J2EE/CFID/CFToken Securing Sessions Across Different Users

Explorer, Aug 19, 2011

I'm building an application and I need to store a client variable. The application doesn't make the user log in; it will just store the Client variable for the session. I set up the application to use cookies, but if the user doesn't accept cookies I use the "URLSessionFormat" function to add the CFID/CFToken/JSessionID to the URL string. This works just fine for me to maintain the client variable.

The problem I am having is that users use our application and then copy/paste links to different forums, and the links may contain the CFID/CFToken/JSessionIDs, so other users are able to hijack their session. I need to make sure that a user session cannot be shared between users. I read some forums that said using J2EE session IDs was supposed to kill sessions between users, but it is still happening for me.

Can anyone provide me with some insight on my problem or maybe some good example code on how to use JSession to lock down an application?

Thanks,

James

  • ColdFusion version (ColdFusion 7.02 Enterprise)
  • Server OS (Windows 2003)
  • Webserver (IIS 6.1)
  • Database (MS SQL 2008)
Enthusiast, Aug 19, 2011

A few things to consider:

  1. You can look for changes in User Agent and IP address; if they both change, then you know it is a different person. The problem with this is that many users will have the same user agent, and unless you are on an intranet and know all IPs are unique, people can also share IPs or might be switched to new IPs on different requests.
  2. You can pass your session IDs through hidden form fields. This requires HTTP POSTs for everything the user does and is not ideal, but might improve things for a situation like yours.

There is not much you can do to protect sessions if you allow the IDs to be in the URL; the best place is within cookies.

Explorer, Aug 19, 2011

The application is internet facing and #1 won't work for us. I was using the IP address as part of the security scheme, but recently a local cell phone company changed their network settings and their cell phone users randomly go out one of their 12 proxies on every page request. So, these cell phone users would have a 1 in 12 chance of getting kicked out of the application because their IP address changed.

#2 sounds like it would probably work, but the application has a lot of links, and a search tool that generates more links. I don't know if changing the links to do form submits via JavaScript or changing the links to form buttons would be ideal, like you said.

I wonder if I should just force cookies to be enabled on the end user? Do a check for cookies being turned on; if no cookies, the user gets a "cookies must be enabled to use this application" message? I don't know how ideal that is either.

James
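An Application.cfc along the lines James and the first reply converge on (require cookies, never honour session identifiers from the URL), added here as an example and not code from the thread. The application name and the `cookiecheck` parameter are assumptions, and it sticks to the tag syntax available in ColdFusion 7.

```cfml
<!--- Added example (not from the thread). Application name and the
      "cookiecheck" URL parameter are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "SecureClientVarApp">
    <cfset this.sessionManagement = true>
    <cfset this.clientManagement = true>
    <cfset this.setClientCookies = true>  <!--- identifiers travel only as cookies --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var qs = "">
        <cfset var key = "">

        <!--- 1. Identifiers arriving in the query string (pasted link, bookmark,
              old URLSessionFormat output) are never honoured: rebuild the URL
              without them and redirect. addtoken="no" stops cflocation from
              re-appending CFID/CFTOKEN to the redirect target. --->
        <cfif structKeyExists(url, "CFID") or structKeyExists(url, "CFTOKEN")
              or structKeyExists(url, "jsessionid")>
            <cfloop collection="#url#" item="key">
                <cfif not listFindNoCase("CFID,CFTOKEN,jsessionid", key)>
                    <cfset qs = listAppend(qs, "#key#=#urlEncodedFormat(url[key])#", "&")>
                </cfif>
            </cfloop>
            <cfif len(qs)><cfset qs = "?" & qs></cfif>
            <cflocation url="#cgi.script_name##qs#" addtoken="no">
        </cfif>

        <!--- 2. Cookie test. cgi.http_cookie is the header the browser actually
              sent; the cookie scope is not reliable here because ColdFusion
              populates it with the cookies it is about to set on a new session. --->
        <cfif not findNoCase("CFID=", cgi.http_cookie)
              and not findNoCase("JSESSIONID=", cgi.http_cookie)>
            <cfif structKeyExists(url, "cookiecheck")>
                <!--- Second request still carries no cookies: refuse rather than
                      fall back to putting the identifiers in the URL. --->
                <cfoutput><p>Cookies must be enabled to use this application.</p></cfoutput>
                <cfreturn false>
            <cfelse>
                <!--- First response sets the cookies; redirect once (keeping the
                      original query string) to see whether they come back. --->
                <cfset qs = cgi.query_string>
                <cfif len(qs)><cfset qs = qs & "&"></cfif>
                <cflocation url="#cgi.script_name#?#qs#cookiecheck=1" addtoken="no">
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Returning false from onRequestStart stops ColdFusion from processing the requested page, so the message is all a cookie-less client sees.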

Guide, Aug 19, 2011

Personally, I'd give them the finger if they don't have cookies enabled. Disabling them is an antiquated idea and I genuinely don't understand how people could expect to have any kind of decent internet experience if they've turned them off.

The "putting them in the URL" thing is all well and good, but as you've correctly pointed out, you're basically getting around your own security measures, which defeats the object.

If I browsed a site where every page posted I wouldn't be hanging around, I'd be running away screaming.

Explorer, Aug 19, 2011

Owain,

I think you are right. I turned off my cookies when I was doing testing and looking for solutions. It is a pain in the neck to do anything nowadays without cookies enabled. I think our free service might just be coming with a "cookie disclaimer."

James

Guide, Aug 19, 2011

Perhaps it should simply read:

"You cannot use this site the internet without cookies enabled." ?

LEGEND, Aug 19, 2011

Personally, I'd give them the finger if they don't have cookies enabled.

Hear hear.

--

Adam
