ihorp86864558
Participant
March 11, 2026
Answered

Weak Session Token Randomness CF Administrator 2023


Weak Session Token Randomness vulnerability found during pentesting in ColdFusion 2023 Administrator

During a recent penetration test, we identified a vulnerability related to weak session token randomness in ColdFusion 2023, specifically impacting the Administrator interface. Our analysis indicates that only about 6 out of 80 characters in the session cookie exhibit sufficient randomness, which poses a risk to session security.

Could you please advise if ColdFusion 2023 offers any configuration options or best practices to enhance the randomness and security of session tokens for the Administrator? Is it possible to customize the session ID generator or enable a stronger session management mechanism?

Any guidance or recommendations to mitigate this vulnerability would be greatly appreciated.

Thank you in advance for your support!

    Correct answer BKBK

    As a result of the feedback from @Brian__, I have duly added the following clarification to the bug ticket:


    Remark, following feedback in the ColdFusion forum:
    To be clear, I did not mean that the entropy of the dynamic part is 72 bits. In fact, I did not look further into what constitutes the dynamic part. I just made an estimate based on the bytes in the Hex string.

    I use the word "maximum" in the context of estimation. That is, “does not exceed” or “is at most”. As I said, this is an estimation technique that requires no knowledge of the details. For example, in the following sense: after 3 throws of a die the sum of the throws has a maximum of 6x3=18. Or even, after 3 throws of a die the sum of the throws has a maximum of 19, as long as you understand by that that I mean “does not exceed”.

    The key point is that the entropy of the dynamic part is much less than 128 bits.


    BKBK
    Community Expert
    March 11, 2026

    Normally the sessionId is of the form

    BKBK_APP_30913_10645822

    Here BKBK_APP is the name of the application, 30313 is the value of session.CFID and 10645822 is the value of session.CFTOKEN.


    If what you want is to increase the randomness of the session token, then the simplest way I know of is to ensure that CFTOKEN is a UUID. To do so:

    1. Open the ColdFusion Administrator.
    2. Go to the page Server Settings » Settings.
    3. Check the checkbox “Use UUID for cftoken” and press the “Submit Changes” button.
    4. Restart ColdFusion for the change to take effect.


    The sessionId will then look like

    BKBK_APP_30914_7d5be597d8fbe378-AA4052FF-B3AF-B1BA-7B8885EA08F28749


    ihorp86864558
    Participant
    March 12, 2026

    We already have all these settings enabled, and even more (Use UUID for cftoken, HTTPOnly, Secure Cookie).
    However, here is an example of session generation.
    Five example cookies:
    cGVudGVzdA1jZmFkbWluMjAyMzE4MDI2NTM3NzMNMTc2OTA4NDE0MDY3NA01N0MzOUE3MjBFQkQ 4N0NG cGVudGVzdA1jZmFkbWluMjAyMzE4MDI2NTM3NzMNMTc2OTA4NDE0MDY3NQ0xMjFDMTI4MTU2Njc 2QTBB cGVudGVzdA1jZmFkbWluMjAyMzE4MDI2NTM3NzMNMTc2OTA4NDE0MDY3NQ1BRkVFRjIwOEE1NTQ 0NTlD cGVudGVzdA1jZmFkbWluMjAyMzE4MDI2NTM3NzMNMTc2OTA4NDE0MDY5Mg04NTFCNkM0NUY0MkU 2NjZF cGVudGVzdA1jZmFkbWluMjAyMzE4MDI2NTM3NzMNMTc2OTA4NDE0MDY5Mw0zODdDNDc5MjFERTk 2NzZE

    Same cookies after Base64 decode:
    pentestcfadmin20231802653773176908414067457C39A720EBD87CF pentestcfadmin202318026537731769084140675121C128156676A0A pentestcfadmin202318026537731769084140675AFEEF208A554459C pentestcfadmin202318026537731769084140692851B6C45F42E666E pentestcfadmin202318026537731769084140693387C47921DE9676D

    My question is only about the CF Administrator at /CFIDE/administrator/index.cfm.

    Only 6 out of 80 characters in the session cookie are considered to have an acceptable level of randomness. The chart indicates the degree of confidence in the randomness of the sample at each character position. The significance level at each position is the probability of the observed character-level results occurring, assuming that the sample is randomly generated.

    Recommended Measures
    Replace the current session ID generation with a cryptographically secure pseudo random number generator (CSPRNG) and ensure that session tokens are long enough and uniformly distributed (for example at least 128 bits of entropy). Avoid deterministic elements (timestamps, usernames, incremental counters) in the token value.

    BKBK
    Community Expert
    March 12, 2026

    Thanks for clarifying. 

    What you have shown are 5 cookie values. What are the respective names?


    For example, when I open the ColdFusion Administrator, tap on F12 (to open Developer Tools) and on F5 (to refresh the page), I see the following cookie name/value pairs:

    CFCLIENT_MYAPP=""

    CFCLIENT_MYAPP0=""

    CFID=30916

    CFTOKEN=e008187272a4b980-AB1B6BD9-F78E-2F87-C6F962D487910D50

    CFGLOBALS=urltoken%3DCFID%23%3D30916%26CFTOKEN%23%3De008187272a4b980%2DAB1B6BD9%2DF78E%2D2F87%2DC6F962D487910D50%23lastvisit%3D%7Bts%20%272026%2D03%2D11%2018%3A19%3A30%27%7D%23hitcount%3D884%23timecreated%3D%7Bts%20%272025%2D12%2D26%2016%3A00%3A17%27%7D%23cftoken%3De008187272a4b980%2DAB1B6BD9%2DF78E%2D2F87%2DC6F962D487910D50%23cfid%3D30916%23

    CFAUTHORIZATION_cfadmin20251861547346=YWRtaW4NY2ZhZG1pbjIwMjUxODYxNTQ3MzQ2DTE3NzMzMTA4NTQxODENMEU3REZFMjU5Q0M3NTA1QQ==

    CFID20251861547346=30918

    CFTOKEN20251861547346=8297cbced9bfb65d-CFA2AAFC-BB3C-69F9-DACA7D00B36F32A
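As an added, defender-side illustration (not code from this thread or from Adobe), the Python below decodes the CFAUTHORIZATION cookie format that appears in both the pentest post and BKBK's reply into its fields and reports which decoded byte offsets actually vary across the five pentest samples. The carriage-return delimiter and the field meanings are inferred from those samples, and the five pentest cookies are rebuilt from the decoded fields shown in the post because the base64 quoted there was split by line wrapping.

```python
import base64
from datetime import datetime, timezone

# CFAUTHORIZATION_* cookie layout as seen in both posts above: four fields
# separated by a carriage return (0x0D): user, admin app name, issue time in
# ms since the epoch, 16-hex-char token. Delimiter and field meanings are
# inferred from those samples (assumption).
FIELD_SEP = b"\r"

def parse_cfauthorization(cookie_b64: str) -> dict:
    """Decode one cookie value into its fields; wrap whitespace is dropped first."""
    raw = base64.b64decode("".join(cookie_b64.split()))
    parts = raw.split(FIELD_SEP)
    if len(parts) != 4:
        raise ValueError(f"expected 4 CR-separated fields, got {len(parts)}")
    user, app, ts_ms, token = (p.decode("ascii") for p in parts)
    return {
        "user": user,
        "app": app,
        "issued_at": datetime.fromtimestamp(int(ts_ms) / 1000, tz=timezone.utc),
        "token_hex": token,
        "token_bits": 4 * len(token),  # upper bound: 16 hex chars hold at most 64 bits
        "total_bytes": len(raw),
    }

def varying_positions(cookies_b64: list) -> list:
    """Byte offsets of the decoded cookies that differ between samples.
    Everything else is predictable from user, app name and the clock."""
    decoded = [base64.b64decode("".join(c.split())) for c in cookies_b64]
    length = len(decoded[0])
    if any(len(d) != length for d in decoded):
        raise ValueError("samples differ in length; group them by user/app first")
    return [i for i in range(length) if len({d[i] for d in decoded}) > 1]

# Cookie value from BKBK's reply above, copied verbatim.
ADMIN_COOKIE = "YWRtaW4NY2ZhZG1pbjIwMjUxODYxNTQ3MzQ2DTE3NzMzMTA4NTQxODENMEU3REZFMjU5Q0M3NTA1QQ=="

# The five pentest cookies, rebuilt from the decoded fields shown in the post
# (its base64 was split by line wrapping) with the CR delimiters restored.
PENTEST_COOKIES = [
    base64.b64encode(FIELD_SEP.join(f.encode() for f in fields)).decode()
    for fields in (
        ("pentest", "cfadmin20231802653773", "1769084140674", "57C39A720EBD87CF"),
        ("pentest", "cfadmin20231802653773", "1769084140675", "121C128156676A0A"),
        ("pentest", "cfadmin20231802653773", "1769084140675", "AFEEF208A554459C"),
        ("pentest", "cfadmin20231802653773", "1769084140692", "851B6C45F42E666E"),
        ("pentest", "cfadmin20231802653773", "1769084140693", "387C47921DE9676D"),
    )
]
```

Run over the five samples, varying_positions returns offsets 41, 42 and 44 to 59: only the last two timestamp digits and the 16 hex characters of the token change, while the first 41 decoded bytes are fixed for a given user and application.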