We need help with Insufficient session expiration

Report · Jun 03, 2020

Hi,

We have received a report from our security scanner contractor (SSC) who is testing our application for vulnerabilities with new warning as per subject "Insufficient session expiration".

The user logged on to application concurrently two times with the same user credentials. Both sessions are using Chrome and, one of the session is Incognito window.

Then, after changing password in one of the sessions (non incognito), the application logged the user out and redirected to login page.

The security requiremets as per SSC, all the sessions opened for the user must be logged out.

Is it possible?

We are using CF2016 on Windows Server 2008 R2.

CF is configured to use J2EE session.

I tried different methods to invalidate/delete the session and, nothing seem to work for both sessions. Only one session is logged out.

Our logout function is using following to delete a session:

After loggin in to both sessions, I checked session tokens and id's, they do not match. How can I delete both sessions?

Thank you,

Gena

Report · Jun 03, 2020

Hi, Genadi,

According to the help page for invalidateSession, J2EE sessions are not invalidated.

HTH,

^ _ ^

Report · Jun 03, 2020

Your link is not working. However, according to the link below, getPageContext().getSession().invalidate() invalidates the session... In fact when I dump the session before and after I execute logout script, all the session data is gone. The challenge is that another session in second browser for the same user name still exist. So, my question is, is there way to delete that session too?

https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persis...

Report · Jun 03, 2020

You can't see it, but I'm facepalming myself, right now. Copied the wrong URL. Here is the one I was talking about.

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-s/sessioninvalidate...

According to the link you provided:

"Always use the cflogout tag to log out users."

HTH,

^ _ ^

Report · Jun 04, 2020

Oh ok. Yes, it does not invalidate J2EE. Thats why I am using <cfset getPageContext().getSession().invalidate()>

Still doesn't work for me.

Report · Jun 03, 2020

I think the functionality you require isn't built-in in ColdFusion. In fact, the default scenario of most application servers is to grant you a session whenever you successfully log in. Nevertheless, it is relatively easy to implement your at-most-one-session requirement yourself.

From what you describe you've covered the main ground already: your logout function invalidates the session. That is key.

As you are security-conscious, I shall assume that you log every login attempt - successful as well as unsuccessful - in the database. You should also log login and logout times. Using such information you could easily implement what you want as follows.

During login validation, check whether the (username, password) combination is currently logged in. If so, then validation fails. That is, don't log the user in. Inform the user that he or she is currently logged in and that only one session is allowed.

Report · Jun 04, 2020

I think the problem here is that you're going to need something outside the session to track and manage the sessions for an individual user. You're starting out with two separate sessions tied to the same user. Logging out of one session doesn't affect the other. Personally, I don't really think that's a serious security risk, but I can see some potential cases where it could be maliciously used.

So, you'll need some other persistent storage, like a database table, where you track logged-in users. When a user logs out, you'll need to set a flag there. On every page load for that user (presumably you'd store a user identifier in the session as a separate variable), you'd need to check for that flag.

Dave Watts, Eidolon LLC