Comments on Sameeksha: Update on Security Hot-Fix Feb 2011
Blog author: Shilpi Mitra. Comment feed last updated 2023-01-23 20:02 (+05:30); 21 comments, newest first.

----
Shilpi Mitra, 2013-07-23 20:20 (+05:30)

Hi Thomas,

I would need some more information to help you on this issue. Is it possible for you to check the pieces of code which were discussed above? Also, which version of CF are you using?

Shilpi

----
Saint Jude Prayer, 2013-07-05 10:42 (+05:30)

Hi Shilpi,

We are experiencing a serious issue with losing session cookies on our site www.insead.edu, and we have multiple applications running under this URL.

The main URL has an application.cfm.

Subsequent applications have their own application.cfm.

I have been reading your and Julian's blogs and am looking for a final conclusion on the fix we needed to make.

----
Shilpi Mitra, 2012-01-09 16:20 (+05:30)

Daemon, I think I missed out on this comment. Are you still facing an issue? My apologies for missing this one.

----
wtfdaemon, 2011-08-11 09:32 (+05:30)

Shilpi,

Any update on the issue with this update breaking CF Administrator on an 8.0.1 install?

I get "ESAPIUTILS is undefined in a Java object" on line 30 of the login.cfm template.

----
Shilpi Mitra, 2011-03-14 16:11 (+05:30)

Hey Julian,

Thanks a lot for confirming and for the feedback.

Cheers,
Shilpi

----
Julian, 2011-03-14 15:58 (+05:30)

Hi Shilpi,

It's been nearly 3 days since we turned on the Session Fixation protection and we've not had a single report, so I think it's safe to confirm the problem as resolved.

Thanks for considering making things easier if possible, but I think you perhaps just need to communicate the impact of the change more clearly. It's still possible to set session-only cookies, but the code for doing so needs to take account of this change in the way CF creates sessions.

Best wishes,
Julian

----
Shilpi Mitra, 2011-03-12 00:32 (+05:30)

Hi Julian,

Thanks a lot. Your blog entry was quite descriptive. We will wait for your confirmation and then update the bug logged.

Also, we will take this input and see how we can make it easier for customers to have session-only session cookies.

Cheers,
Shilpi

----
Julian, 2011-03-11 20:09 (+05:30)

Shilpi, we've only switched on the protection again in the last hour, having had to go through all our code base first, and being Friday there aren't so many people at work to verify. But I'm pretty confident this is the solution. Testing locally has certainly confirmed it.

It explains the intermittence: if you opened your browser and logged in you wouldn't have had any problem, because the cookie would be new. But if you've had your browser open for a while and are logging in for the second time, then the old cookie would have been used with the wrong session ID.

I'll confirm definitively once we're sure.

I think it would be good if Adobe could document this in some way, as it's sure to catch quite a few of your customers out. Setting session-only cookies is a known good practice, and to do this in CF you have to turn off the default cookie management and set your own (unless you use JSessions of course, but we, and I'm sure many others, don't).

Cheers,
Julian.

----
Shilpi Mitra, 2011-03-11 18:15 (+05:30)

Hi Julian,

Thanks a lot for confirming. So that means the issue is fixed now?

Yes, with the patch, CF has a different approach to handling session tokens and to generating new ones as well. Hence people not using default client cookie management, or setting cookies on their own, might have to revisit their code.

Thanks,
Shilpi
ColdFusion Team

----
Julian, 2011-03-11 14:08 (+05:30)

Shilpi, I posted a comment here yesterday, but it didn't appear. Tried again, but it still hasn't. Hoping this one will.

I think I understand the issue now. Basically the session fixation patch changes the way CF generates session IDs, which will impact anyone using a widely used technique for creating session-only cookies.

I've written a blog post with details:

cfsimplicity.com/4/coldfusion-security-hotfix-seems-to-change-session-behaviour

----
Shilpi Mitra, 2011-03-11 13:30 (+05:30)

Hi Gary,

Prior to the Feb Hot-fix, there were no such issues. Can you please share if there is any pattern you know of?

Shilpi

----
Anonymous, 2011-03-11 04:42 (+05:30)

Prior to the February hotfix, are there any other bugs that would cause sessions to be dropped? We have experienced this for a while and it's very random. Thanks.

----
Julian, 2011-03-10 17:35 (+05:30)

Shilpi, I think I've identified the problem from what you say.

Prior to the HotFix, when starting a new session ColdFusion would only create new CFID/CFTOKEN values if none already existed in the browser's cookies. If it found cookies from an expired session, then it would use them for the new session.

This meant that it was not necessary to write new cookies if they already existed, hence the conditional widely used when manually setting session cookies.

With this HotFix, it seems that ColdFusion will create new CFID/CFTOKEN values to link up a new session REGARDLESS of whether any cookies already exist.

So with the HotFix applied, if CFID/CFTOKEN cookies exist in the browser, the conditional will, as you say, prevent the new session keys being written, and the session will be lost on the next request.

This seems to be a critical change of behaviour that is clearly breaking apps. Is it absolutely necessary to fix the Fixation vulnerability?

I've written a tiny app which demonstrates the changed behaviour; I'll try and write it up as a blog post later on.

----
Shilpi Mitra, 2011-03-10 13:14:52 (+05:30)

Julian,

I request you as well to check/test if the cookie-writing code has a similar blocking condition.

Shilpi

----
Shilpi Mitra, 2011-03-10 13:14:13 (+05:30)

Hi Jay,

This is because of the following:

1. You have set setClientCookies=false.
2. In the code to set cookies, you have the following condition:

Now if users don't delete the old cookies, then with the above condition the old cookie value will always be found, and if ColdFusion does not find an active session for this request, it will start a new one. However, these new values are never set in the cookies.

You can probably change the check before setting the cookies to match the value from the cookie and the session. If the values don't match, then you reset the cookie as well.

Hope this helps.

Shilpi
ColdFusion Team

----
Shilpi Mitra, 2011-03-10 11:12 (+05:30)

Hi Julian,

Thanks a lot for raising the issue.
So here is what I would request. If you have re-applied the latest update released on 7th March for the Security Hot-fix, can you try removing the domain/path fix which I suggested, as that was just a temporary solution till we could release the update to the Security Hot-fix.

If the problem still persists, please confirm.

----
Julian, 2011-03-10 00:09 (+05:30)

Hi Shilpi,

I'm not sure what log details I can give you as there are no server errors - just intermittent behaviour in client browsers. If you can tell me what to log I'm happy to try.

I have already raised a bug report: http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=86494

None of our apps use FORM or URL to pass CFID/TOKEN. We always use cookies which we set ourselves using cfcookie (with the domain/path attributes as you advised).

Thanks.

----
j, 2011-03-09 23:04 (+05:30)

I can also confirm this is still an issue.

See my post here:

http://bit.ly/e8rXCI

----
Shilpi Mitra, 2011-03-09 20:18 (+05:30)

Julian,
Another thing: does your application pass CFID/CFTOKEN values in FORM instead of using cookies for the session?

----
Shilpi Mitra, 2011-03-09 19:57 (+05:30)

Hi Julian,

Can you please help us with some more details from the logs about this error? Also some scenarios, if there is anything particular. I would also request you to raise a bug.

----
Julian, 2011-03-09 19:52 (+05:30)

Shilpi, this update to the HotFix has not solved our problem. As soon as we applied the new version of the HF, the same reports of lost sessions started coming in (see comments on your previous post).

Rather than rolling back we added the JVM argument to switch off the Session Fixation fix, and this stopped the problem, but still leaves us vulnerable.