Tuesday, February 21, 2012

How to Secure ColdFusion Session Cookies with CF 10


Before talking about the improvements made in ColdFusion 10, let's briefly look at what session management is and why these cookies exist.

In simple words, session management is a way to use web applications in a more structured manner, where you do not have to say who you are on every request. When the first request is received by a server, a token is generated, which is then shared between client and server on each request thereafter.

Now this token can be anything, but to make it secure it should be random enough that it is not easily guessable. So now that we have this token, the question is how to share it safely between client and server.

There are multiple ways to store this token: one can append the token(s) to the URL, or store them on the client side as cookies. Tokens in the URL are not very safe; anyone can read them and then use them. Remember, it is your identity to the server. Cookies, on the other hand, can be made secure enough. How to do this is what we will discuss today.

For ColdFusion sessions, there are two tokens, CFID and CFTOKEN. CFTOKEN is randomized in ColdFusion 10 by default. Remember the option "Use UUID for cftoken" on CF Administrator -> Settings? It is now checked by default.

Cookies are by default not so secure. They are vulnerable for various reasons: cookies are stored in plain text, they can be modified by the user, they can sit on your server for a long time, they can be accessed by JavaScript, etc. So if cookies are also insecure, what should we do? Fortunately, there are configurations that can make cookies secure. We will now discuss what those configurations are and how to enable/set them in CF10.


If you are already aware of these, click here to see the solution right away.

Apart from its name and value, any cookie has a few attributes which can be used to secure the session easily. These are -


  1. Expires: Time after which the cookie should be deleted from the browser or its persistent store. A value of "0" indicates expire now; a negative value like "-1" tells the browser to keep it forever.
  2. Domain: The domain (and its sub-domains) for which the given cookie should be accessible. Example: for the URL www.shilpikm.coldfusion.adobe.com, the domain can be set as *.coldfusion.adobe.com or *.adobe.com. One should always set the least-privileged domain the application needs.
  3. Path: Cookies can also be distinguished by page path within a domain. Example: www.shilpikm.coldfusion.adobe.com/ and www.shilpikm.coldfusion.adobe.com/test/index.cfm. If we want two separate cookies for these two URLs, the path attribute can be set to "/" and "/test" respectively.
  4. HttpOnly: As I mentioned, cookies can be accessed by JavaScript, and this can be misused very dangerously. If the HttpOnly flag is set on a cookie, that cookie will not be accessible to any JavaScript, which protects it against Cross Site Scripting (XSS) attacks. I will discuss XSS in detail in upcoming posts.
  5. Secure: For web applications running on HTTPS, the Secure flag should be set on cookies. The Secure flag ensures the cookie is sent only with encrypted requests, and hence prevents cookie stealing on the wire.
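As an added illustration (not code from the original post), here is how those five attributes map onto the CFCookie tag for an ordinary application cookie. The cookie name, domain and path are placeholders. Note that the browser's Domain attribute is written as a leading-dot suffix (".example.com") rather than the "*.example.com" notation used in the list above; wildcards are not valid in a cookie's Domain.

```cfml
<!--- Added example: one application cookie carrying every attribute discussed above.
      "prefs", ".example.com" and "/app" are placeholder values. --->
<!--- expires: number of days; "NOW" deletes the cookie, "NEVER" keeps it as long as the browser allows
      domain:  least-privileged domain the application actually needs
      path:    the cookie is only sent for URLs under this path
      httponly: hidden from document.cookie, so XSS cannot read it
      secure:  only sent over HTTPS --->
<cfcookie name="prefs"
          value="theme=dark"
          expires="30"
          domain=".example.com"
          path="/app"
          httponly="true"
          secure="true">
```

If you set secure="true" while testing over plain HTTP, the browser will accept the cookie but never send it back, so verify these flags on an HTTPS host.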


How to configure these in ColdFusion 10: Now let's set some of these for the CF session cookies and see how quick it is in ColdFusion 10. There are 3 ways to do it -

1. Server-level settings using the Administrator: On the Administrator Console -> Memory Variables page, there is a new section "Session Cookie Settings".

This is the same page where the other session-related settings are made. Here you can specify the cookie timeout (expires), HttpOnly, and Secure flag for all the applications on this server.

You must have noticed another setting, "Disable updating ColdFusion internal cookies using ColdFusion tags/functions". By checking this, your server will not allow CF-related cookies to be manipulated from the CFCookie or CFHeader tags. This gives you more control over where these cookies might be getting manipulated.

2. Application specific settings using Application.cfc

3. Application specific settings using Application.cfm

For existing applications which still use Application.cfm, a struct can be created with all these properties and then passed to the cfapplication attributes "sessioncookie" and "authcookie" respectively.
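The two application-level variants (Application.cfc and Application.cfm), written out as an added example rather than the post's own code. The application name and the domain are placeholders; the struct keys are the CF10 sessioncookie/authcookie settings (httponly, secure, domain, disableupdate), and the timeout key is left out so the Administrator's cookie timeout applies.

```cfml
<!--- ===== Application.cfc (script syntax) =====
      Added example: per-application cookie hardening, equivalent to the
      Administrator's "Session Cookie Settings" but scoped to this application. --->
component {
    this.name              = "secureCookieDemo";   // placeholder application name
    this.sessionManagement = true;

    // Attributes applied to the CFID / CFTOKEN session cookies
    this.sessioncookie = {
        httponly      = true,            // not readable from JavaScript (XSS)
        secure        = true,            // only sent over HTTPS
        domain        = ".example.com",  // placeholder; use the narrowest domain the app needs
        disableupdate = true             // CFCookie/CFHeader may not rewrite CFID/CFTOKEN
    };

    // Attributes applied to the cflogin authentication cookie
    this.authcookie = {
        disableupdate = true
    };
}

<!--- ===== Application.cfm equivalent =====
      Build the same structs and hand them to the cfapplication tag. --->
<cfset sessionCookieSettings = {
    httponly      = true,
    secure        = true,
    domain        = ".example.com",
    disableupdate = true
}>
<cfset authCookieSettings = { disableupdate = true }>

<cfapplication name="secureCookieDemo"
               sessionmanagement="true"
               sessioncookie="#sessionCookieSettings#"
               authcookie="#authCookieSettings#">
```

Two things to check after deploying this: with secure=true the browser only returns CFID/CFTOKEN over HTTPS, so a site still served on HTTP will appear to start a fresh session on every request; and with disableupdate=true any existing cfcookie calls that set CFID or CFTOKEN by hand are ignored, which is the intended effect.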

That is all I have for today; happy securing your applications and server.

Note: all the configurations we discussed apply to CF session cookies and authentication cookies. For JSESSIONID, one needs to make the changes in the server-related configuration.

Shilpi Khariwal
Security Czar, ColdFusion Engineering Team



7 comments:

  1. Hi Shilpi,

    I just wanted to let you know that the unannounced change in ColdFusion 10 that restricts users to a single login session has caused huge problems for our business. We've been using ColdFusion since 4.5 and multiple login sessions have always been allowed. Our business model allows multiple people to share a single login. When we upgraded to ColdFusion 10 our users were suddenly getting logged out of their sessions and it took us a while to figure out why. This is a huge feature change and should have been something that can be configured for backwards compatibility. I don't know whose idea it was at Adobe to make this change without any input from your user community but in my opinion it was a terrible idea.

    Thanks,
    Rafael

  2. Hi Rafael,

    This was not an unannounced change. It was covered in "What's new in ColdFusion 10" and on blogs etc. However I can understand if your application is impacted with this change. You can add your vote to the following bug 3339008.

    Thanks,
    Shilpi

  3. Hi,

    We are using CF10. CFID and CFToken cookies are not being cleared when browser is closed. I have setClientCookies to false and I am manually setting session.CFID and session.CFTOKEN using cfcookie tag in Application.cfm

    Can you please let me know where I can find more documentation on this for CF10.
    Thanks.

  4. Hi Shilpi,

    Thanks for the very informative blog post. I stumbled across this while attempting to troubleshoot a CF10 session dropping issue when switching between subdomains. We've never experienced this issue in 6 years of the application, and since upgrading to CF10 the sessions keep dropping. Our application uses 3 domains such as this:

    approve.domain.com
    book.domain.com
    profiles.domain.com

    For various reasons we switch between these domains depending on functionality and it is all the same Application so I'm unsure when suddenly the session tokens are resetting when jumping between these domains. If you had any suggestions that would be great.

    I have tried forcing a

    But to no avail...

    Cheers
    Phil

  5. Hi Shilpi

    Could you advise what server configuration changes are required when using J2EE Sessions and allowing the session to cross between subdomains securely?

    Cheers
    Phil

  6. Hi Shilpi,

    I am working on ColdFusion 10. One of my existing applications is still using an Application.cfm.

    As you suggested, I tried to set the HTTPOnly and SECURE flags for the session cookies (CFID and CFTOKEN). But this is not working. I used the below code in the Application.cfm file.





    I checked this using Chrome developer tools, where the columns HTTP and SECURE against the cookies CFID and CFTOKEN are showing empty. I tried after restarting the CF instance but still it is not working.

    Could you please help me find why this is not working.

    Thanks,
    Abdul

  7. Though this is an old post, I'd like to respond to Rafael's comment, and Shilpi's follow-up, both from 2013. In CF11 a feature WAS indeed added to the CF Admin to allow for multiple concurrent logins.

    To be clear, though Rafael did not point it out, it would seem he was referring to use of CFLOGIN. The change to allow only a single login in the admin was also tied to changing the behavior of CFLOGIN. Many developers never use it (and if you don't, then you are not going to hit his problem where they "allow multiple people to share a single login".)

    Rafael, if you may get notified about this, it would be interesting to hear if you found the change in CF11 and whether it helped. If it did not, then perhaps I am guessing incorrectly about your problem. But without more info, it was all I could do, and I hoped that this new info would help you or future readers of this post.

