CFID and CFTOKEN still set when using J2EE sessions

Report · Jun 20, 2014

I'm using CF10 and "Use J2EE session variables" is selected in the CF admin.

When I visit an application, I get the JSESSIONID cookie, but I also get the CFID and CFTOKEN persistent cookies. The app I'm working with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.

I'm not sure why CFID and CFTOKEN are still set. Are they set regardless of the client and session management settings?

Report · Jun 20, 2014

Hello!

Yes, are set...

I can not say exactly why remains the CFID CFTOKEN and the cookie but I know that even with them there you can only capture and enjoy a session, including the session traker API, via jsessionid. Have made myself this question and the only conclusion I reached was that the CF should create linkages within the internal structure linking it somehow to the jsessionid but as the tract of a session CFID CFTOKEN and has no influence on the session available to the user.

Report · Jun 20, 2014

When you opt to use J2EE session management, the cookie scope includes the variables cookie.jsessionid, cookie.CFID and cookie.CFToken. I do believe that that is just how ColdFusion plays it.

Report · Jun 23, 2014

Thanks to both Eduardo and BKBK for the replies.

As Eduardo mentioned, when using J2EE session management, CFID and CFTOKEN do not appear to be connected to the session. By creating a session in one browser and manipulating the cookies in a 2nd browser, I was able to steal the session using jsessionid but not with CFID and CFTOKEN.

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies. Is there any way to force CF to set CFID and CFTOKEN as session cookies instead?

Report · Jun 23, 2014

cherdt wrote:

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies.

The auditing software must be giving you a false positive. In my opinion, CFID and CFTOKEN cookies are non-persistent, and cannot outlast the session in which they are created.

Report · Jun 23, 2014

cherdt

There are ways to force the CF create cookies SESSION simply change the cfcookie to be a session cookie and tag you find these two links:

http://www.bennadel.com/blog/1131-ask-ben-ending-coldfusion-session-when-user-closes-browser.htm

http://www.johnwbartlett.com/cf_tipsntricks/index.cfm?TopicID=75

BKBK

I agree with his statement and is so even though the documentation says.

Report · Jun 24, 2014

When I followed Ben Nadel's post on forcing the CFID and CFTOKEN as session cookies, I found that those cookies are not set at all if the the application's SetClientCookies property is set to a false value:

<cfset THIS.SetClientCookies = "No">

As the docs (well, the CF8 docs that Google found) point out, the default value for SetClientCookies is true, so that's why I was getting CFID and CFTOKEN.

Thanks for pointing me in the right direction!

Adobe Community

CFID and CFTOKEN still set when using J2EE sessions

1 Correct answer