CFID and CFTOKEN still set when using J2EE sessions

cherdt (Participant), Jun 20, 2014

I'm using CF10 and "Use J2EE session variables" is selected in the CF admin.

When I visit an application, I get the JSESSIONID cookie, but I also get the CFID and CFTOKEN persistent cookies. The app I'm working with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.

I'm not sure why CFID and CFTOKEN are still set. Are they set regardless of the client and session management settings?

When I followed Ben Nadel's post on forcing the CFID and CFTOKEN as session cookies, I found that those cookies are not set at all if the application's SetClientCookies property is set to a false value:

<cfset THIS.SetClientCookies = "No">

As the docs (well, the CF8 docs that Google found) point out, the default value for SetClientCookies is true, so that's why I was getting CFID and CFTOKEN.

Thanks for pointing me in the right direction!

Eduardo (Community Beginner), Jun 20, 2014

Hello!

Yes, they are set...

I cannot say exactly why the CFID and CFTOKEN cookies remain, but I know that even with them there, you can only capture and use a session, including through the session tracker API, via jsessionid. I have asked myself this question, and the only conclusion I reached was that CF must create linkages within its internal structure, tying them somehow to the jsessionid, but as far as tracking a session goes, CFID and CFTOKEN have no influence on the session available to the user.

BKBK (Adobe Community Professional), Jun 20, 2014

When you opt to use J2EE session management, the cookie scope includes the variables cookie.jsessionid, cookie.CFID and cookie.CFToken. I do believe that that is just how ColdFusion plays it.

cherdt (Participant), Jun 23, 2014

Thanks to both Eduardo and BKBK for the replies.

As Eduardo mentioned, when using J2EE session management, CFID and CFTOKEN do not appear to be connected to the session. By creating a session in one browser and manipulating the cookies in a 2nd browser, I was able to steal the session using jsessionid but not with CFID and CFTOKEN.

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies. Is there any way to force CF to set CFID and CFTOKEN as session cookies instead?

BKBK (Adobe Community Professional), Jun 23, 2014

cherdt wrote:

The CFID and CFTOKEN cookies are flagged by security auditing software as a vulnerability because they are persistent, not session, cookies.

The auditing software must be giving you a false positive. In my opinion, CFID and CFTOKEN cookies are non-persistent, and cannot outlast the session in which they are created.

Eduardo (Community Beginner), Jun 23, 2014

cherdt

There are ways to force CF to create session cookies: simply change the cfcookie tag so that it sets a session cookie. You can find this in these two links:

http://www.bennadel.com/blog/1131-ask-ben-ending-coldfusion-session-when-user-closes-browser.htm

http://www.johnwbartlett.com/cf_tipsntricks/index.cfm?TopicID=75

BKBK

I agree with his statement, and it is so even though the documentation says.

cherdt (Participant), Jun 24, 2014

When I followed Ben Nadel's post on forcing the CFID and CFTOKEN as session cookies, I found that those cookies are not set at all if the application's SetClientCookies property is set to a false value:

<cfset THIS.SetClientCookies = "No">

As the docs (well, the CF8 docs that Google found) point out, the default value for SetClientCookies is true, so that's why I was getting CFID and CFTOKEN.

Thanks for pointing me in the right direction!
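The configuration the thread ends on, written out as a tag-based Application.cfc for a CF10 app that has "Use J2EE session variables" enabled. This is an added example, not code from the thread, from Ben Nadel's post or from Adobe; the application name and the log file name are assumptions, and the onRequestStart cleanup of leftover cookies is an extra step the thread does not describe.

```cfml
<!--- Application.cfc (added example; "legacyApp" and the log name are assumed) --->
<cfcomponent output="false">

    <cfset THIS.name = "legacyApp">

    <!--- With J2EE sessions on, the session rides on JSESSIONID, so the
          CF session scope works without CFID/CFTOKEN. --->
    <cfset THIS.sessionManagement = true>

    <!--- The client scope is what CFID/CFTOKEN exist to identify; this
          app does not use it. --->
    <cfset THIS.clientManagement = false>

    <!--- Default is true (per the CF docs), which is why CF kept issuing
          the persistent CFID/CFTOKEN cookies next to JSESSIONID. With this
          set to false they are not issued at all. --->
    <cfset THIS.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Browsers that visited before the change still carry the old
              persistent CFID/CFTOKEN cookies, so an audit scan would keep
              flagging them. Expire them on sight; under J2EE sessions they
              carry no session state, so nothing is lost. --->
        <cfif structKeyExists(COOKIE, "CFID") OR structKeyExists(COOKIE, "CFTOKEN")>
            <cfcookie name="CFID" value="" expires="now">
            <cfcookie name="CFTOKEN" value="" expires="now">
            <cflog file="session-cookies" type="information"
                   text="Expired stale CFID/CFTOKEN on request for #ARGUMENTS.targetPage#">
        </cfif>

        <!--- If an app genuinely needs CFID/CFTOKEN (native CF sessions,
              client scope), the alternative from the Ben Nadel link is to
              re-issue them here with cfcookie and no expires attribute, which
              makes them session cookies instead of persistent ones. --->
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

After deploying, confirm with the browser's cookie inspector that a fresh visit receives only JSESSIONID and no Set-Cookie for CFID or CFTOKEN.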
