In the stateless HTTP web world, sessions play an important role in maintaining state. Critical user data is often saved in the session. An id is associated with this session, and it is what distinguishes one user's requests from another's. This session token, often called JSESSIONID in the J2EE world, is stored on the client side in a cookie.
Session ids are mostly stored in cookies, and we have already learnt that cookies are prone to attacks. Session Hijacking and Session Fixation are some of these.
These attacks can be avoided by using proper server-side measures and client-side cookie handling. For example, when a user logs out, the session data should be cleared, and when a user logs in, their current session data should be copied to a session with a new id.
This can avoid attacks like Session stealing and Session Fixation.
In ColdFusion 10, you have ready-to-use methods to do this. There are two new methods added:
SessionInvalidate will clear the data stored in the session.
However, because in J2EE deployments one JSESSIONID may be shared by many applications, we don't explicitly invalidate the underlying HttpSession.
SessionRotate will generate a new session id while preserving the current session's data. It does the following:
- The current session's data is copied,
- the current session is invalidated,
- a new session is generated,
- and the data from the invalidated session is copied into the newly generated session with the new session id.
I am sure this will be very useful for all kinds of applications, small or big.
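As an added example (not code from the original post), here is how the two functions fit into a login/logout flow: sessionRotate() is called only after credentials have been verified, so any session id an attacker planted before login is discarded, and sessionInvalidate() is called on logout so nothing sensitive stays behind in the session scope. The authenticateUser() function and the session keys are hypothetical placeholders for your own user store and data.

```cfml
<!--- SessionAuth.cfc: added example for ColdFusion 10's sessionRotate()/sessionInvalidate() --->
component output="false" {

    /**
     * Log a user in. Returns true on success, false on bad credentials.
     * Rotating the id AFTER authentication is what defeats session fixation:
     * an id handed to the victim before login never becomes an authenticated id.
     */
    public boolean function login(required string username, required string password) {
        // hypothetical credential check; replace with your own lookup
        if (!authenticateUser(arguments.username, arguments.password)) {
            return false;
        }

        // Copies the current session data, invalidates the old session,
        // and continues under a freshly generated session id.
        sessionRotate();

        // Populate user data only after the id has changed.
        session.userId   = arguments.username;
        session.loggedIn = true;
        session.loginAt  = now();
        return true;
    }

    /**
     * Log a user out. Clearing the session scope means the old id,
     * even if it was stolen, no longer carries any user data.
     */
    public void function logout() {
        sessionInvalidate();
    }

    /**
     * Guard for protected pages: the session must have been established by login().
     */
    public boolean function isAuthenticated() {
        return structKeyExists(session, "loggedIn") && session.loggedIn;
    }

    // Hypothetical authenticator stub; a real implementation would hash and
    // compare against a stored credential, never a plain-text match like this.
    private boolean function authenticateUser(required string username, required string password) {
        return len(arguments.username) && len(arguments.password);
    }
}
```

Usage: `new SessionAuth().login(form.username, form.password)` from the login handler and `new SessionAuth().logout()` from the logout page. Note that sessionRotate() only changes ColdFusion's own session id (CFID/CFTOKEN); if the application is configured to use J2EE sessions, the JSESSIONID remains shared with other applications on the same server, which is why sessionInvalidate() leaves the underlying HttpSession alone.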