Highlighted

We need help with Insufficient session expiration

Explorer ,
Jun 03, 2020

Copy link to clipboard

Copied

Hi,

We have received a report from our security scanner contractor (SSC) who is testing our application for vulnerabilities with new warning as per subject "Insufficient session expiration".

 

The user logged on to application concurrently two times with the same user credentials. Both sessions are using Chrome and, one of the session is Incognito window. 

 

Then, after changing password in one of the sessions (non incognito), the application logged the user out and redirected to login page.

The security requiremets as per SSC, all the sessions opened for the user must be logged out.

Is it possible?

 

We are using CF2016 on Windows Server 2008 R2.

CF is configured to use J2EE session.

I tried different methods to invalidate/delete the session and, nothing seem to work for both sessions. Only one session is logged out.

 

Our logout function is using following to delete a session:

<CFSET StructClear(SESSION)>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cfset sessionInvalidate()>
<cfset getPageContext().getSession().invalidate()>

 

After loggin in to both sessions, I checked session tokens and id's, they do not match. How can I delete both sessions? 

 

Thank you,

Gena

 

Views

782

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

We need help with Insufficient session expiration

Explorer ,
Jun 03, 2020

Copy link to clipboard

Copied

Hi,

We have received a report from our security scanner contractor (SSC) who is testing our application for vulnerabilities with new warning as per subject "Insufficient session expiration".

 

The user logged on to application concurrently two times with the same user credentials. Both sessions are using Chrome and, one of the session is Incognito window. 

 

Then, after changing password in one of the sessions (non incognito), the application logged the user out and redirected to login page.

The security requiremets as per SSC, all the sessions opened for the user must be logged out.

Is it possible?

 

We are using CF2016 on Windows Server 2008 R2.

CF is configured to use J2EE session.

I tried different methods to invalidate/delete the session and, nothing seem to work for both sessions. Only one session is logged out.

 

Our logout function is using following to delete a session:

<CFSET StructClear(SESSION)>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cfset sessionInvalidate()>
<cfset getPageContext().getSession().invalidate()>

 

After loggin in to both sessions, I checked session tokens and id's, they do not match. How can I delete both sessions? 

 

Thank you,

Gena

 

Views

783

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jun 03, 2020 0
LEGEND ,
Jun 03, 2020

Copy link to clipboard

Copied

Hi, Genadi,

 

According to the help page for invalidateSession, J2EE sessions are not invalidated.

 

HTH,

 

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 03, 2020 0
Explorer ,
Jun 03, 2020

Copy link to clipboard

Copied

Your link is not working. However, according to the link below, getPageContext().getSession().invalidate() invalidates the session... In fact when I dump the session before and after I execute logout script, all the session data is gone. The challenge is that another session in second browser for the same user name still exist. So, my question is, is there way to delete that session too?

 

https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/using-persis...

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 03, 2020 0
LEGEND ,
Jun 03, 2020

Copy link to clipboard

Copied

You can't see it, but I'm facepalming myself, right now.  Copied the wrong URL.  Here is the one I was talking about.

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-s/sessioninvalidate...

 

According to the link you provided:

"Always use the cflogout tag to log out users."

 

HTH,

 

^ _ ^

 

 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 03, 2020 0
Explorer ,
Jun 04, 2020

Copy link to clipboard

Copied

Oh ok. Yes, it does not invalidate J2EE. Thats why I am using <cfset getPageContext().getSession().invalidate()>

Still doesn't work for me. 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 04, 2020 0
Adobe Community Professional ,
Jun 03, 2020

Copy link to clipboard

Copied

I think the functionality you require isn't built-in in ColdFusion. In fact, the default scenario of most application servers is to grant you a session whenever you successfully log in. Nevertheless, it is relatively easy to implement your at-most-one-session requirement yourself.

 

From what you describe you've covered the main ground already: your logout function invalidates the session. That is key.

 

As you are security-conscious, I shall assume that you log every login attempt - successful as well as unsuccessful - in the database. You should also log login and logout times. Using such information you could easily implement what you want as follows.

 

During login validation, check whether the (username, password) combination is currently logged in. If so, then validation fails. That is, don't log the user in. Inform the user that he or she is currently logged in and that only one session is allowed.     

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 03, 2020 0
Adobe Community Professional ,
Jun 04, 2020

Copy link to clipboard

Copied

I think the problem here is that you're going to need something outside the session to track and manage the sessions for an individual user. You're starting out with two separate sessions tied to the same user. Logging out of one session doesn't affect the other. Personally, I don't really think that's a serious security risk, but I can see some potential cases where it could be maliciously used.

 

So, you'll need some other persistent storage, like a database table, where you track logged-in users. When a user logs out, you'll need to set a flag there. On every page load for that user (presumably you'd store a user identifier in the session as a separate variable), you'd need to check for that flag.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 04, 2020 0