Skip to main content
G
genadi_mak
Inspiring
June 3, 2020
Question

We need help with Insufficient session expiration

  • June 3, 2020
  • 4 replies
  • 1211 views

Hi,

We have received a report from our security scanner contractor (SSC) who is testing our application for vulnerabilities with new warning as per subject "Insufficient session expiration".

 

The user logged on to application concurrently two times with the same user credentials. Both sessions are using Chrome and, one of the session is Incognito window. 

 

Then, after changing password in one of the sessions (non incognito), the application logged the user out and redirected to login page.

The security requiremets as per SSC, all the sessions opened for the user must be logged out.

Is it possible?

 

We are using CF2016 on Windows Server 2008 R2.

CF is configured to use J2EE session.

I tried different methods to invalidate/delete the session and, nothing seem to work for both sessions. Only one session is logged out.

 

Our logout function is using following to delete a session:

<CFSET StructClear(SESSION)>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cfset sessionInvalidate()>
<cfset getPageContext().getSession().invalidate()>

 

After loggin in to both sessions, I checked session tokens and id's, they do not match. How can I delete both sessions? 

 

Thank you,

Gena

 

    This topic has been closed for replies.

    4 replies

    D
    Dave Watts
    Adobe Expert
    June 4, 2020

    I think the problem here is that you're going to need something outside the session to track and manage the sessions for an individual user. You're starting out with two separate sessions tied to the same user. Logging out of one session doesn't affect the other. Personally, I don't really think that's a serious security risk, but I can see some potential cases where it could be maliciously used.

     

    So, you'll need some other persistent storage, like a database table, where you track logged-in users. When a user logs out, you'll need to set a flag there. On every page load for that user (presumably you'd store a user identifier in the session as a separate variable), you'd need to check for that flag.

     

    Dave Watts, Eidolon LLC

    Dave Watts, Eidolon LLC
    BKBK
    BKBK
    Adobe Expert
    June 3, 2020

    I think the functionality you require isn't built-in in ColdFusion. In fact, the default scenario of most application servers is to grant you a session whenever you successfully log in. Nevertheless, it is relatively easy to implement your at-most-one-session requirement yourself.

     

    From what you describe you've covered the main ground already: your logout function invalidates the session. That is key.

     

    As you are security-conscious, I shall assume that you log every login attempt - successful as well as unsuccessful - in the database. You should also log login and logout times. Using such information you could easily implement what you want as follows.

     

    During login validation, check whether the (username, password) combination is currently logged in. If so, then validation fails. That is, don't log the user in. Inform the user that he or she is currently logged in and that only one session is allowed.     

    WolfShade
    WolfShade
    Brainiac
    June 3, 2020

    You can't see it, but I'm facepalming myself, right now.  Copied the wrong URL.  Here is the one I was talking about.

    https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-s/sessioninvalidate.html

     

    According to the link you provided:

    "Always use the cflogout tag to log out users."

     

    HTH,

     

    ^ _ ^

     

     

    G
    genadi_makAuthor
    Inspiring
    June 4, 2020

    Oh ok. Yes, it does not invalidate J2EE. Thats why I am using <cfset getPageContext().getSession().invalidate()>

    Still doesn't work for me. 

    WolfShade
    WolfShade
    Brainiac
    June 3, 2020

    Hi, Genadi,

     

    According to the help page for invalidateSession, J2EE sessions are not invalidated.

     

    HTH,

     

    ^ _ ^

    G
    genadi_makAuthor
    Inspiring
    June 3, 2020

    Your link is not working. However, according to the link below, getPageContext().getSession().invalidate() invalidates the session... In fact when I dump the session before and after I execute logout script, all the session data is gone. The challenge is that another session in second browser for the same user name still exist. So, my question is, is there way to delete that session too?

     

    https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persistent-data-and-locking/configuring-and-using-session-variables.html

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices