After uninstalling ColdFusion 9 and installing ColdFusion 10, our clients have started calling saying that the system logs them out. Their session expires, and it gets fixed if they clear their cookies, so I assume that the previous CFID and CFTOKEN stored on the client side from CF 9 are generating a conflict with CF 10.
Can anyone help with this problem?
I'm guessing you were not running CF9 previously with all of the security hotfixes, or you probably would have seen this earlier.
CF9, prior to security hotfix 2 (I believe), would create a new session if cookies were passed for a session that didn't exist. Unfortunately, it would use the passed session tokens instead of creating new ones. This is known as a Session Fixation vulnerability. So if the client tries to pass cookies for a session that does not exist, a new session will still be created and new cookies will be set.
You should not count on session cookies existing and reinflating an old session to keep your users logged in for extended periods of time. If you really want "remember me" functionality, you should implement that in a secure way, not in a way that will work with compromised session tokens.
Jason
Thanks for the reply Jason. I basically have a session variable Session.LoggedIn that I set to "Y" after a successful login process. What I see is that even after login and setting this and other session variables, once the user navigates to any page the session variables are lost.
What surprises me is that clearing cookies solves the problem, but I still can't ask all the users to clear their cookies. There has to be a workaround.
Could you give me an example of how to implement it in a secure way without having to use session tokens?
Thank you again
Maintaining a session still requires session variables. I was talking about "remember me" functionality.
The behavior you're describing is unusual and I am not sure if it is being caused by the session fixation protection or not. Old CFID and CFTOKENs can be a real PITA.
I can tell you one way that will likely fix the problem henceforth, and that would be to use JEE session variables instead. It is a flip of a switch in the CFAdmin and will likely completely resolve the issue. And unless you are, anywhere in your code, specifically trying to use CFID and CFTOKEN, then you'd probably never know the difference.
At the same time you could set up code in onSessionStart() to wipe out any existing CFID and CFTOKEN cookies for visitors so that if you ever decided to switch back to CF session tokens, many of those old tokens would have long since been removed.
Jason
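The two measures Jason describes in this thread, expiring leftover CF9 cookies from onSessionStart() and not letting a browser-supplied token become the authenticated session, put together in one Application.cfc. This is an added example, not code from Jason, Adobe or the original poster. It assumes the CFAdmin "Use J2EE session variables" switch is on (so the live session is carried by JSESSIONID and any CFID/CFTOKEN cookie is a CF9 leftover), that CF9 set those cookies with path "/", and that the application name, the login page and the `markLoggedIn` function are placeholders. sessionRotate() is a ColdFusion 10 built-in.

```cfml
<!--- Application.cfc (added example; names below are hypothetical) --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Runs once per new session. Assumes JEE sessions are enabled in CFAdmin,
          so the session rides on JSESSIONID and a CFID/CFTOKEN cookie still held
          by the browser is a CF9 leftover that can be expired safely.
          Caveat: under CF-native sessions this would also expire the cookies
          ColdFusion has just issued for the new session. --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfloop list="CFID,CFTOKEN" index="staleName">
            <cfif structKeyExists(cookie, staleName)>
                <!--- A browser only drops a cookie when name, path and domain match
                      the original; path="/" is the assumed CF9 setting. --->
                <cfcookie name="#staleName#" value="" expires="now" path="/">
            </cfif>
        </cfloop>
    </cffunction>
</cfcomponent>

<!--- login.cfm (hypothetical), reached only after the credential check succeeds --->
<cffunction name="markLoggedIn" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <!--- Issue a fresh session id at the privilege boundary, so whatever id the
          browser arrived with never becomes the logged-in session. --->
    <cfset sessionRotate()>
    <cfset session.loggedIn = "Y">
    <cfset session.username = arguments.username>
</cffunction>
<cfset markLoggedIn(form.username)>
```

The onSessionStart() cleanup is the part that removes the old CF9 cookies for every visitor over time; the sessionRotate() call is what keeps a fixation attempt from mattering even if a stale or attacker-chosen token does reach the server.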
Thanks again Jason
I think I am going to have to go with the onSessionStart() to wipe out any existing CFID and CFTOKEN cookies.
The problem is that I am still using Application.cfm, so what I did is to place
<cfcookie name="cfid" expires="NOW" value='NULL'>
<cfcookie name="cftoken" expires="NOW" value='NULL'>
before I set the session variables and Session.LoggedIn to 'Y', in which case the cookies don't get erased.
It is working without any reported complaints. Let me know if that has got any side effects that I should be careful with.
Thank you for all your help
Alejandro