Before talking about the improvements made in ColdFusion 10, let's look briefly at what session management is and why these cookies exist.
In simple words, session management is a way to use web applications in a more structured manner, so that you do not have to tell the server who you are on every request. When the server receives the first request, it generates a token, which is then exchanged between client and server on each request thereafter.
Now, this token can be anything. But to make it secure it should be random enough that it is not easily guessable. So now that we have this token, the question is how to share it safely between client and server.
There are multiple ways to carry this token: one can append it to the URL, or store it on the client side as a cookie. Tokens in the URL are not very safe; anyone can read them and then use them, and remember that this token is your identity to the server. Cookies, on the other hand, can be made secure enough. How to do this is what we will discuss today.
For ColdFusion sessions, there are two tokens: CFID and CFTOKEN. CFTOKEN is randomized in ColdFusion 10 by default. Remember the option "Use UUID for cftoken" under CF Administrator -> Settings? It is now checked by default.
Cookies are not very secure by default. They are vulnerable for various reasons: cookies are stored in plain text, they can be modified by the user, they can persist for a long time, they can be accessed by JavaScript, and so on. So if cookies are also insecure, what should we do? Fortunately, there are configurations that can make cookies secure. We will now discuss what those configurations are and how to enable and set them in CF10.
If you are already aware of these, click here to see the solution right away.
Apart from its name and value, a cookie has a few attributes which can be used to secure the session easily. These are:
- Expires: Time after which the cookie should be deleted from the browser or its persistent store. A value of "0" means expire now; a negative value such as "-1" means keep it forever.
- Domain: The domain (or its sub-domains) for which the given cookie should be accessible. Example: for the URL www.shilpikm.coldfusion.adobe.com, the domain can be set to *.coldfusion.adobe.com or *.adobe.com. One should always set the least privileged domain the application can work with.
- Path: Cookies can also be distinguished by path within a domain. Example: www.shilpikm.coldfusion.adobe.com/ and www.shilpikm.coldfusion.adobe.com/test/index.cfm. If we want two separate cookies for these two URLs, the path attribute can be set to "/" and "/test" respectively.
- HttpOnly: As I mentioned, cookies can be accessed by JavaScript, and this can be misused very dangerously. If the HttpOnly flag is set on a cookie, that cookie is not accessible to any JavaScript, which protects it against Cross Site Scripting (XSS) attacks. I will discuss XSS in detail in upcoming posts.
- Secure: For web applications running on HTTPS, the Secure flag should be set on cookies. The Secure flag ensures the cookie is sent only over encrypted requests, which helps prevent cookie theft.
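To see how the attributes above map onto an actual cookie, here is an added example (not from the original post) of a custom application cookie written with the cfcookie tag, first with no protection and then with every attribute set deliberately. The cookie name "prefs", its value, the domain ".example.com" and the path "/app" are placeholders chosen for the illustration.

```cfml
<!--- Constructed sample value; in a real application this would come from user settings --->
<cfset prefValue = "dark-theme">

<!--- Weak: no Domain or Path scoping, readable by JavaScript, sent over plain HTTP,
      and kept on the client indefinitely --->
<cfcookie name="prefs" value="#prefValue#" expires="never">

<!--- Hardened: one attribute per item in the list above.
      expires  : number of days (cfcookie also accepts "now" to delete and "never" to keep)
      domain   : narrowest domain the application can work with (placeholder)
      path     : cookie is only sent for requests under /app
      httponly : not readable through document.cookie, so an XSS payload cannot lift it
      secure   : only sent over HTTPS --->
<cfcookie name="prefs"
          value="#prefValue#"
          expires="1"
          domain=".example.com"
          path="/app"
          httponly="true"
          secure="true">

<!--- The browser receives approximately this response header for the hardened cookie:
      Set-Cookie: prefs=dark-theme; Expires=<date>; Domain=.example.com; Path=/app; HttpOnly; Secure
      The weak version carries only the name, value and Expires. --->
```

A quick way to verify the result is to inspect the Set-Cookie header in the browser's developer tools or with a proxy and confirm that Domain, Path, HttpOnly and Secure are all present; a missing flag is a configuration gap, not a browser default.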
How to configure these in ColdFusion 10:
Now let's set some of these for the CF session cookies and see how quick it is in ColdFusion 10. There are 3 ways to do it:
1. Server level settings using the Administrator:
On Administrator Console -> Memory Variables page, there is a new section "Session Cookie Settings".
This is the same page where the other session-related settings are made. Here you can specify the cookie timeout (expires), HttpOnly, and Secure flag for all the applications on this server.
You must have noticed another setting, "Disable updating ColdFusion internal cookies using ColdFusion tags/functions". By checking this, your server will not allow CF-related cookies to be manipulated from the CFCookie or CFHeader tag. This gives you more control over where these cookies might be getting manipulated.
2. Application specific settings using Application.cfc
3. Application specific settings using Application.cfm
For existing applications which are still using Application.cfm, a struct can be created with all these properties and then passed to the "sessioncookie" and "authcookie" attributes respectively.
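The following is an added example (not the original post's code) covering both the Application.cfc route (way 2) and the Application.cfm route (way 3) for the same settings. It assumes the CF10 this.sessioncookie and this.authcookie structs with the keys httponly, secure, domain, timeout and disableupdate, and the matching sessioncookie and authcookie attributes of cfapplication; the application name, the domain ".example.com" and the timeout values are placeholders, and the timeout is assumed to be in minutes, so check the units against the Memory Variables page of your own Administrator.

```cfml
<!--- ===== Application.cfc (way 2): settings in the pseudo-constructor ===== --->
component {
    this.name = "SecureSessionDemo";          // placeholder application name
    this.sessionmanagement = true;
    this.sessiontimeout = createTimeSpan(0, 0, 30, 0);

    // Session cookie (CFID / CFTOKEN) settings, assumed CF10 struct keys
    this.sessioncookie.httponly = true;         // hide CFID/CFTOKEN from JavaScript
    this.sessioncookie.secure = true;           // only send them over HTTPS
    this.sessioncookie.domain = ".example.com"; // placeholder: least privileged domain
    this.sessioncookie.timeout = 30;            // assumed minutes; 30 years is the server default
    this.sessioncookie.disableupdate = true;    // block cfcookie/cfheader from rewriting them

    // Authentication cookie (cflogin) settings, assumed CF10 struct keys
    this.authcookie.timeout = 30;               // assumed minutes
    this.authcookie.disableupdate = true;
}

<!--- ===== Application.cfm (way 3): same values passed as structs to cfapplication ===== --->
<cfset sessionCookieSettings = {
    httponly = true,
    secure = true,
    domain = ".example.com",
    timeout = 30,
    disableupdate = true
}>
<cfset authCookieSettings = {
    timeout = 30,
    disableupdate = true
}>
<cfapplication name="SecureSessionDemo"
               sessionmanagement="true"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#"
               sessioncookie="#sessionCookieSettings#"
               authcookie="#authCookieSettings#">
```

Setting secure to true on an application that is still reachable over plain HTTP means the browser will never send CFID and CFTOKEN on those requests, so sessions silently stop working there; confirm the site is fully on HTTPS before turning it on, and test after deploying by checking that the Set-Cookie headers for CFID and CFTOKEN carry HttpOnly and Secure.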
That is all I have for today; happy securing your applications and servers.
Note: all the configurations we discussed are valid for CF session cookies and authentication cookies. For JSESSIONID, one needs to make changes in the server-related configuration.
Shilpi Khariwal
Security Czar, ColdFusion Engineering Team