Known Participant
July 3, 2012
Question

ColdFusion Session Fixation Bug

  • July 3, 2012
  • 3 replies
  • 5845 views

Hello all,

I'm currently running ColdFusion 9.0.1 on Windows Server 2008 R2 with IIS7, with Cumulative Hotfix 2 installed.  For the past couple of months we've been running into major problems with users losing their sessions on our web applications.   This problem only started occurring once I installed the hotfixes...Here is a quick timeline of events:

- Running ColdFusion 9.0 with no hotfixes for many years...Everything working great.

- Installed hotfix APSB12-06 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).  This caused problems with sessions.

- Uninstalled ColdFusion altogether, reinstalled ColdFusion 9.0.  Sessions were back to normal and working great, as they had been for years.

- Upgraded to CF 9.0.1.  Session problems started again.

- Cumulative Hotfix 2 says that it fixes the session fixation bug for 9.0.1.  Installed this successfully, but sessions are still not working correctly.

It appears that the only users this affects are IE users.  No particular version, but it seems to be mainly 7, 8, and 9 that are having trouble (may just be the most common IE versions that visit our sites...).  Haven't changed anything with the code...These are web apps that have worked for almost ten years now.  I've been having the system send me debugging information that dumps the session and cookie scopes to my email whenever a user logs in or logs out.  It definitely shows signs of session loss, and new session ID and cftoken IDs are being assigned every time a user navigates to a new page.

I can always revert back to my original CF 9.0 installation to fix this, but then my server has a huge security hole in it that the hotfixes were supposed to solve.  It seems I'm screwed here...Is anyone else having this problem?  Is there anything I can do?  Can anyone see any reason why I should continue to use Adobe's products given that their hotfixes aren't fixing any of my problems, but instead are making them worse?

Any information would be greatly appreciated...Thank you.

3 replies

July 5, 2012

Hi

You can add -Dcoldfusion.session.protectfixation=false in jvm arguments.

Shilpi

ColdFusion Server Team

Inspiring
July 5, 2012

What does that setting do and what are the broader ramifications (if any) of setting it, Shilpi?

It seems like a curious way to "fix" an issue an individual is having on their CF install?  What I mean is, what is it about WCX08's install that they should have this setting set, that my install (also CF 9.0.1, IIS7, etc., but not experiencing the problem) doesn't have?

--

Adam

July 5, 2012

The JVM argument is a way to fix the problem rather than reinstalling the server without installing the security fixes.

As far as the setup is concerned, I would need to see the code and know the complete setup environment in order to comment on that.

itisdesign
Inspiring
July 5, 2012

wcx08 wrote:

Upgraded to CF 9.0.1.

Hi wcx08,

Did you try CF 9.0.2?  It's a full installer w/ all CF 9.0.1 hotfixes, just w/o Verity.

Thanks,

-Aaron

itisdesign
Inspiring
July 4, 2012

wcx08 wrote:

- Running ColdFusion 9.0 with no hotfixes for many years...Everything working great.

- Installed hotfix APSB12-06 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).  This caused problems with sessions.

[...]

new session ID and cftoken IDs are being assigned every time a user navigates to a new page.

Hi wcx08,

Is the code manually setting the CFID/CFTOKEN cookies, as described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour

Meaning, is "Use J2EE Session Variables" disabled, and is setclientcookies=false?

Thanks,

-Aaron

wcx08 (Author)
Known Participant
July 4, 2012

I do have "use J2EE session variables" disabled, however I'm not specifying the "setclientcookies=false" attribute.  I've come across that article before, but I don't understand why code that has worked for over ten years now is suddenly broken by a ColdFusion security update.  Why should my application manually set the cookie variables when it always did it automatically in the past?

I'm going to try to work around this problem before trying to revert to an old installation.

12Robots
Participating Frequently
July 4, 2012

If you have JEE sessions enabled then you do NOT need to set cookie variables manually. Setting them manually, as that article states, is only for CF session tokens because they were not set as session cookies.

Also, as I understand it, the session fixation fixes they made in the security update only affected CF session tokens. JEE tokens never had the problem that they were trying to fix.

I also noticed that the link you provided above to the hotfix points to hotfix APSB12-06 which, as far as I can tell, has nothing to do with the session fixation bug.

jason
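One way to set up the configuration Aaron asks about and jason describes (CF session tokens with setclientcookies=false, the application writing CFID/CFTOKEN itself as session-only cookies), shown as an added illustration that is not code from this thread, from the linked article or from Adobe; the application name and timeout are assumed, and the assumption that CF 9 re-issues new tokens when the cookies no longer match a live session is labelled in the comments:

```cfml
<!--- Application.cfc: added example, not code from the thread or from Adobe.
      Assumes "Use J2EE session variables" is disabled (as in the question), so
      CFID/CFTOKEN are ColdFusion session tokens. If J2EE sessions are enabled,
      the servlet container manages the jsessionid cookie and none of this applies. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">   <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>  <!--- assumed value --->

    <!--- Stop ColdFusion from writing its own persistent CFID/CFTOKEN cookies;
          the application writes them below as session-only cookies instead. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Assumption: with fixation protection, tokens that do not match a live
              session are replaced by freshly generated ones. If the cookies the
              browser sent no longer match the session the server resolved, this
              request already has new tokens; re-issue the cookies so the next
              request carries them, otherwise every request starts a new session
              (the symptom described in the question). --->
        <cfif not structKeyExists(cookie, "CFID")
              or not structKeyExists(cookie, "CFTOKEN")
              or cookie.CFID neq session.CFID
              or cookie.CFTOKEN neq session.CFTOKEN>
            <!--- No "expires" attribute: the browser drops the cookie when it closes,
                  so the token is not persisted on disk. httponly (supported by
                  cfcookie since CF 9) keeps the token out of reach of page scripts. --->
            <cfcookie name="CFID" value="#session.CFID#" httponly="true">
            <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" httponly="true">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

A quick check that the cookies really are session-only is to compare the Set-Cookie headers for CFID/CFTOKEN in the browser's developer tools before and after the change: with the default persistent cookies an expires date is present, with this setup it is absent.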