Thursday, September 20, 2012

Prevent accidental manipulation of ColdFusion session cookies

In ColdFusion 9.0.2 and earlier, people needed to modify ColdFusion session cookies for adding additional cookie attributes. With ColdFusion 10, this is no longer required. (For details see here). 

So now while migrating to ColdFusion 10, this code needs to be updated. Let's see the scenario when this code is left out. The behavior is unknown. To avoid this, ColdFusion 10 comes with another setting - 

Settings -> Memory Variables -> Session Cookie Settings -> Disable updating ColdFusion internal cookies using ColdFusion tags/functions

It can also be set using Application.cfm/cfc. See this entry for details.

When enabled this will prevent CFCookie and CFHeader tags to update ColdFusion session and authorization cookies.

There is one more enhancement done for cfcookie/cfheader - In previous versions, cookie value was always encoded. However this might cause issues with a cookie value expected with some extra characters. Now you can use new attribute "preservecase" and "encodevalue" for CFCookie tag and "encoded" attribute for CFHeader tag when type=cookie.


  1. Hello Sameeksha and thank you for posting on this topic.

    The "Use UUID for cftoken" checkbox is very helpful. Thank you for pointing that out. Is there any way to do this with the value of CFID? Over the last week I have been in the process of migrating to CF10 and this one last issue still remains for PCI compliancy.

    Security Metrics Scan complains...
    Data Received: Sending several requests gives us the following session IDs : CFID=37810 CFID=37813 CFID=37814 CFID=37815 CFID=37816 Resolution: Configure the remote site and CGIs so as to use random session IDs.

    On my CF 9 server I would encrypt the CFID and onSessionStart with this…

    …and then on init() in the Application.cfc I would decrypt it using...

    But now on CF 10 server I get the following error… (On restart CF10 service)
    The system has attempted to use an undefined value, which usually indicates a programming error, either in your code or some system code.
    Null Pointers are another name for undefined values.

    Is it not possible to randomize the value of CFID anymore?


  2. Hi Jack,

    Can you share the code written in onSessionStart?

    For adding value of CFID at your own, you need to disable/uncheck the flag mentioned in this entry. And then use make changes as per

    Hope it helps.


  3. Thank you again,
    With the checkbox for sure unchecked this code still errors...

  4. Yes, it would. The checkbox is one step for allowing these changes. I would still have to look into the code written in onsessionstart.

  5. I'm sorry, my code didn't show last post. Here is is again...

    cfset = "web_app"
    cfset this.sessionmanagement = true
    cfset this.setclientcookies = false !--- tried this both ways ---
    cfset this.applicationtimeout = createTimeSpan(1,0,0,0)
    cfset this.sessiontimeout = createTimeSpan(0,0,30,0)
    cfset this.scriptProtect = "all"
    cfset this.clientmanagement = "True"
    cfset this.clientstorage = "CDATA"

    cfif StructKeyExists( COOKIE, "ID" )
    cfif isdefined('server.encrypt_key')
    cfset THIS.DecryptedID = Decrypt(COOKIE.ID,server.encrypt_key,"CFMX_COMPAT","HEX") /
    cfcookie name="CFID" value="#ListFirst( THIS.DecryptedID )#" expires="NOW" httponly="true" /!--- error occurs here ---
    cfcookie name="CFTOKEN" value="#ListRest( THIS.DecryptedID )#" expires="NOW" httponly="true" /!--- and here if I delete previous line ---
    cfcookie name="testOther" value="#ListRest( THIS.DecryptedID )#" expires="NOW" httponly="true" /!--- this will work if prev 2 lines deleted ---

    var LOCAL = StructNew()
    cfset LOCAL.EncryptedID = Encrypt("#SESSION.CFID#,#SESSION.CFTOKEN#",server.encrypt_key,"CFMX_COMPAT","HEX") /
    cfcookie name="ID" value="#LOCAL.EncryptedID#" expires="NEVER" httponly="true" /
    session.start = now()

  6. I'm sorry but I have tried to submit it twice and I am afraid it is not posting. In an effort to find a place to post the code I created a Blog and posted the code there for your review...

    Again, I am sorry fro not being able to post it here.


  7. Hi Jack,

    I have received the code. I will get back on this to you.


  8. Hi Jack,

    The can you share stack trace as well. It is better if you use contactform to send me the stack trace.



You can subscribe to the comments by licking on "Subscribe by email".