Thursday, February 10, 2011

Security Hot-Fix update for ColdFusion and Session

The recent Security Hot-Fix for ColdFusion fixes an important vulnerability: session fixation.


Previous behaviour without the Hot-Fix: one could create a ColdFusion session with a self-provided CFID and CFTOKEN and then mail a victim customer a URL carrying those tokens. Both of them would then share the same session.
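As an added illustration of the before/after behaviour described above (a simplified Python model written for this post, not ColdFusion's own code): the vulnerable store accepts whatever CFID/CFTOKEN pair the client presents, while the fixed store only honours pairs it issued itself and otherwise hands out a fresh one. The store classes, the `resolve` method and the token format are assumptions of the model.

```python
import secrets


class VulnerableSessionStore:
    """Pre-hot-fix behaviour: any CFID/CFTOKEN pair presented by the client
    is accepted as a session key, so a pair chosen by a third party and
    handed to a victim in a URL becomes a session both of them share."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cfid, cftoken):
        key = (cfid, cftoken)
        # Session is created on demand, no matter who supplied the key.
        self.sessions.setdefault(key, {})
        return key, self.sessions[key]


class FixedSessionStore:
    """Post-hot-fix behaviour: only identifiers the server itself issued are
    honoured; an unknown pair is discarded and a fresh server-generated pair
    is issued, so a pre-chosen pair never becomes a live session."""

    def __init__(self):
        self.sessions = {}
        self._next_cfid = 1

    def _issue(self):
        # CFTOKEN is drawn from a CSPRNG so it cannot be guessed or pre-chosen.
        key = (str(self._next_cfid), secrets.token_hex(16))
        self._next_cfid += 1
        self.sessions[key] = {}
        return key

    def resolve(self, cfid, cftoken):
        key = (cfid, cftoken)
        if key not in self.sessions:
            key = self._issue()
        return key, self.sessions[key]


def fixation_shares_session(store):
    """Replay the scenario from the post: a pair is chosen in advance, the
    victim logs in with it, the same pair is presented again afterwards.
    Returns True when that second request lands in the victim's session."""
    forged_pair = ("4242", "deadbeefcafe")  # constructed, pre-chosen pair
    _, victim_session = store.resolve(*forged_pair)
    victim_session["user"] = "victim"
    _, later_session = store.resolve(*forged_pair)
    return later_session.get("user") == "victim"
```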


Earlier, if one had two different applications in subdirectories, the session tokens for the ColdFusion session were the same for both, so both applications worked fine within the same browser.


After applying the hot-fix, users who want to support such different applications in subdirectories can set the session cookies with domain and path.


Example:

For the second application in a subdirectory, do this in OnSessionStart:

 <!--- Scope the session cookies to /subdir so this application keeps its own session. The value attribute needs #...# interpolation; the bare string "SESSION.CFID" would store that literal text. --->
 <!--- Set domain= to match the host as well when path is used, as described above. --->
 <cfcookie name="CFID" value="#SESSION.CFID#" path="/subdir">
 <cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" path="/subdir">

Hope this was helpful.

8 comments:

  1. Hi,
    It looks like your code examples are missing. We're experiencing the same issue.

  2. Hi,

    Thanks a lot. It got missed because of use of <>.
    I have fixed this. Hope this helps.

  3. Your fix is working for me, thanks!
    I posted about it on Ray's blog here:
    http://www.coldfusionjedi.com/index.cfm/2011/2/8/Security-Bulletin-for-ColdFusion#cCFBF4705-C79B-6CB4-B2BEFCC0CE86D5DC

  4. Shilpi, if you add the path attribute to cfcookie then the domain attribute is also required. Your sample only has the path.

    I can also confirm the fix works, but I'm having to go through a lot of apps where sessions are being broken. Can someone at Adobe please make sure a note or warning is added to the Security Fix technote so people are aware that they need to change their code after applying the Security Fix?

    Thank you.

  5. Since installing the Security Fix we have been inundated with customers who are apparently losing their session. It seems that for certain users a new cfid/cftoken is being created on every request, despite no changes to session timeouts etc, and using the domain/path cookies approach as recommended. Clearing the cfid/cftoken cookies so they get recreated by onsessionstart seems to fix it although only temporarily.

    I am loath to roll back such an important update, but we've had to do so as it's causing too much trouble.

  6. Please check out the latest update on the Security Hot-Fix for ColdFusion.

  7. Still doesn't work for us I'm afraid. But the new JVM switch is helpful and has meant we haven't had to roll back the whole HF.
