switching from cookie storage to client storage

Report · Jan 03, 2020

Recently my app was scanned for vulnerabilities and I was flagged for a few - mostly pertaining to the client variables and the assoicated cookies. Specifically with a cookie being utilized called CFClient_SMITH (let's just say that my application is called SMITH). My hosting site does not allow session variables, so I must use client variables. Evidently because there is not client storage set, all of the client varaibles are now being stored in the CFClient_SMITH and are available for the picking. I am getting nailed for Privilege Escalation, User Impersonation, Forced browsing - just to name a few.

I was told that by naming a clientstorage value this would eliminate this issue. The hosting group told me to use a specific clientstorage value (let's say APPLE) and to set the client cookies to no as shown below:

<cfapplication name="SMITH"

applicationtimeout="#createTimeSpan(0,4,0,0)#"

clientmanagement="Yes"

setclientcookies="No"

setdomaincookies="yes"

clientstorage="apple"

sessionmanagement="No"

scriptprotect="all"

So I thought that was all I needed, but the website worked in IE 11 but not in FireFox and Chrome.

My question is - is this the correct approach? And if yes, then I assume that I now need to go back into all of the code and append the cookies to the pages that really need them to be passed to using:

Any help and guidance you can provide is greatly appreciated!

Libby Hornbostel

Report · Jan 03, 2020

You don't need to use the setclientcookies=no to solve your problem. That's what's making you think you'd have to pass the session id's on each request.

And it is NOT what is causing the colors with all the client variable values. That will be stopped once you use that clientstorage pointing to a db.

But do be sure to delete the existing cookies to see the difference take effect. (That's probably why it seemed to "work"on one browser and not another, if the failing ones already had cf cookies set for the app.)

Let us know how it goes.

/Charlie (troubleshooter, carehart.org)

Report · Jan 07, 2020

Hi Libby,

First off, I agree with Charlie that database storage is your best option. It's either that, or storage in the registry. But this latter option is universally considered to be unacceptable. For one thing, storing ColdFusion client data in the registry can have adverse impact on the Operating System.

Assuming apple is a datasource containing tables that are correctly configured for ColdFusion client-variables, then the following settings are sufficient:

<cfapplication name="SMITH"

applicationtimeout="#createTimeSpan(0,4,0,0)#"

clientmanagement="yes"

clientstorage="apple"

setclientcookies="no"

setdomaincookies="no"

sessionmanagement="no"

scriptprotect="all">

Report · Jan 07, 2020

Sure, you still show using setclientcookies=no, which I'd argue we should not. To be clear, that's not what controls whether cf stores client variables IN cookies (the point of the original question). That's the clientstorage attribute.

For interested readers, I will repeat that Setclientcookies simply controls whether cf should use cookie to TRACK that a browser is connected to cf with the cfid/cftoken cookies, for use with either cf client or session vars. If you turn it off this way, then you need to pass the cfid/cftoken yourself on every request. That's an old approach from the days when some browsers or orgs did not support ANY cookies.

/Charlie (troubleshooter, carehart.org)

Report · Jan 08, 2020

Just an oversight, Charlie.

Libby, that should in fact read:

<cfapplication name="SMITH"
applicationtimeout="#createTimeSpan(0,4,0,0)#"
clientmanagement="yes"
clientstorage="apple"
setclientcookies="yes"
setdomaincookies="no"
sessionmanagement="no"
scriptprotect="all">

Report · Jan 09, 2020

Charlie Arehart and BKBK -

Thank you for you help!

For your comment "do be sure to delete the existing cookies" - I assume that can be accomplished by recycling the CF instance? Or is there something needed more than that?

Thank you again for your help!

Libby H

Report · Jan 09, 2020

Nope, I mean in the browser. That's why I said there also that if it worked, it could explain why you experienced different results in different browsers. Each browser has its own cookies for your cf site.

By clearing them in the browser, you cause it to obtain the "right" cookies--for the current configuration in cf, that you have now enabled (per the changes we proposed).

As for how to clear them, there are various ways in the different browsers, letting you clear one or all for a given site, or clearing all for all sites (usually overkill). Google can get you the right solution for your browser.

Let us know how it goes.

/Charlie (troubleshooter, carehart.org)

Report · Jan 12, 2020

So how did things turn out, Libby?

/Charlie (troubleshooter, carehart.org)

Report · Jan 12, 2020

Libby, I now see something more.

1) If you're using sub-domains (say, subDomain1.yourDomain.com and subDomain2.yourDomain.com) and you want the client variables to apply to them all, then set

setdomaincookies="yes"

2) You could delete the old cookies simply by overwriting them with the current values. For example, by using something like this in Application.cfm:

<cfparam name="client.isCookieRefreshed" default="false" type="boolean">

<cfif not client.isCookieRefreshed><!--- Refresh cookies --->
	<cfcookie name="CFClient_SMITH" value="new_cookie_value">
        <cfcookie name="cfid" value="#client.cfid#">
	<cfcookie name="cftoken" value="#client.cftoken#">
	
	<!--- Alternatively, where the client variables apply to sub-domains --->
	<!---
	<cfcookie name="CFClient_SMITH" domain=".yourDomain.com" value="new_cookie_value">
        <cfcookie name="cfid" value="#client.cfid#" domain=".yourDomain.com">
	<cfcookie name="cftoken" value="#client.cftoken#" domain=".yourDomain.com">
	--->
	
	<cfset client.isCookieRefreshed = true>
</cfif>

Adobe Community

switching from cookie storage to client storage