On 2008-11-30 02:00:53 +0200, "ProjectedSurplus"
<webforumsuser@macromedia.com> said:
> In researching something different I google-stumbled upon:
>
> http://evolt.org/Session_Hijacking_Cold_Fusion_Dynamic_Proxies
>
> In Oct 2000 this link relates that if
>
> 1) A user signs in (thereby SESSION.auth.IsSignedIn is set to "true")
>
> 2) gets the URL:
> http://myWebsite.com/index.cfm?CFID=2110&CFTOKEN=f444ead2530cb1f-9C40767F-92DF-DDB9-010E9B7CA863579F
>
> 3) copies and (say) IM's that URL to a "friend" (or it is detected by a packet sniffer)
>
> Then the unauthorized "friend" has at least 20 mins (ie until SESSION timeout) during which they can use this URL & info and be "Signed In" (fwiw I cut and pasted it into different browsers on different machines -- all using the same IP though -- and all reported back as "SignedIn").
This is not a ColdFusion specific problem, it's a fundamental design issue in HTTP:
http://en.wikipedia.org/wiki/Session_hijacking
> Has anything changed to address this problem since 2000?
The problem is now widely known and researched and there is much more info about ways to protect against it. But the problem is very unlikely to go away as long as HTTP is used as a transport protocol.
> I thought the cfid and cfurl were sent in cookies and not shown in the url -- why in this case do they appear? (I have <cfset this.setClientCookies = true> in Application.cfc)
<cflocation addToken="yes"> or <a href="###Session.URLToken#"> (unlikely)
> Can I prevent the cfid and cfurl appearing and will this make a difference?
Don't use <cflocation addToken="yes">. And yes, it will make a difference. Tying the user session to the IP and browser will reduce the attack surface considerably (not eliminate it though).
> Is the solution addressed in the article (setting and comparing a cookie and a SESSION variable) worthwhile?
Yes, it's another step reducing the attack surface.
> Is AOL still a rotating proxy ISP?
Don't know.
--
Mack
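The three mitigations discussed above (keep CFID/CFTOKEN in cookies and off the URL, bind the session to IP and browser, and pair the session with a second cookie that is compared on every request) can all live in Application.cfc. The following is an added example written for this thread, not code from the evolt article or from any poster; the application name, the `PAIRING` cookie and the `signIn()` helper are assumed names, and the script-style `cfcookie()` / `cflocation()` calls need ColdFusion 11+ or Lucee.

```cfml
// Application.cfc (added example, not code from the thread)
component {
    this.name = "sessionPairingDemo";                    // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);   // the 20 minute window mentioned in the post
    this.setClientCookies = true;                        // CFID/CFTOKEN travel as cookies, not in URLs

    public boolean function onSessionStart() {
        session.auth = { isSignedIn = false };
        return true;
    }

    // Assumed helper: call once the credentials have been verified (not a ColdFusion built-in).
    public void function signIn(required string username) {
        // 1) Bind the session to the client's IP address and browser.
        session.clientFingerprint = hash(cgi.remote_addr & "|" & cgi.http_user_agent, "SHA-256");
        // 2) Issue a second secret that only ever travels in a cookie, never in a URL,
        //    and keep the server-side copy in the SESSION scope for comparison.
        session.pairingNonce = hash(createUUID() & getTickCount(), "SHA-256");
        cfcookie(name="PAIRING", value=session.pairingNonce, httpOnly=true);
        session.auth = { isSignedIn = true, username = arguments.username };
    }

    public boolean function onRequestStart(required string targetPage) {
        var expectedFingerprint = "";
        var presentedNonce = "";
        if (session.auth.isSignedIn) {
            expectedFingerprint = hash(cgi.remote_addr & "|" & cgi.http_user_agent, "SHA-256");
            presentedNonce = structKeyExists(cookie, "PAIRING") ? cookie.PAIRING : "";
            // A CFID/CFTOKEN URL pasted into another browser arrives without the PAIRING
            // cookie (and usually from another IP/User-Agent), so the session is discarded.
            if (expectedFingerprint != session.clientFingerprint || presentedNonce != session.pairingNonce) {
                sessionInvalidate();
                cflocation(url="/index.cfm", addToken=false);   // never append CFID/CFTOKEN to redirects
            }
        }
        return true;
    }
}
```

The IP part of the fingerprint is the piece that interacts with the rotating-proxy question at the end of the thread: clients whose source address changes between requests will be signed out by this check, which is why the reply calls it a reduction of the attack surface rather than an elimination. The cookie/SESSION comparison does not depend on the address and keeps working in that case.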