Session Hijacking & Dynamic Proxies

On 2008-11-30 02:00:53 +0200, "ProjectedSurplus"
<webforumsuser@macromedia.com> said:

> In researching something different I google-stumbled upon:
>
> http://evolt.org/Session_Hijacking_Cold_Fusion_Dynamic_Proxies
>
> In Oct 2000 this link relates that if
>
> 1) A user signs in (thereby SESSION.auth.IsSignedIn is set to "true")
>
> 2) gets the URL:
> http://myWebsite.com/index.cfm?CFID=2110&CFTOKEN=f444ead2530cb1f-9C40767F-92DF-D
DB9-010E9B7CA863579F


>
> 3) copies and (say) IM's that URL to a "friend" (or it is detected by a packet
> sniffer)
>
> Then the unauthorized "friend" has at least 20 mins (ie until SESSION timeout)
> during which they can use this URL & info and be "Signed In" (fwiw I cut and
> pasted it into different browsers on different machines -- all using the same
> IP though -- and all reported back as "SignedIn").

This is not a ColdFusion specific problem, it's a fundamental design
issue in HTTP: http://en.wikipedia.org/wiki/Session_hijacking

> Has anything changed to address this problem since 2000?

The problem is now widely known and researched and there is much more
info about ways to protect against it. But the problem is very unlikely
to go away as long as HTTP is used as a transport protocol.


> I thought the cfid and cfurl were sent in cookies and not shown in the url --
> why in this case do they appear? (I have <cfset this.setClientCookies = true>
> in Application.cfc)

<cflocation addToken="yes"> or <a href="###Session.URLToken#"> (unlikely)

> Can I prevent the cfid and cfurl appearing and will this make a difference?

Don't use <cflocation addToken="yes". And yes, it will make a
difference. Tying the user session to the IP and browser will reduce
the attack surface considerably (not eliminate it though).

> Is the solution addressed in the article (setting and comparing a cookie and a
> SESSION variable) worthwhile?

Yes, it's another step reducing the attack surface.

> Is AOL still a rotating proxy ISP?

Don't know.


--
Mack