Highlighted

real use of CFID and CFTOKEN

Explorer ,
Sep 09, 2014

Copy link to clipboard

Copied

Hi All,

Normally if a request is going to a CF server then the server wil generate two tokens CFID (say 100) and CFTOKEN (say 200) and this save as session cookies in broweser. This mechanism is for maintaining a session. And now if the session got expired , say after 20 mints , then the server will generate new tokens(say 300 and 400). This is how a CF session management is working , if I am not wrong.

I think in most of the cases we are not using the generated token(CFID and CFTOKEN) in our cfm or cfc code , atleast I didnt use. So my question is what is the real use of CFID and CFTOKEN untill and unless we are using those tokens while coding??. These questions arised in my mind when I was fixing some vulnerability issues as part of PCI scan where I had to secure session cookies. So I was thinking like was it really necessary to secure those session cookies as we are not using those cookies anywhere in our application rather those cookies are just used for session management.Or what an hacker can do if he/she is able to steal those cookies.

Any thoughts on this.

Adobe Community Professional
Correct answer by BKBK | Adobe Community Professional

You raise a number of questions.

Abdul L Koyappayil wrote:

Normally if a request is going to a CF server then the server wil generate two tokens CFID (say 100) and CFTOKEN (say 200) and this save as session cookies in broweser. This mechanism is for maintaining a session. And now if the session got expired , say after 20 mints , then the server will generate new tokens(say 300 and 400). This is how a CF session management is working , if I am not wrong.

Not wrong, but with one addition. The new session has a CFID of 101. That is relevant.

I think in most of the cases we are not using the generated token(CFID and CFTOKEN) in our cfm or cfc code , atleast I didnt use.

Even if you don't use CFID and CFToken explicitly in your code, Coldfusion will use the cookies in the background to communicate with browsers. I am assuming, of course, that session management is enabled.

So my question is what is the real use of CFID and CFTOKEN untill and unless we are using those tokens while coding??.

Communication via HTTP(S) is stateless. This means that servers are so designed that they have no obligation to remember or to store any details about the client's request.

One implication of this is that, by default, every new request to the ColdFusion server will start a new session. With merely 10 000 clients, each making on average 100 requests, ColdFusion will generate a million unrelated sessions, which it will temporarily hold in memory. Clearly, one session per request is inefficient. Hence the need for session management.

Session management is a mechanism for uniquely identifying and grouping requests that belong together, for example, the requests from a particular client at a particular time. This effectively creates a stateful protocol on top of the HTTP(S) communication.

ColdFusion manages session typically by means of cookies. Cookies uniquely identify the client, and keep track of his requests, as he navigates from one request to the next. The real use of CFID and CFToken is to maintain a user's session in this way. ( If cookies are disabled, then you must pass the CFID and CFToken values in the URL to maintain session)

These questions arised in my mind when I was fixing some vulnerability issues as part of PCI scan where I had to secure session cookies. So I was thinking like was it really necessary to secure those session cookies as we are not using those cookies anywhere in our application rather those cookies are just used for session management.Or what an hacker can do if he/she is able to steal those cookies.

As Steve Sommers said in your previous thread, you can safely ignore the warning from the PCI scanner. The reason why the scanner flags ColdFusion's session cookies as vulnerable is that it detects CFID as being sequential, hence predictable. Rightly, too. (Recall my earlier remark about 101.) However, the scanner is unaware that CFID is just one part of a double-act, and that both CFID and CFToken are obligatory in the definition of a ColdFusion session.

CFToken happens to be random and unique enough to be secure, and so the combination of CFID and CFToken is secure. You could therefore use them, in place of the JsessionID cookie, to maintain session. That answers your immediate question.

Nevertheless, a complication might arise if you use client variables as well. This excerpt from the Adobe documentation on 'Managing the client state' says it all:

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user’s browser. These cookies persist until the client’s browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.

TOPICS
Security

Views

4.6K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

real use of CFID and CFTOKEN

Explorer ,
Sep 09, 2014

Copy link to clipboard

Copied

Hi All,

Normally if a request is going to a CF server then the server wil generate two tokens CFID (say 100) and CFTOKEN (say 200) and this save as session cookies in broweser. This mechanism is for maintaining a session. And now if the session got expired , say after 20 mints , then the server will generate new tokens(say 300 and 400). This is how a CF session management is working , if I am not wrong.

I think in most of the cases we are not using the generated token(CFID and CFTOKEN) in our cfm or cfc code , atleast I didnt use. So my question is what is the real use of CFID and CFTOKEN untill and unless we are using those tokens while coding??. These questions arised in my mind when I was fixing some vulnerability issues as part of PCI scan where I had to secure session cookies. So I was thinking like was it really necessary to secure those session cookies as we are not using those cookies anywhere in our application rather those cookies are just used for session management.Or what an hacker can do if he/she is able to steal those cookies.

Any thoughts on this.

Adobe Community Professional
Correct answer by BKBK | Adobe Community Professional

You raise a number of questions.

Abdul L Koyappayil wrote:

Normally if a request is going to a CF server then the server wil generate two tokens CFID (say 100) and CFTOKEN (say 200) and this save as session cookies in broweser. This mechanism is for maintaining a session. And now if the session got expired , say after 20 mints , then the server will generate new tokens(say 300 and 400). This is how a CF session management is working , if I am not wrong.

Not wrong, but with one addition. The new session has a CFID of 101. That is relevant.

I think in most of the cases we are not using the generated token(CFID and CFTOKEN) in our cfm or cfc code , atleast I didnt use.

Even if you don't use CFID and CFToken explicitly in your code, Coldfusion will use the cookies in the background to communicate with browsers. I am assuming, of course, that session management is enabled.

So my question is what is the real use of CFID and CFTOKEN untill and unless we are using those tokens while coding??.

Communication via HTTP(S) is stateless. This means that servers are so designed that they have no obligation to remember or to store any details about the client's request.

One implication of this is that, by default, every new request to the ColdFusion server will start a new session. With merely 10 000 clients, each making on average 100 requests, ColdFusion will generate a million unrelated sessions, which it will temporarily hold in memory. Clearly, one session per request is inefficient. Hence the need for session management.

Session management is a mechanism for uniquely identifying and grouping requests that belong together, for example, the requests from a particular client at a particular time. This effectively creates a stateful protocol on top of the HTTP(S) communication.

ColdFusion manages session typically by means of cookies. Cookies uniquely identify the client, and keep track of his requests, as he navigates from one request to the next. The real use of CFID and CFToken is to maintain a user's session in this way. ( If cookies are disabled, then you must pass the CFID and CFToken values in the URL to maintain session)

These questions arised in my mind when I was fixing some vulnerability issues as part of PCI scan where I had to secure session cookies. So I was thinking like was it really necessary to secure those session cookies as we are not using those cookies anywhere in our application rather those cookies are just used for session management.Or what an hacker can do if he/she is able to steal those cookies.

As Steve Sommers said in your previous thread, you can safely ignore the warning from the PCI scanner. The reason why the scanner flags ColdFusion's session cookies as vulnerable is that it detects CFID as being sequential, hence predictable. Rightly, too. (Recall my earlier remark about 101.) However, the scanner is unaware that CFID is just one part of a double-act, and that both CFID and CFToken are obligatory in the definition of a ColdFusion session.

CFToken happens to be random and unique enough to be secure, and so the combination of CFID and CFToken is secure. You could therefore use them, in place of the JsessionID cookie, to maintain session. That answers your immediate question.

Nevertheless, a complication might arise if you use client variables as well. This excerpt from the Adobe documentation on 'Managing the client state' says it all:

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user’s browser. These cookies persist until the client’s browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.

TOPICS
Security

Views

4.6K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Sep 09, 2014 0
Adobe Community Professional ,
Sep 10, 2014

Copy link to clipboard

Copied

You raise a number of questions.

Abdul L Koyappayil wrote:

Normally if a request is going to a CF server then the server wil generate two tokens CFID (say 100) and CFTOKEN (say 200) and this save as session cookies in broweser. This mechanism is for maintaining a session. And now if the session got expired , say after 20 mints , then the server will generate new tokens(say 300 and 400). This is how a CF session management is working , if I am not wrong.

Not wrong, but with one addition. The new session has a CFID of 101. That is relevant.

I think in most of the cases we are not using the generated token(CFID and CFTOKEN) in our cfm or cfc code , atleast I didnt use.

Even if you don't use CFID and CFToken explicitly in your code, Coldfusion will use the cookies in the background to communicate with browsers. I am assuming, of course, that session management is enabled.

So my question is what is the real use of CFID and CFTOKEN untill and unless we are using those tokens while coding??.

Communication via HTTP(S) is stateless. This means that servers are so designed that they have no obligation to remember or to store any details about the client's request.

One implication of this is that, by default, every new request to the ColdFusion server will start a new session. With merely 10 000 clients, each making on average 100 requests, ColdFusion will generate a million unrelated sessions, which it will temporarily hold in memory. Clearly, one session per request is inefficient. Hence the need for session management.

Session management is a mechanism for uniquely identifying and grouping requests that belong together, for example, the requests from a particular client at a particular time. This effectively creates a stateful protocol on top of the HTTP(S) communication.

ColdFusion manages session typically by means of cookies. Cookies uniquely identify the client, and keep track of his requests, as he navigates from one request to the next. The real use of CFID and CFToken is to maintain a user's session in this way. ( If cookies are disabled, then you must pass the CFID and CFToken values in the URL to maintain session)

These questions arised in my mind when I was fixing some vulnerability issues as part of PCI scan where I had to secure session cookies. So I was thinking like was it really necessary to secure those session cookies as we are not using those cookies anywhere in our application rather those cookies are just used for session management.Or what an hacker can do if he/she is able to steal those cookies.

As Steve Sommers said in your previous thread, you can safely ignore the warning from the PCI scanner. The reason why the scanner flags ColdFusion's session cookies as vulnerable is that it detects CFID as being sequential, hence predictable. Rightly, too. (Recall my earlier remark about 101.) However, the scanner is unaware that CFID is just one part of a double-act, and that both CFID and CFToken are obligatory in the definition of a ColdFusion session.

CFToken happens to be random and unique enough to be secure, and so the combination of CFID and CFToken is secure. You could therefore use them, in place of the JsessionID cookie, to maintain session. That answers your immediate question.

Nevertheless, a complication might arise if you use client variables as well. This excerpt from the Adobe documentation on 'Managing the client state' says it all:

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user’s browser. These cookies persist until the client’s browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 10, 2014 0
Most Valuable Participant ,
Sep 10, 2014

Copy link to clipboard

Copied

BKBK captured the issues very well.  One further note - you can increase the security of the session cookies by using the httponly feature introduced in CF9.  This Adove Devnet article explains how it works and how to implement it.  Basically, using httponly cookies prevents JavaScript access to the cookies, protecting against some forms of cross-site scripting (XSS) attacks.j

-Carl V.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 10, 2014 0
Explorer ,
Sep 15, 2014

Copy link to clipboard

Copied

Thanks for your detailed explanations. I understood.

BKBK wrote:

You raise a number of questions.

BK, the forumn is used for asking questions and to discuss those questions among many people. Right?? .......

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 15, 2014 0
Adobe Community Professional ,
Sep 15, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

BK, the forumn is used for asking questions and to discuss those questions among many people. Right?? .......

Right. "You raise a number of questions" is simply a bridge to the answers I wished to contribute. I intended nothing else.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 15, 2014 0
Explorer ,
Sep 15, 2014

Copy link to clipboard

Copied

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 15, 2014 0
Adobe Community Professional ,
Sep 15, 2014

Copy link to clipboard

Copied

Abdul L Koyappayil wrote:

Should you have further questions, please do bring them to the forum. A forum without questions is a bazaar without merchandise.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 15, 2014 1
Explorer ,
Sep 15, 2014

Copy link to clipboard

Copied

I have posted a separate question -How to secure CFGLOBALS cookie ... can you pls look into it. Will be much helpful

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 15, 2014 0