Monday, March 12, 2012

Improved Session Management in ColdFusion 10


In the stateless HTTP web world, sessions play an important role in maintaining state. Critical user data is often saved in the session. An id is associated with this session, which distinguishes one user's requests from another's. This session token, often called JSESSIONID in the J2EE world, is stored on the client side in a cookie.

Session ids are mostly stored in cookies, and we have already learnt that cookies are prone to attacks; session hijacking and session fixation are two of them.

These attacks can be avoided by proper server-side measures and client-side cookie handling. For example, when a user logs out, the session data should be cleared, and when a user logs in, the current session data should be copied to a session with a new id. This avoids attacks like session stealing and session fixation.

In ColdFusion 10, you have ready-to-use methods to do this. Two new methods have been added:

1. SessionInvalidate()

SessionInvalidate() clears the data stored in the session.
However, because in J2EE deployments one JSESSIONID may be used by many applications, it does not explicitly invalidate the underlying HttpSession.


2. SessionRotate()

SessionRotate() generates a new session id while preserving the current session's data. It does the following:
  1. The current session's data is copied,
  2. the current session is invalidated,
  3. a new session is generated, and
  4. the data from the invalidated session is copied to the newly generated session with its new session id.
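As an added example (not code from this post or from Adobe), here is the rotate-on-login / invalidate-on-logout pattern described above, written in CFML for ColdFusion 10. The user store, hashing scheme, URLs and log file name are constructed placeholders, and the post-rotation check assumes that session.sessionid reflects the id the client is issued.

```cfml
<cfscript>
// Constructed demo user store: one user, password hashed at startup.
// A real application would read salted hashes from its user store instead.
variables.users = { "alice" = hash("correct horse battery", "SHA-256") };

// Login step from the post: verify credentials, then rotate the session id
// BEFORE the session is marked authenticated, so the id the client brought
// to the login form (possibly planted by someone else) never becomes a
// logged-in id.
boolean function login(required string username, required string password) {
    var expected = structKeyExists(variables.users, arguments.username)
                   ? variables.users[arguments.username] : "";
    if (!len(expected) || compare(expected, hash(arguments.password, "SHA-256")) != 0) {
        return false;
    }

    var oldId = session.sessionid;          // id the client arrived with (assumed built-in)
    sessionRotate();                        // copy data, invalidate, new id, copy back
    if (session.sessionid == oldId) {
        // The id did not change (for example the servlet container kept the
        // same J2EE session id). Fail closed instead of logging the user in
        // under an id that may already be known to someone else.
        sessionInvalidate();
        writeLog(type="error", file="auth",
                 text="SessionRotate left session id unchanged for #arguments.username#");
        return false;
    }

    session.userId     = arguments.username;
    session.loggedInAt = now();
    return true;
}

// Logout step from the post: drop everything stored in the session, then
// send the browser back to the login page without appending CFID/CFTOKEN.
void function logout() {
    sessionInvalidate();
    location(url="/login.cfm", addToken=false);
}
</cfscript>
```

The id check is what surfaces the case raised in the comments below, where the J2EE JSESSIONID stays the same after SessionRotate(); on such a deployment the login refuses to proceed and writes a log entry instead of silently keeping the pre-login id.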


I am sure this will be very useful for all kinds of applications, small or big.



18 comments:

  1. Some good additions to session management. Is there any way to invalidate all active sessions for a given application (i.e., kick everybody out of an application for maintenance)? There are certainly other ways to get there (like checking an application variable on every request to see if system is closed) and invalidate each session individually as shown in your post, but we may just want to kick everyone out so they have to log in again (and hit the onSessionStart method again).

    1. Jeff, interesting thought. No direct method is available to do so. A very risky function I would say, as misuse of this will be costly. However, if this is a use case that many people come across, I would request you to please raise an ER at https://bugbase.adobe.com/ for ColdFusion.

      Thanks,
      Shilpi

  2. @Jeff: you can do this simply by changing the name of your application in Application.cfc

    I normally include a version number in my application names, e.g.:

    this.name = "blog-20120314";

    Updating that will not just invalidate the application scope immediately (since it is tied to that name on every request), but all current sessions as well (since they are dependent on it as well).

    Shilpi, please do correct me if I'm wrong, but that's the way I've been doing it for quite a few years!

  3. Hi Julian,

    That is just going to start a new session. The previous one will be on the server until the idle time has elapsed. By using SessionInvalidate() the session is cleared and removed immediately.

    Shilpi

  4. Hi Shilpi,

    Yes I understand the application and sessions attached to it will still exist in memory until they time out, but they won't be accessible any more because the app name has changed. Hence all user sessions will no longer work.

    SessionInvalidate() is different I know, but Geoff was asking for a way to "kick everyone out" and changing the app name does exactly that.

    Cheers
    Julian

  5. Yeah, makes sense. Thanks for sharing that, Julian. Hope now this method will be quite handy.

  6. Hi Shilpi,

    We have just implemented the sessionRotate function on a server using J2EE sessions but found that it seems to leave the jsessionid client cookie unchanged after the function call (despite leaving a session rotated log entry), allowing a successful session fixation attack. The documentation is not clear: Can you explain what should happen to the jsessionid on the client and server side? Is there anything else we need to do to make this work? Thanks.

  7. Hi,

    The J2EE session id might not have changed if the web server is configured to reuse session ids for a session already created. Can you please check this for the web server in use?

  8. Thanks for the reply Shilpi. Does this mean that sessionRotate() does not work on a vanilla install of CF10/Tomcat?

    Can you please outline the steps required to reconfigure the web server?

    Thanks.

  9. Hi Shilpi. We're on ColdFusion 10,0,9,284568 (Tomcat 7.0.23.0) with J2EE sessions enabled and we're trying to resolve a session fixation vulnerability that has been identified with the value of JSESSIONID remaining unchanged after calling SessionRotate() (same issue the poster above describes).

    Would you be able to explain how we can reconfigure Tomcat to NOT reuse the underlying jsessionid when rotating sessions?

    Thanks!

  10. Both SessionRotate and SessionInvalidate don't invalidate the underlying J2EE session, as this might impact other applications which share the same J2EE session. In order to rotate the underlying J2EE session as well,
    you can invoke the invalidate method directly on the J2EE session object. Then, by invoking SessionRotate, the other session data will also be copied to the new session object.

    Hope this helps.

    1. Shilpi,

      Can you post or refer to sample code showing how to invalidate directly on j2EE session object and then invoke sessionRotate?

      There are cases where there are no other applications sharing the same J2EE session. For a future version of CF, please consider an option for the SessionRotate and SessionInvalidate methods that will act on the underlying J2EE session.

      Thanks
      Tom

    2. Hi Tom,

      Please log an ER for SessionRotate and SessionInvalidate to work on j2ee session as well.

      As far as doing it is concerned, you can use the GetPageContext method and then GetSession to work on the HTTP session. Use caution while playing with the session object directly, though.

  11. Hello,

    To resolve the jsessionID session fixation issue, it is relatively straightforward to compile this code created by Daniel Wasser and Thomas Schmidt: http://www.gslab.com/blogs/item/76-session_fixation. This code is then plugged into Tomcat as a valve and will solve the issue.

    It would have been good to see this functionality built into CF 10.

    1. Hi,

      Can you please log a bug in bugbase for the same and add details?

      Shilpi

  12. Ran into this today, but it looks like if I rotate the session after login using IE 10 on Windows 7, it always treats it as a brand new session. Example in a normal scenario:

    Login -> Success -> RotateSession -> User Dashboard

    Works perfectly, but on IE10 only in Windows 7, not 8:

    Login -> Success -> RotateSession -> Back to login screen even without my notification messages (as I attach to session)

    I dump my session and can see the values change on all browsers, but IE10 in Win 7 is the only one doing this. I thought maybe it's my dev tools, but I can't seem to find any type of setting which might cause this.

  13. Hi Giancarlo,

    There is some issue with IE in windows 8. We have logged a bug for the same. One workaround to fix it is to reduce security settings in IE. Can you confirm if this error doesn't occur on other browsers?

    Shilpi

  14. Hi Shilpi, sessionRotate() seems to work for CFID/CFtoken. However, when using jsessionID it does not change. Is sessionRotate only for CFID/CFtoken or should we be able to rotate the jsessionID also?

