Skip to main content
E
elizabeth1474
Participant
January 3, 2020
Question

switching from cookie storage to client storage

  • January 3, 2020
  • 2 replies
  • 842 views

Recently my app was scanned for vulnerabilities and I was flagged for a few - mostly pertaining to the client variables and the assoicated cookies.  Specifically with a cookie being utilized called CFClient_SMITH (let's just say that my application is called SMITH). My hosting site does not allow session variables, so I must use client variables.  Evidently because there is not client storage set, all of the client varaibles are now being stored in the CFClient_SMITH and are available for the picking.  I am getting nailed for Privilege Escalation, User Impersonation, Forced browsing - just to name a few.

 

I was told that by naming a clientstorage value this would eliminate this issue.  The hosting group told me to use a specific clientstorage value (let's say APPLE) and to set the client cookies to no as shown below:

<cfapplication name="SMITH"

        applicationtimeout="#createTimeSpan(0,4,0,0)#"

        clientmanagement="Yes"

        setclientcookies="No"

        setdomaincookies="yes"

        clientstorage="apple"

        sessionmanagement="No"

        scriptprotect="all"

 

So I thought that was all I needed, but the website worked in IE 11 but not in FireFox and Chrome. 

My question is - is this the correct approach?  And if yes, then I assume that I now need to go back into all of the code and append the cookies to the pages that really need them to be passed to using:

<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfform method="Post" action="#myEncodedURL#">

 

Any help and guidance you can provide is greatly appreciated!

Libby Hornbostel

This topic has been closed for replies.

2 replies

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
January 7, 2020

Hi Libby,

 

First off, I agree with Charlie that database storage is your best option. It's either that, or storage in the registry. But this latter option is universally considered to be unacceptable. For one thing, storing ColdFusion client data in the registry can have adverse impact on the Operating System.

 

Assuming apple is a datasource containing tables that are correctly configured for ColdFusion client-variables, then the following settings are sufficient:

 

<cfapplication name="SMITH"

        applicationtimeout="#createTimeSpan(0,4,0,0)#"

        clientmanagement="yes"

        clientstorage="apple"

        setclientcookies="no"

        setdomaincookies="no"

        sessionmanagement="no"

        scriptprotect="all">

 

 

Charlie Arehart
Community Expert
Charlie ArehartCommunity Expert
Community Expert
January 7, 2020

Sure, you still show using setclientcookies=no, which I'd argue we should not. To be clear, that's not what controls whether cf stores client variables IN cookies (the point of the original question). That's the clientstorage attribute.

 

For interested readers, I will repeat that Setclientcookies simply controls whether cf should use cookie to TRACK that a browser is connected to cf with the cfid/cftoken cookies, for use with either cf client or session vars. If you turn it off this way, then you need to pass the cfid/cftoken yourself on every request. That's an old approach from the days when some browsers or orgs did not support ANY cookies. 

/Charlie (troubleshooter, carehart. org)
BKBK
Community Expert
BKBKCommunity Expert
Community Expert
January 8, 2020

Just an oversight, Charlie.

Libby, that should in fact read:

<cfapplication name="SMITH"
applicationtimeout="#createTimeSpan(0,4,0,0)#"
clientmanagement="yes"
clientstorage="apple"
setclientcookies="yes"
setdomaincookies="no"
sessionmanagement="no"
scriptprotect="all">
Charlie Arehart
Community Expert
Charlie ArehartCommunity Expert
Community Expert
January 4, 2020

You don't need to use the setclientcookies=no to solve your problem. That's what's making you think you'd have to pass the session id's on each request.

 

And it is NOT  what is causing the colors with all the client variable values. That will be stopped once you use that clientstorage pointing to a db.

 

But do be sure to delete the existing cookies to see the difference take effect. (That's probably why it seemed to "work"on one browser and not another, if the failing ones already had cf cookies set for the app.)

 

Let us know how it goes. 

/Charlie (troubleshooter, carehart. org)
Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices