Inspiring
September 10, 2014
Answered

real use of CFID and CFTOKEN

  • September 10, 2014
  • 1 reply
  • 50016 views

Hi All,

Normally, if a request goes to a CF server, the server will generate two tokens, CFID (say 100) and CFTOKEN (say 200), and these are saved as session cookies in the browser. This mechanism is for maintaining a session. And now, if the session expires, say after 20 minutes, the server will generate new tokens (say 300 and 400). This is how CF session management works, if I am not wrong.

I think in most cases we are not using the generated tokens (CFID and CFTOKEN) in our cfm or cfc code; at least I didn't. So my question is: what is the real use of CFID and CFTOKEN until and unless we are using those tokens while coding? These questions arose in my mind when I was fixing some vulnerability issues as part of a PCI scan, where I had to secure session cookies. So I was wondering whether it was really necessary to secure those session cookies, as we are not using those cookies anywhere in our application; rather, those cookies are just used for session management. Or what can a hacker do if he/she is able to steal those cookies?

Any thoughts on this.

This topic has been closed for replies.
Correct answer BKBK

You raise a number of questions.

Abdul L Koyappayil wrote:

Normally, if a request goes to a CF server, the server will generate two tokens, CFID (say 100) and CFTOKEN (say 200), and these are saved as session cookies in the browser. This mechanism is for maintaining a session. And now, if the session expires, say after 20 minutes, the server will generate new tokens (say 300 and 400). This is how CF session management works, if I am not wrong.

Not wrong, but with one addition. The new session has a CFID of 101. That is relevant.

I think in most cases we are not using the generated tokens (CFID and CFTOKEN) in our cfm or cfc code; at least I didn't.

Even if you don't use CFID and CFToken explicitly in your code, ColdFusion will use the cookies in the background to communicate with browsers. I am assuming, of course, that session management is enabled.

So my question is: what is the real use of CFID and CFTOKEN until and unless we are using those tokens while coding?

Communication via HTTP(S) is stateless. This means that servers are so designed that they have no obligation to remember or to store any details about the client's request.

One implication of this is that, by default, every new request to the ColdFusion server will start a new session. With merely 10 000 clients, each making on average 100 requests, ColdFusion will generate a million unrelated sessions, which it will temporarily hold in memory. Clearly, one session per request is inefficient. Hence the need for session management.

Session management is a mechanism for uniquely identifying and grouping requests that belong together, for example, the requests from a particular client at a particular time. This effectively creates a stateful protocol on top of the HTTP(S) communication.

ColdFusion manages session typically by means of cookies. Cookies uniquely identify the client, and keep track of his requests, as he navigates from one request to the next. The real use of CFID and CFToken is to maintain a user's session in this way. (If cookies are disabled, then you must pass the CFID and CFToken values in the URL to maintain session.)

These questions arose in my mind when I was fixing some vulnerability issues as part of a PCI scan, where I had to secure session cookies. So I was wondering whether it was really necessary to secure those session cookies, as we are not using those cookies anywhere in our application; rather, those cookies are just used for session management. Or what can a hacker do if he/she is able to steal those cookies?

As Steve Sommers said in your previous thread, you can safely ignore the warning from the PCI scanner. The reason why the scanner flags ColdFusion's session cookies as vulnerable is that it detects CFID as being sequential, hence predictable. Rightly, too. (Recall my earlier remark about 101.) However, the scanner is unaware that CFID is just one part of a double-act, and that both CFID and CFToken are obligatory in the definition of a ColdFusion session.

CFToken happens to be random and unique enough to be secure, and so the combination of CFID and CFToken is secure. You could therefore use them, in place of the JSESSIONID cookie, to maintain session. That answers your immediate question.

Nevertheless, a complication might arise if you use client variables as well. This excerpt from the Adobe documentation on 'Managing the client state' says it all:

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user’s browser. These cookies persist until the client’s browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.
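The answer above explains what a PCI scanner actually detects: CFID increments by one per session, so on its own it is predictable, while CFTOKEN is the random half of the pair. The following is an added example (not from this thread, the Adobe documentation, or ColdFusion itself) that performs the same review a defender would do on captured Set-Cookie headers: it parses the CFID/CFTOKEN pairs, checks whether CFID is sequential, estimates how guessable CFTOKEN is, and reports any missing Secure/HttpOnly attributes. The header values are constructed for illustration and are not real ColdFusion output.

```python
import math
import re
from collections import Counter

# Constructed Set-Cookie headers for three new sessions (made-up values,
# laid out the way a ColdFusion server would issue them).
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=100; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=83e9f2a1c4b7d6e0; Path=/; HttpOnly",
    "Set-Cookie: CFID=101; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=5d0c7b3a9e1f2486; Path=/; HttpOnly",
    "Set-Cookie: CFID=102; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=c2a6e8f104b97d35; Path=/; HttpOnly",
]

COOKIE_RE = re.compile(r"Set-Cookie:\s*([A-Za-z0-9_]+)=([^;]+)((?:;\s*[^;]+)*)")

def parse_cookies(headers):
    """Return {NAME: [(value, {attribute names}), ...]} from Set-Cookie lines."""
    found = {}
    for h in headers:
        m = COOKIE_RE.match(h)
        if not m:
            continue
        name, value, attrs = m.group(1).upper(), m.group(2), m.group(3)
        flags = {a.strip().split("=")[0].lower() for a in attrs.split(";") if a.strip()}
        found.setdefault(name, []).append((value, flags))
    return found

def cfid_is_sequential(values):
    """True when each CFID is the previous one plus one: the pattern a scanner flags."""
    nums = [int(v) for v in values]
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

def bits_of_entropy(value):
    """Shannon entropy per character times length: a rough guessability bound."""
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n

def missing_flags(flag_sets, required=("secure", "httponly")):
    """Attributes absent from at least one cookie instance (PCI hardening check)."""
    return sorted({f for f in required for flags in flag_sets if f not in flags})

def assess(headers):
    """Summarise the session-cookie review: CFID alone vs. the CFID+CFTOKEN pair."""
    cookies = parse_cookies(headers)
    cfid = [v for v, _ in cookies.get("CFID", [])]
    cftoken = [v for v, _ in cookies.get("CFTOKEN", [])]
    flags = [f for name in ("CFID", "CFTOKEN") for _, f in cookies.get(name, [])]
    return {
        "cfid_sequential": cfid_is_sequential(cfid),
        "cftoken_min_bits": min(bits_of_entropy(t) for t in cftoken) if cftoken else 0.0,
        "distinct_pairs": len(set(zip(cfid, cftoken))) == len(cfid),
        "missing_flags": missing_flags(flags),
    }
```

On the sample, the result shows exactly the situation the answer describes: CFID is sequential, the CFTOKEN half carries about 62 bits, every (CFID, CFTOKEN) pair is distinct, and the Secure attribute is the hardening item still missing.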

Inspiring
September 15, 2014

Thanks for your detailed explanations. I understood.

BKBK wrote:

You raise a number of questions.

BK, the forum is used for asking questions and to discuss those questions among many people. Right? ...

BKBK
Community Expert
September 15, 2014

Abdul L Koyappayil wrote:

Should you have further questions, please do bring them to the forum. A forum without questions is a bazaar without merchandise.