In the stateless HTTP web world, sessions play an important role in maintaining state. Critical user data is often saved in the session. An ID is associated with each session, and it is what distinguishes one user's requests from another's. This session token, often called JSESSIONID in the J2EE world, is stored on the client side in a cookie.
Session IDs are mostly stored in cookies, and we have already learnt that cookies are prone to attacks; Session Hijacking and Session Fixation are two of these.
These attacks can be avoided by using proper server-side measures and client-side cookie handling. For example, when a user logs out, the session data should be cleared, and when a user logs in, his current session data should be copied to a session with a new ID.
This can avoid attacks like Session Stealing and Session Fixation.
In ColdFusion 10, you have ready-to-use methods to do this. Two new methods have been added:
1. SessionInvalidate()
SessionInvalidate() clears the data stored in the session.
However, because in J2EE applications one JSESSIONID may be shared by many applications, it does not explicitly invalidate the underlying HttpSession.
2. SessionRotate()
SessionRotate() generates a new session ID while preserving the current session's data. It does the following:
- The current session's data is copied,
- the current session is invalidated,
- a new session is generated,
- and the data copied from the invalidated session is placed in the newly generated session with its new session ID.
I am sure this will be very useful for all kinds of applications, small or big.
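The login and logout flow the post describes, written out as an added example; it is not code from the original post or from ColdFusion itself. It assumes a CF10 application using ColdFusion (not J2EE) session management. The application name, the inline credential table and the authenticateUser() helper are constructed for illustration, the this.sessionCookie options are assumed to be the CF10 Application.cfc cookie settings, and account.cfm is a hypothetical landing page.

```cfml
// Application.cfc (added example, not from the original post)
component {
    this.name = "sessionDemo";                          // constructed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    // CF10 session-cookie options (assumed): HttpOnly keeps script from reading the
    // cookie, Secure keeps it off plain HTTP. Both reduce the chance the ID leaks.
    this.sessionCookie = { httpOnly = true, secure = true };

    public boolean function onSessionStart() {
        // Pre-login state that SessionRotate() will carry over to the new session ID.
        session.loggedIn = false;
        session.cart = [];
        return true;
    }
}

<!--- login.cfm (added example, not from the original post) --->
<cfscript>
// Constructed credential table: username -> SHA-256 of the password. A real
// application reads this from a user store with salted, slow hashes; it is inline
// here only so the example is self-contained.
userTable = { "alice" = hash("correct horse", "SHA-256") };

// Hypothetical helper: returns a user struct on success, an empty struct otherwise.
function authenticateUser(required string username, required string password) {
    if (structKeyExists(userTable, arguments.username)
        && compare(userTable[arguments.username], hash(arguments.password, "SHA-256")) == 0) {
        return { id = arguments.username };
    }
    return {};
}

function handleLogin(required string username, required string password) {
    var user = authenticateUser(arguments.username, arguments.password);
    if (structIsEmpty(user)) {
        return false;
    }
    // Rotate first, store privileged data second: the pre-login session ID, which
    // could have been fixed in the browser before authentication, is invalidated and
    // a fresh ID is issued; session.cart survives because SessionRotate() copies the data.
    sessionRotate();
    session.loggedIn = true;
    session.userId = user.id;
    return true;
}

function handleLogout() {
    // Clears the session data immediately instead of waiting for the idle timeout.
    // With J2EE sessions enabled the underlying HttpSession is left alone (see the post).
    sessionInvalidate();
}

if (structKeyExists(form, "username") && structKeyExists(form, "password")) {
    if (handleLogin(form.username, form.password)) {
        location(url = "account.cfm", addToken = false);   // hypothetical landing page
    }
}
</cfscript>
```

The ordering inside handleLogin() is the point: anything privileged is written only after sessionRotate() has issued the new ID, so a session ID known to an attacker before login never becomes an authenticated one.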
Some good additions to session management. Is there any way to invalidate all active sessions for a given application (i.e., kick everybody out of an application for maintenance)? There are certainly other ways to get there (like checking an application variable on every request to see if system is closed) and invalidate each session individually as shown in your post, but we may just want to kick everyone out so they have to log in again (and hit the onSessionStart method again).
Jeff, interesting thought. No direct method is available to do so. A very risky function, I would say, as misuse of this will be costly. However, if this is a use case that many people come across, I would request you to please raise an ER at https://bugbase.adobe.com/ for ColdFusion.
Thanks,
Shilpi
@Jeff: you can do this simply by changing the name of your application in Application.cfc
I normally include a version number in my application names, e.g.:
this.name = "blog-20120314";
Updating that will not just invalidate the application scope immediately (since it is tied to that name on every request), but all current sessions as well (since they are dependent on it as well).
Shilpi, please do correct me if I'm wrong, but that's the way I've been doing it for quite a few years!
Hi Julian,
That is just going to start a new session. The previous one will remain on the server until the idle time has elapsed. By using SessionInvalidate() the session is cleared and removed immediately.
Shilpi
Hi Shilpi,
Yes, I understand the application and the sessions attached to it will still exist in memory until they time out, but they won't be accessible any more because the app name has changed. Hence all user sessions will no longer work.
SessionInvalidate() is different I know, but Geoff was asking for a way to "kick everyone out" and changing the app name does exactly that.
Cheers
Julian
Yeah, makes sense. Thanks for sharing that, Julian. Hope now this method will be quite handy.
Hi Shilpi,
We have just implemented the sessionRotate function on a server using J2EE sessions but found that it seems to leave the jsessionid client cookie unchanged after the function call (despite leaving a "session rotated" log entry), allowing a successful session fixation attack. The documentation is not clear: can you explain what should happen to the jsessionid on the client and server side? Is there anything else we need to do to make this work? Thanks.
Hi,
The J2EE session ID might not have changed if the web server is configured to reuse session IDs for a session already created. Can you please check this for the web server in use?
Thanks for the reply, Shilpi. Does this mean that sessionRotate() does not work on a vanilla install of CF10/Tomcat?
Can you please outline the steps required to reconfigure the web server?
Thanks.
Hi Shilpi. We're on ColdFusion 10,0,9,284568 (Tomcat 7.0.23.0) with J2EE sessions enabled and we're trying to resolve a session fixation vulnerability that has been identified with the value of JSESSIONID remaining unchanged after calling SessionRotate() (same issue the poster above describes).
Would you be able to explain how we can reconfigure Tomcat to NOT reuse the underlying jsessionid when rotating sessions?
Thanks!
Both SessionRotate and SessionInvalidate do not invalidate the underlying J2EE session, as this might impact other applications which share the same J2EE session. In order to rotate the underlying J2EE session as well, you can invoke the invalidate method directly on the J2EE session object. Then, by invoking SessionRotate, the other session data will also be copied to the new session object.
Hope this helps.
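The approach in the reply above, written out as an added example; it is not code from the original post or from Adobe. It assumes J2EE session management is enabled in the ColdFusion Administrator, so that getPageContext().getSession() returns the servlet HttpSession whose getId() is the value carried in the JSESSIONID cookie. The rotateSessionWithJ2EE() function name, the before/after ID comparison and the log line are my additions, not anything the thread prescribes.

```cfml
<cfscript>
// Rotate the ColdFusion session AND the underlying J2EE (Tomcat) session.
// Added example built on the reply above; the function name and the ID check are assumptions.
function rotateSessionWithJ2EE() {
    // With J2EE sessions enabled, getPageContext().getSession() returns the servlet
    // HttpSession; its getId() is the value the browser holds in the JSESSIONID cookie.
    var httpSession = getPageContext().getSession();
    var oldId = httpSession.getId();

    // SessionRotate() on its own leaves this HttpSession untouched, because other
    // applications may share it. Invalidating it here forces the container to issue a
    // new JSESSIONID, so an ID that was known before login stops being valid.
    httpSession.invalidate();

    // Now rotate the ColdFusion session; per the reply, its data is copied into the
    // new session object.
    sessionRotate();

    var newId = getPageContext().getSession().getId();
    // Return both IDs so the caller can confirm the cookie really changed. If they are
    // equal, the web server is still reusing session IDs, which is the symptom reported
    // earlier in this thread and needs to be fixed in the container configuration.
    return { oldId = oldId, newId = newId, rotated = (oldId != newId) };
}

// Usage after successful authentication (constructed): rotate, then store user data.
result = rotateSessionWithJ2EE();
if (!result.rotated) {
    writeLog(type = "warning", file = "security", text = "JSESSIONID not rotated: " & result.oldId);
}
</cfscript>
```

The returned struct makes the check from the thread cheap to automate: a small test page that calls rotateSessionWithJ2EE() and reports result.rotated shows immediately whether a given deployment actually issues a new JSESSIONID, rather than relying on the "session rotated" log entry alone.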