When I create a session variable, I know that it is stored on the server, and not on the client. But what I am wondering is does the session only exist for the specific client that triggered it to be created? For example, if I create a session variable that says something like:
<cfif isDefined("session.user12")>
<!--- LOG IN THE USER --->
</cfif>
Let's say session.user12 was created when somebody logged into the site earlier and it still exists. Will this log in anybody who lands on the site, or will it only log in the person who triggered session.user12 to be created earlier?
Ben
Here is briefly how it works:
When you set up your application to use sessions, ColdFusion will generate and send to the client (by some means...) a random token known as a session-id, in such a way that the client will send it back to the server with each subsequent request.
ColdFusion then uses that information to locate a pool of values, peculiar to that session, and makes it available to you as "session variables." It provides several ways to manage this process, all of them mostly-invisible to you. It also provides session-security features that help to avoid hijacking.
That is the intent, but the system is not infallible.
Session state is dependent on either a pair of values called CFID and CFTOKEN, or a single value JSESSIONID if that option has been chosen in the administrator configuration. These values are normally passed back and forth between the server and the client as cookies. There is an option to pass these tokens through URL query string key-value pairs to support the older days when cookies were sometimes not desired. Thus any request that ColdFusion receives that contains valid, unexpired tokens will associate that request with the specified session state.
If these tokens somehow get shared between clients, then ColdFusion will think all such clients are part of the same session. This happens more often with the URL version, where links can be saved, bookmarked, cut and pasted, or otherwise passed around with the token values. But it also sometimes happens with the cookie version. This is known to happen with improperly functioning proxy servers that cache cookie data for all the clients they may be proxying for.
Thanks for the replies,
I am still a little confused, so I will explain my particular reason for asking. This is mainly a security issue for me. I recently learned about packet sniffing in one of my classes, and since I am storing cookies on users' computers with their username and password for my website, I am worried that somebody may be able to intercept one of the cookies and get into somebody's account. When someone logs in, here is the code I execute:
<!--- LOG IN USER FORM VALIDATION --->
<cfif isDefined("form.loginuser")>
    <cfquery datasource="#datasource#" name="qUserListing">
        SELECT *
        FROM userlisting
        WHERE username = '#form.username#' AND userpass = '#form.userpass#'
    </cfquery>
    <cfif qUserListing.RecordCount GT 0 AND Compare(form.userpass, qUserListing.userpass) EQUAL 0>
        <cfif qUserlisting.aactive EQUAL 1>
            <cfset loggedin = 1>
            <!--- clear any old login cookies, then set new ones that never expire --->
            <cfcookie name="userid" expires="now">
            <cfcookie name="userpass" expires="now">
            <cfcookie name="userid" value="#qUserListing.id#" expires="never">
            <cfcookie name="userpass" value="#qUserListing.userpass#" expires="never">
            <cfif isDefined("act") AND act EQUAL "login">
                <cflocation url="#normallink#index.cfm" addtoken="no">
            </cfif>
        <cfelse>
            <cfset invalidlogin = "notactive">
        </cfif>
    <cfelse>
        <cfset invalidlogin = "nomatch">
    </cfif>
</cfif>
Every time a page loads on my website, this is the code that executes to check and see if a user is logged in:
<!--- CHECK TO SEE IF A USER IS LOGGED IN --->
<cfif isDefined("Cookie.userid") AND isDefined("Cookie.userpass")>
    <!--- IF THE USER IS LOGGED IN, ENSURE IT IS A VALID USER --->
    <cfquery name="qUserListing" datasource="#datasource#">
        SELECT *
        FROM userlisting
        WHERE id = '#Cookie.userid#' AND userpass = '#Cookie.userpass#'
    </cfquery>
    <cfif qUserListing.RecordCount GT 0 AND Compare(Cookie.userpass, qUserListing.userpass) EQUAL 0>
        <cfset loggedin = 1>
    </cfif>
</cfif>
Is this a secure way to do things? I feel like since the user is passing a cookie to my website with valuable information in it, it isn't very secure. How would I go about doing this in a more secure fashion? Are session variables what I should use instead?
Thanks,
Ben
Session variables would be slightly better, as they would limit the window of opportunity to hijack a user's session. With you passing the login credentials in cookies, if they are intercepted the hacker has the information he needs to log in at any time. If this information were in session variables and only the session ID tokens were passed in the cookies, then the opportunity to access the site only exists until the session times out. This is 20 minutes of inactivity by a user by default, but this timeout can be configured to whatever value is appropriate for your application.
But the real answer to your conundrum is that if security is of concern for your application, then you should not be passing any values back and forth in unencrypted cookies. The normal way to encrypt the communications between your web server and the client is with SSL.
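Pulling together the two replies above (the CFID/CFTOKEN cookie-versus-URL point and the advice to keep login state in session variables), here is an added example of what the poster's login would look like rewritten that way. It is not code from this thread; it reuses the poster's datasource, normallink, userlisting and aactive names, assumes ColdFusion 10 or later for SessionRotate(), SessionInvalidate() and the this.sessionCookie settings, and assumes the userpass column now stores Hash(password, "SHA-512") rather than the clear-text password the original compared against.

```cfml
<!--- Application.cfc: turn on server-side sessions and keep the session tokens in cookies only --->
<cfcomponent>
    <cfset this.name = "BensSite">                          <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>   <!--- 20 minutes idle, the default --->
    <cfset this.setClientCookies = true>                    <!--- CFID/CFTOKEN sent as cookies, never in URLs --->
    <!--- CF10+: cookie not readable by script, and only sent over SSL, which the reply above recommends --->
    <cfset this.sessionCookie = { httpOnly = true, secure = true }>
</cfcomponent>

<!--- login.cfm: validate the form, then record the login in the session scope; no cookie ever carries the password --->
<cfif isDefined("form.loginuser")>
    <cfquery datasource="#datasource#" name="qUserListing">
        SELECT id, userpass, aactive
        FROM userlisting
        WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- assumption: userpass holds Hash(password, "SHA-512"); Compare() is case-sensitive, so hex case must match --->
    <cfif qUserListing.recordCount EQ 1
          AND Compare(qUserListing.userpass, Hash(form.userpass, "SHA-512")) EQ 0>
        <cfif qUserListing.aactive EQ 1>
            <!--- issue a fresh CFID/CFTOKEN at login so a token fixed or sniffed before login is worthless --->
            <cfset SessionRotate()>
            <cfset session.userid = qUserListing.id>
            <cfset session.loggedin = true>
            <cflocation url="#normallink#index.cfm" addtoken="no">
        <cfelse>
            <cfset invalidlogin = "notactive">
        </cfif>
    <cfelse>
        <cfset invalidlogin = "nomatch">
    </cfif>
</cfif>

<!--- on every page: trust only the server-side session; no database round trip and no client-supplied password --->
<cfset loggedin = structKeyExists(session, "loggedin") AND session.loggedin>

<!--- logout.cfm: throw away the server-side state so the old tokens no longer map to anything --->
<cfset SessionInvalidate()>
<cflocation url="#normallink#index.cfm" addtoken="no">
```

With this layout the only thing on the wire is the session token, it is useless after the idle timeout or a logout, and with secure = true plus SSL on the site it is not sent in the clear at all. The cfqueryparam tag also closes the SQL injection in the original WHERE clause, which the thread does not discuss but which would let a visitor bypass the login regardless of where the credentials are stored. The SHA-512 placeholder is only there to avoid storing clear-text passwords; a salted, deliberately slow password hash is the better choice for a real site.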
I figured this one out. I was unaware that ColdFusion had encrypt, decrypt, and generateEncryptionKey functions.