Inspiring
August 19, 2011
Question

J2EE/CFID/CFToken Securing Sessions Across Different Users


I'm building an application and I need to store a client variable. The application doesn't make the user log in, it will just store the Client variable for the session. I set up the application to use cookies, but if the user doesn't accept cookies I use the "URLSessionFormat" function to add the CFID/CFToken/JSessionID to the URL string. This works just fine for me to maintain the client variable.

The problem I am having is that users use our application and then copy/paste links to different forums; the links may contain the CFID/CFToken/JSessionIDs, and other users are able to hijack their session. I need to make sure that a user session cannot be shared between users. I read some forums that said using J2EE session IDs was supposed to kill sessions between users, but it is still happening for me.

Can anyone provide me with some insight on my problem or maybe some good example code on how to use JSession to lock down an application?

Thanks,

James

  • ColdFusion version (ColdFusion 7.02 Enterprise)
  • Server OS (Windows 2003)
  • Webserver (IIS 6.1)
  • Database (MS SQL 2008)


pete_freitag
Participating Frequently
August 19, 2011

A few things to consider:

  1. You can look for changes in User Agent and IP address; if they both change then you know it is a different person. The problem with this is that many users will have the same user agent, and unless you are on an intranet and know all IPs are unique, people can also share IPs or might be switched to new IPs on different requests.
  2. You can pass your session IDs through hidden form fields. This requires HTTP POSTs for everything the user does and is not ideal, but might improve things for a situation like yours.

There is not much you can do to protect sessions if you allow the IDs to be in the URL; the best place is within cookies.

unleashed (Author)
Inspiring
August 19, 2011

The application is internet facing and #1 won't work for us. I was using the IP address as part of the security schema, but recently a local cell phone company changed their network settings and their cell phone users randomly go out one of their 12 proxies every page request. So, these cell phone users would have a 1 in 12 chance of getting kicked out of the application because their IP address changed.

#2 sounds like it would probably work, but the application has a lot of links. And, a search tool that generates more links. I don't know if changing the links to do form submits via JavaScript or changing the links to form buttons would be ideal, like you said.

I wonder if I should just force cookies to be enabled on the end user? Do a check for cookies being turned on. If no cookies, the user gets a "cookies must be enabled to use this application" message? I don't know how ideal that is either.

James
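The two defensive points raised in this thread, worked together: never honour a session identifier that arrives in the URL (the reply above), and probe for cookie support instead of falling back to URLSessionFormat (the approach James is weighing). This is an added Python example, not ColdFusion code from the thread; the `cookiecheck` marker parameter, the function names and the sample URLs are assumptions.

```python
# Constructed example (not code from this thread): refuse session identifiers
# that arrive in a URL, and probe for cookie support instead. The session ID
# belongs in a cookie; URLSessionFormat() appends CFID/CFTOKEN/jsessionid to
# links, so a pasted link carries the session with it.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_TOKENS = {"cfid", "cftoken", "jsessionid"}  # query or cookie names, any case
JSESSIONID_PATH = re.compile(r";jsessionid=[^/;?#]*", re.IGNORECASE)
PROBE_PARAM = "cookiecheck"  # assumed marker name for the cookie round-trip


def strip_session_tokens(url):
    """Return (clean_url, leaked): the URL with session tokens removed from the
    query string and from a servlet-style ';jsessionid=' path parameter, and
    the lower-cased names of the tokens that were found."""
    parts = urlsplit(url)
    leaked, path = [], parts.path
    if JSESSIONID_PATH.search(path):
        leaked.append("jsessionid")
        path = JSESSIONID_PATH.sub("", path)
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_TOKENS:
            leaked.append(key.lower())
        else:
            kept.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment)), leaked


def classify_request(url, cookies):
    """`cookies` is the parsed Cookie header (dict). Returns one of:
    ("redirect", clean_url)     token in URL: never honour it, redirect to clean URL
    ("ok", None)                session identified by cookie, proceed
    ("cookie_probe", probe_url) no cookie yet: set one and redirect to probe_url
    ("cookies_required", None)  probe came back without a cookie: show the
                                "cookies must be enabled" message"""
    clean, leaked = strip_session_tokens(url)
    if leaked:
        return "redirect", clean
    if any(name.lower() in SESSION_TOKENS for name in cookies):
        return "ok", None
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if query.get(PROBE_PARAM) == "1":
        return "cookies_required", None
    query[PROBE_PARAM] = "1"
    probe = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
    return "cookie_probe", probe
```

A request handler calls `classify_request` before touching the session; on `cookie_probe` it sets the session cookie in the response and redirects to `probe_url`, so a link copied from any page never contains a token.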

Owainnorth
Inspiring
August 19, 2011

Personally, I'd give them the finger if they don't have cookies enabled. Disabling them is an antiquated idea and I genuinely don't understand how people could expect to have any kind of decent internet experience if they've turned them off.

The "putting them in the url" thing is all well and good, but as you've correctly pointed out - you're basically getting around your own security measures, which defeats the object.

If I browsed a site where every page posted I wouldn't be hanging around, I'd be running away screaming.