Some people are sharing CFIDs and CFTOKENs, which is resulting in a real security problem.
What I have found is that despite clearing the client storage database, the session variables, and resetting cookies, the CFID and CFTOKEN persist.
I created a page with the following code to highlight the problem:
<cfoutput>
cftoken: #cftoken#<br />
session.cftoken: #session.CFToken#<br />
client.cftoken: #client.cftoken#<br />
<!--- as posted this line read #client.cftoken#; the cookie scope is what is being inspected --->
cookie.cftoken: #cookie.cftoken#<br />
</cfoutput>
<cfcookie name="Cftoken" expires="now"><cfcookie name="cfid" expires="now">
<cflock name="myappsessionlogout" type="exclusive" timeout="5">
<!--- iterate over a snapshot of the key list; deleting keys from the collection being looped can fail --->
<cfloop list="#StructKeyList(Session)#" index="All_Vars">
<cfset StructDelete(Session, All_Vars)>
</cfloop>
</cflock>
<cfset client.cftoken = 0>
<cfoutput>
cftoken: #cftoken#<br />
<!---session.cftoken: #session.CFToken#<br />--->
client.cftoken: #client.cftoken#<br />
<!--- guarded: after the cfcookie expiry above the cookie may no longer be in the cookie scope --->
<cfif StructKeyExists(cookie, "cftoken")>cookie.cftoken: #cookie.cftoken#<br /></cfif>
</cfoutput>
First, I output the client, session, and cookie values for CFTOKEN.
I then delete/expire them and then I output them again.
The resulting page is something like this:
cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
session.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
client.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cookie.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cftoken:
client.cftoken: 0
cookie.cftoken: 0
If I refresh the page, however, the exact same output occurs, meaning that somewhere the CFID and CFTOKEN variables are persisting. The issue is that some people have very short values for cftoken and so they are being shared. I need to reset their values so that they include the UUID.
Can someone tell me how to force a user to get a new cookie, client and session or provide some insight as to what may be happening?
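The two pages below are an added example, not code from the original post, showing the logout sequence a security engineer would use to make ColdFusion mint a fresh CFID/CFTOKEN pair, and a follow-up page that confirms the new token carries the UUID part. The file names logout.cfm and whoami.cfm, the redirect target /login.cfm, the cookie domain and the token regex are assumptions; the code assumes ColdFusion 10 or later (for SessionInvalidate) and cookie-based session and client management. Two things commonly keep the old identifiers alive: the identifier cookies are expired under a path or domain different from the one they were issued with (which creates a second empty cookie and leaves the original in place), and the token is handed straight back to the browser in the URL because cflocation appends CFID/CFTOKEN by default when client management is on.

```cfml
<!--- ============================================================
      logout.cfm  (hypothetical file name; added example, not from the post)
      Makes ColdFusion issue a fresh CFID/CFTOKEN pair on the next request.
      Assumes ColdFusion 10+ (SessionInvalidate) and cookie-based session and
      client management (this.sessionManagement / this.clientManagement = true,
      this.setClientCookies = true in Application.cfc).
      ============================================================ --->

<!--- 1. Destroy the server-side session while its identifiers are still known.
      Deleting the session keys one by one (as in the post) only empties the data;
      the session object and its CFID/CFTOKEN stay valid until they time out. --->
<cfset SessionInvalidate()>

<!--- 2. Expire the identifier cookies under the same path/domain they were issued
      with. A Set-Cookie for a different path or domain creates a second, empty
      cookie and leaves the original untouched, so the old token keeps coming back.
      cookieDomain is an assumption; match it to what the Set-Cookie headers show. --->
<cfset cookieDomain = ".example.com">
<cfloop list="CFID,CFTOKEN,JSESSIONID" index="cookieName">
    <cfcookie name="#cookieName#" value="" expires="now" path="/" httponly="true">
    <cfcookie name="#cookieName#" value="" expires="now" path="/" domain="#cookieDomain#" httponly="true">
</cfloop>

<!--- 3. Leave this request without touching session or client scope again and
      WITHOUT letting cflocation append ?CFID=...&CFTOKEN=... to the URL (its
      default when client management is on), which would hand the browser the
      identifiers that were just expired. /login.cfm is an assumed target. --->
<cflocation url="/login.cfm" addtoken="no">


<!--- ============================================================
      whoami.cfm  (hypothetical file name) - request this after the redirect to
      confirm a fresh pair was created and that the token carries the UUID part.
      Short, purely numeric tokens are the ones that collide between users; they
      mean the ColdFusion Administrator setting "Use UUID for cftoken"
      (Server Settings > Settings) is off. The regex is an assumption about the
      UUID-style token layout (numeric prefix, dash, hex groups).
      ============================================================ --->
<cfset tokenHasUuid = REFindNoCase("^[0-9]+-[0-9a-f]{8}(-[0-9a-f]{4,16})+$", session.cftoken) GT 0>
<cfoutput>
session.cfid: #session.cfid#<br />
session.cftoken: #session.cftoken#<br />
<cfif StructKeyExists(cookie, "CFTOKEN")>
cookie.cftoken: #cookie.cftoken#<br />
<cfelse>
cookie.cftoken: (browser sent no CFTOKEN cookie on this request)<br />
</cfif>
token is UUID-based: #tokenHasUuid#<br />
</cfoutput>
<cfif NOT tokenHasUuid>
    <cfoutput><strong>Enable "Use UUID for cftoken" in ColdFusion Administrator, then run logout.cfm again.</strong></cfoutput>
</cfif>
```

Use SessionInvalidate() at logout and SessionRotate() (also CF10+) right after a successful login, so that an identifier a user held before authenticating never becomes the identifier of the authenticated session. If the old CFID/CFTOKEN still reappear after this sequence, they are arriving from somewhere other than the cookies this page expired: a bookmark or generated link carrying the token in the URL, or a cookie set under a different domain or path than the one being expired, both of which are visible in the browser's network tab on the Set-Cookie and Cookie headers.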
