Tuesday, February 28, 2012

New & Improved CFLogin

With ColdFusion 10, <cflogin> is improved and more secure. The authorization cookie that <cflogin> sets when loginstorage is "cookie" is now much harder to abuse.

The Authorization cookie,
·         Is set to have a short time to live.
·         Now expires by default when the browser is closed; this can be configured using the cookie settings discussed earlier (authcookie.timeout).
·         Is HttpOnly by default for the ColdFusion Administrator console. For other applications, the flag can be configured per application.
There are, however, some behavioral changes:

·         Only one active session can be open for a given user in a given application that uses <cflogin>.
o   Example: the Administrator console can now be accessed by only one user at a time for a given UserID and password.
·         In a clustered environment without sticky sessions, the cflogin state does not persist across nodes: a request that lands on a different node requires a login again. To fix this:
o   Enable distributed caching for authcache in <cf-home>/lib/auth-ehcache.xml.
o   Enable cache replication between the nodes of the cluster.
o   Note: the cacheManagerPeerListenerFactory port should be unique for each node in the cluster.
o   Sample auth-ehcache.xml with distributed caching enabled using RMI replication -
·         To enable long-lived logins or "remember me" functionality:
o   Increase authcookie.timeout to a large enough value in Application.cfc/Application.cfm.
o   Make the cache persistent by updating the configuration in auth-ehcache.xml.

Note: Elements in this cache have the same idle timeout as the session timeout specified at the Application level or at the server level, so a persistent cache on its own does not make a login outlive the session timeout.

Information on Ehcache configuration can be found here.


Tuesday, February 21, 2012

How to Secure ColdFusion Session Cookies with CF 10

Before discussing the improvements made in ColdFusion 10, let's look briefly at what session management is and why these cookies exist.

In simple words, session management lets a web application keep track of who you are across requests, so you do not have to identify yourself every time. When the first request is received by the server, a token is generated, which is then exchanged between client and server on every request after that.

This token can be anything, but to be secure it must be random enough that an attacker cannot guess or enumerate it. Given such a token, the question is how to share it safely between client and server.

There are multiple ways to carry the token: append it to the URL, or store it on the client as a cookie. Tokens in the URL are not safe: they end up in browser history, in proxy and server logs and in Referer headers sent to other sites, and anyone who reads them can replay them. Remember that this token is your identity to the server. Cookies, on the other hand, can be made reasonably secure, and how to do that is what we will discuss today.

For ColdFusion sessions there are two tokens, CFID and CFTOKEN. CFTOKEN is randomized in ColdFusion 10 by default: the option "Use UUID for cftoken" under CF Administrator -> Settings is now checked by default.

Cookies are not very secure by default, for several reasons: they are stored in plain text, they can be modified by the user, they can persist on the client for a long time, and they can be read by JavaScript. So if cookies are also insecure, what should we do? Fortunately there are attributes that make cookies safer. We will now discuss what those attributes are and how to set them in CF10.

If you are already familiar with these attributes, skip ahead to the configuration section.

Apart from its name and value, a cookie has a few attributes that can be used to secure a session easily. These are -

  1. Expires: The time after which the browser deletes the cookie from memory or its persistent store. A value of 0 means delete it now; a negative value such as -1 means no expiry is stored, so the cookie lives only until the browser is closed. A session or authentication cookie should have the shortest lifetime the application can tolerate.
  2. Domain: The host, and its subdomains, to which the browser sends the cookie. Example: for the URL www.shilpikm.coldfusion.adobe.com, the domain can be set to coldfusion.adobe.com or adobe.com (a leading dot, as in .adobe.com, means the same thing). Always set the narrowest domain the application needs; a cookie scoped to adobe.com is sent to every host under adobe.com.
  3. Path: Cookies can also be scoped to paths within a domain. Example: www.shilpikm.coldfusion.adobe.com/ and www.shilpikm.coldfusion.adobe.com/test/index.cfm. To have two separate cookies for these two URLs, set the Path attribute to "/" and "/test" respectively. Path is a convenience, not a security boundary: script running on one path of the same origin can still reach the other.
  4. HttpOnly: As mentioned, cookies can be read by JavaScript, and a Cross Site Scripting (XSS) flaw lets an attacker's script do exactly that. If the HttpOnly flag is set, the cookie is not exposed to script (document.cookie), so an XSS bug cannot be used to steal it. HttpOnly does not prevent XSS itself; injected script can still make requests that carry the cookie. I will discuss XSS in detail in upcoming posts.
  5. Secure: For web applications running on HTTPS, the Secure flag should be set on cookies. It tells the browser to send the cookie only over encrypted connections, so it cannot be captured from a plain HTTP request on the network.

How to configure these in ColdFusion 10: Now let's set some of these for the CF session cookies and see how quick it is in ColdFusion 10. There are 3 ways to do it -

1. Server level settings using the Administrator: On the Administrator console -> Memory Variables page, there is a new section, "Session Cookie Settings".

This is the same page where the other session related settings are made. Here you can specify the cookie timeout (Expires), the HttpOnly flag, and the Secure flag for all applications on this server.

You must have noticed another setting, "Disable updating ColdFusion internal cookies using ColdFusion tags/functions". When checked, the server will not allow CF's own cookies to be manipulated with the cfcookie or cfheader tags. This gives you more control over where these cookies might be getting changed, and stops application code from overriding the server-level flags.

2. Application specific settings using Application.cfc: set the this.sessioncookie and this.authcookie structs in the component's pseudo-constructor.

3. Application specific settings using Application.cfm

For existing applications that still use Application.cfm, create a struct with these properties and pass it to the cfapplication attributes "sessioncookie" and "authcookie" respectively.
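As an added example (not code from the original post), here is an Application.cfc that sets the per-application cookie options covered in this post, together with the <cflogin> authcookie.timeout mentioned in the New & Improved CFLogin entry. The setting names are the ColdFusion 10 Application.cfc keys for sessioncookie and authcookie; the application name, the cookie domain and the timeout values are assumptions.

```cfml
/*
 * Application.cfc (added example, not from the original post).
 * Per-application cookie hardening for ColdFusion 10.
 * Assumptions: the application name, the cookie domain and the
 * timeout values below are placeholders; change them for your site.
 */
component {

    this.name = "SecureCookieDemo";                      // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);   // server-side session idle timeout: 30 minutes
    this.loginStorage = "cookie";                        // keep <cflogin> state in the authentication cookie

    // CFID / CFTOKEN session cookie
    this.sessioncookie.httponly = true;          // not exposed to document.cookie, so XSS cannot read it
    this.sessioncookie.secure = true;            // sent only over HTTPS; assumes the application is served over HTTPS
    this.sessioncookie.domain = ".example.com";  // assumed; use the narrowest domain the application needs
    this.sessioncookie.timeout = 30;             // cookie lifetime; value assumed, check the unit for this key in your CF10 docs
    this.sessioncookie.disableupdate = true;     // cfcookie / cfheader may not rewrite CF's own cookies

    // <cflogin> authorization cookie
    this.authcookie.timeout = 30;                // raise for "remember me"; leave unset to expire at browser close
    this.authcookie.disableupdate = true;

    // Everything else is ordinary Application.cfc code.
    public boolean function onApplicationStart() {
        return true;
    }

    public boolean function onRequestStart(required string targetPage) {
        return true;
    }
}
```

For an application still on Application.cfm, build the same two structs and pass them in the cfapplication tag, for example <cfapplication name="SecureCookieDemo" sessionmanagement="true" loginstorage="cookie" sessioncookie="#cookieSettings#" authcookie="#authSettings#">, where cookieSettings and authSettings are structs holding the keys shown above. After deploying, confirm the result from a browser or an intercepting proxy: the Set-Cookie headers for CFID and CFTOKEN should carry HttpOnly and Secure, the Domain should be the one you configured, and a <cfcookie name="CFID"> from application code should have no effect once disableupdate is on.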

That is all I have for today; happy securing your applications and servers.

Note: all the configurations discussed here apply to the CF session cookies and the authentication cookie. For JSESSIONID (used when J2EE sessions are enabled), the changes must be made in the servlet container's configuration.

Shilpi Khariwal
Security Czar, ColdFusion Engineering Team


Security & Secure and easy application development with ColdFusion

As I start my post today, I see how I have evolved. I started as a developer who was mostly unaware of what it takes to make something secure or what mistakes I was making. Now, having gained some knowledge in the security field working as security czar, I can see how my perspective has changed: I now think about securing first.

Security is considered hard. It is mostly left to domain specialists and researchers to comment on security. However, it is we developers who should know it right from the beginning. If explained well, these are very simple concepts, and it is simple flaws that get misused and create problems.

With ColdFusion 10 a developer can have a much stronger relationship with security. There are a lot of features in ColdFusion 10 that will help developers and administrators create secure applications, through very simple APIs and configurations. I start this series today to discuss them from my perspective.

You can download ColdFusion 10 public beta from here.

Today I am going to cover how to secure CF session cookies; read further in How to Secure ColdFusion Session Cookies with CF 10.


Saturday, February 18, 2012

ColdFusion 10 and ColdFusion Builder 2.0.1 public beta announced

I am right here at NullCon Goa, where I received the good news. I am really excited to share the release of the ColdFusion 10 (code-named Zeus) and ColdFusion Builder 2.0.1 public betas. It is loaded with features and is one of my favorite releases of the product. All that has been talked about, and not talked about, is available for you now. Go ahead and explore it. You can find the bits at Adobe Labs: ColdFusion 10 & ColdFusion Builder 2.0.1.

Stay tuned for my take on some of the features, and definitely the security features.


Thursday, February 9, 2012

Basic Authentication with WebLogic 9.2 and above

I have had very few encounters with WebLogic, and today was one of those days. I created a simple application that uses Basic authentication and deployed it on WebLogic. Here is what I learned.

To my surprise the application didn't work as expected: it kept returning a 401 error. After some debugging I found that the request was not even reaching the application code that performs the authentication. This was annoying and strange. Finding nothing wrong in the application, I decided to search in case someone else had faced a similar issue.

Interestingly, it turned out to be WebLogic behaviour. From WebLogic 9.2 onward, any request to an application that carries an "Authorization" header is intercepted by WebLogic itself and is not passed to the application: WebLogic tries to authenticate the credentials against its own security realm and answers with 401 when they are not valid there, so the application's own Basic authentication code never runs.

To solve this issue, add the following configuration to config.xml:

Happy Debugging,