Just wondering if anyone has come across an issue in CF10 whereby sessions are dropped when crossing between subdomains for the same Application under HTTPS, even though the JSESSIONID is being explicitly passed in these links which had worked for us for over 5 years without fail prior to CF10. From what I have read there appears to be a big change to address the Session Fixation security issues in CF10 which explains why the sessions would drop jumping between HTTP and HTTPS but this doesn't explain my issue. I understand the Session Fixation changes introduced in CF 9.02 and CF will definitely have an impact on our passing JSESSIONID via the URL, however this behaviour has been removed still the session is dropping.
Essentially we have CF10 installed with J2EE Session Management turned on, and the default HTTPOnly set to true. This is a single CF Application with the same Application name, setClientCookies is false and in the application the domain structure looks as follows:
https://book.domain.com
https://profile.domain.com
https://approve.domain.com
When crossing between the domains (which had worked for many years prior) the session drops and CF issues a new set of session identifiers.
Even setting a cookie in the onSessionStart() as follows has no effect:
<cfcookie name="jsessionid" value="#session.sessionid#" domain=".domain.com" secure="true">
Has anyone come across this behaviour migrating to CF10?
Cheers
Phil
So after playing around with a number of settings and ideas I now have the sessions behaving across the subdomains mentioned in my original question over HTTPS and using secure (browser based) cookies, thereby satisfying PCI-DSS Compliance requirements. All passing of JSESSIONID via the URL was removed from the system and the following lines added into the Application.cfc for both the constructors and the onSessionStart(). Note the setDomainCookies and setClientCookies set to false and the Domain specific sessioncookie settings below and also note in the onSessionStart my cookie being set without an expiry to ensure it only lasts for the duration of the browser, and the new CF10 encodeValue attribute to prevent strange encoding issues with the cookie values:
<cfcomponent hint="Application" output="false">
<cfscript>
// Application Settings
this.name = "myApplication";
this.applicationTimeout = createTimeSpan(0,2,0,0);
this.clientManagement = false;
this.loginStorage = "session";
this.sessionManagement = true;
this.sessionTimeout = createTimeSpan(0,1,0,0);
this.setClientCookies = false;
this.setDomainCookies = false;
// Domain specific settings for session persistence over subdomains
this.sessioncookie.domain = '.domain.com';
this.sessioncookie.httponly = true;
</cfscript>
<cffunction name="onSessionStart" returnType="void" output="false">
<cfcookie name="jsessionid" value="#session.sessionid#" secure="true" domain=".domain.com" encodeValue="false">
</cffunction>
</cfcomponent>
Related
I am using Railo - CFML and it seems that it is not using application.cfc/.cfm because I have deleted those from the folder and it worked just the same. With that being said.
I am trying to force cookies to be deleted when I someone logs out of my application. Some how the information is being restored after I have forced the information in the cookie to be changed.
I have physically deleted the cookie and it forces a CFID update. However, that's the only time that I have been able to get a CFID change. I have looked more into the cookie and using my web developer toolkit, the cookie is set to expire in 2045.
I have searched on here for hours looking for methods to work and I can tell you so far they work on other projects that I have worked on but for some reason I cannot get it to work on this current project. Just a heads up, I am the 15th programmer on this site.
Here is some of the code that I am working with:
<cfcookie
name="CFID"
value="Dead"
expires="NOW">
<cfcookie
name="cfid"
value="Dead"
expires="NOW">
<cfset structClear( session ) />
<cfset delete_cookie=StructDelete(cookie,"CFID")>
<cfcookie name="CFID" value="0" expires="Thu, 01-Jan-70 00:00:01 GMT">
<cfoutput>Cookie Deleted: #delete_cookie#<br /></cfoutput>
<cfset delete_cookie=StructDelete(cookie,"cfid")>
<cfcookie name="cfid" value="0"expires="Thu, 01-Jan-70 00:00:01 GMT">
<cfset delete_cookie_ga=StructDelete(cookie,"_ga")>
<cfcookie name="_ga" value="0"expires="Thu, 01-Jan-70 00:00:01 GMT">
<!--- Redirect back to index page. --->
<!----<cflocation
url="/"
addtoken="false"
/>--->
<cfdump var=#cookie#>
Here is what I am getting:
Before I use that code.
Scope
_ga string GA###########
cfid string (random letters & numbers)
cftoken string 50
After I use that code I get:
Scope
_ga string 0
cfid string 0
cftoken string 50
This is me trying 2 different ways to get the job done.
However, after I run this and look at my cookies for my site, I still see the CFID with an expiration of 2045.
Your code works fine for manipulating the cookie values on Railo. It appears Railo is performing session management tasks after the code has completed, and is setting the cfid cookies back.
Even if you could change the cfid cookie value, the existing session would still exist. Those that can view the session with the cfid in a url would still be able to use the corresponding session until it naturally times out. To invalidate a session in Railo 4 or higher you can use the SessionInvalidate() function. This function will update the clients cfid, and force the current session to expire.
Without knowing more about your application, I’m unsure if invalidating the session will resolve the security issues you have been working on.
After further research I have found that my Railo Server admin had the sessions to time out after 90 days. This has been changed and the sessions expire after 20 mins. So if you use railo make sure that you update web admin and not just server admin. Lesson learned. Thanks everyone. Also a HUGE thank you to Ben Nadel for helping with this problem!
Using latest version of cakephp v2.3.3
I have a problem with my session variables when a browser doesn't allow cookies.
I pass variables from one controller to the other and this works perfect as long as the browser has cookies enabled. I have tried it with the Session helper in the controllers, but no effort, same problem.
How to fix this, is there a work around???
Cookies are required to keep track of the session ID, but you can manually get or set the session ID using $this->Session->id(). By adding the code below to the App Controllers' before filter you can set the session ID as a URL paramter like http://example.com/posts/view/1?session=qkv108c2pqeubcpeos1q7ekds3, for example.
if (!empty($this->request->query['session'])) {
$this->Session->id($this->request->query['session']);
}
The session ID is required for every request which means you have to include it in every link. I would suggest extending the HTML helpers' url and link methods to automatically add it.
Edit:
You should verify that $this->Session->read('Config.userAgent'); or $this->request->clientIp(); has not changed since the user was authenticated to prevent session hijacking. Thanks to thaJeztah for pointing this out.
due to the fact that my users have configured their sessions to reopen each time they reopen their firefox browser. the 'session' cookies come back.
but my website needs fresh authentication if the session cookie is not present or 24 hours old. so I am having this problem of needing to manually remove the expired cookies each time i reopen browser after 24 hours.
to combat this, i tired to put a 'Logout' link on my page which should have helped me. but unfortunately it is not helping...
i tried below code to remove the cookies, but it seems it does not remove the cookies from the sqilte table in which firefox stores its cookies. After the following code is run, cookies reappear.. (or are they not getting removed???) how can i achieve that?
code:
function Delete_Cookie( name, path, domain )
{
document.cookie=name+"="+((path) ? ";path="+path:"")+((domain)?";domain="+domain:"")+";expires=Thu, 01 Jan 1970 00:00:01 GMT";
}
$("#Logout").click(function() {
Delete_Cookie('SecOne','/','.mydomain.com');
Delete_Cookie('SecTwo','/','.mydomain.com');
alert("Bye");
});
Although I can't say for certain what the problem is, there are a few possibilities:
The domain name could be wrong.
You could write a test delete line that doesn't use the path and domain names and see if it works then. If the cookies get deleted after that change, then it's the string you made for the delete line, or the parameters that are passed in that are wrong.
Also, perhaps it is possible another section of your code is causing the cookies to reappear. Check to see if there's any other cookie setting things that get called after this is.
Or maybe the page needs reloaded in order for the cookies to disappear
If the cookie is HttpOnly cookie, it is not able to read/delete from HTTPS secured webpage. If the cookie is normal one, below functionality can be used for delete cookie.
function deleteCookie(keyName){
var allcookies = document.cookie, i, cookiearray = null, name = null;
cookiearray = allcookies.split(';');
for (i = 0; i < cookiearray.length; i++) {
name = cookiearray[i].split('=')[0].trim();
if (name === keyName) {
document.cookie = name + '=000;expires=Thu, 1 Jan 1970 00:00:00 UTC; path=/';
}
}
}
Note: Session cookies are not able to delete even browser is getting closed. This is known bug in chrome browsers. Refer below link
Cookie issue in chrome
I know this is an old thread but I was having the same problem as I kept trying to set a cookie with a time in the past, thinking it would expire and not show in FF cookie manager.
Setting the cookie to expire in the future but having a blank value got rid of it. Not sure why.
setcookie(mycookie,"", time()+5000,'/');
Using FireFox v40.0.3
Seems there have been a few bugs logged with Firefox and it's handling of cookie expiration.
I need to reset the session identifier once user logs in to the application. But I have tried for several days, but still cannot reset jsessionid cookie and if it does, the server seems not recognize it. Could someone please provide some suggestion or some code examples?
Here is the code in login_action.cfm where login.cfm submit the form to:
login form submit user credential to login_action.cfm. here is the code in login_action.cfm:
<cfcookie name="JSESSIONID" value="0" expires="now">
<cfif IsDefined('cookie.JSESSIONID')>
<cfheader name="Set-Cookie" value="JSESSIONID=0;expires=#GetHttpTimeString(CreateODBCDateTime(now()))#;path=/;HTTPOnly;secure=true;">
</cfif>
<cfset structclear(session)>
<cfhttp url="loginverify.cfm" method="post" >
<cfhttpparam name="username" value="#form.username#" type="formfield" ><cfhttpparam name="password" value="#form.password#" type="formfield" >
</cfhttp>
<cfset cookieval = "#MID(cfhttp.responseheader['set-cookie'][1], 12, findnocase(";", cfhttp.responseheader['set-cookie'][1])-13)#">
<cfheader name="Set-Cookie" value="#cfhttp.responseheader['set-cookie'][1]#">
<cfset cookie.jsessionid = cookieval>
<cflocation url="myfirstpage.cfm" addtoken="no">
here is the code to authenticate the user in loginverify.cfm:
<!--- authenticate users --->
<!--- if user passed--->
<cfset session.gooduser = true>
<cfset session.userpermission = 1>
but it seems the session variables defined in loginverify.cfm is not recognized in login_action.cfm
.
Any suggestion?
Thanks a lot.
Just wanted to add an updated answer for this discussion. Since the last comments here, Adobe has addressed session fixation automatically within CF.
If you're on CF10, or if you install CF 9.0.2, that includes it.
If you are on 9.0.1 or less (back to 8.0) there is a security hotfix which add it: APSB11-04 (posted 2/8/2011 and updated 3/7/2011).
Note also that the technote for that fix ( http://helpx.adobe.com/coldfusion/kb/security-hotfix-coldfusion-8-8.html ) also mentions a workaround to disable the session fixation protection (and it would apply to those on 9.0.2 and 10 as well):
If you add the following JVM property, -Dcoldfusion.session.protectfixation=false, to the appropriate jvm.config for your CF instance (and restart), it will revert CF back to not adding the session fixation protection (which simply leaves your server as vulnerable to fixation attacks as it had always been).
Of course, most should want the protection, but as it does introduce some problems for some applications (not well-documented, sadly), just know that it is an option to turn it off, if needed.
An updated version of what you're trying to accomplish can be found at:
12Robots.com - Session token rotation REVISITED (wayback link)
However that has the issue of not cleaning up the extra sessions or carrying over any session data that you want to persist.
With session cleanup
You're not going to be able to log the user in and invalidate their session at the same time. You must invalidate their session and then in the next request, log them in. The basic flow would be something like:
Process login form and make sure the user is valid
Create a secure message containing the user credentials and session data to persist
Invalidate the session
Relocate the page to itself, with the secure message in the url
With the new session created for this page request, log the user in using the credentials from the secure message
Step 3 (invalidating the session) can be done as:
<cfscript>
session.setMaxInactiveInterval(1);
getPageContext().getSession().invalidate();
</cfscript>
<cfcookie name="jsessionid" expires="now">
<cfcookie name="cfid" expires="now">
<cfcookie name="cftoken" expires="now">
and then immediately redirect (cflocation) after that, making sure to have addtoken set to false.
You also need to make sure that the secure message is temporal and can't be used more than once. So you'll have additional database action on both sides of the redirect.
That will accomplish what you're after, but probably not as straight forward as you had hoped.
Simple alternate
Another method of preventing session fixation is to simply prevent step 2 in your reference from happening.
At the most simple, if you see jsessionid, cftoken or cfid in the url then cfabort the request. This must be done before the application "kicks in" and sets or processes client cookies. So in Application.cfm it would be done before cfapplication and in Application.cfc it would be done outside of any function (ie where you set "This.name").
You could take this further and strip out the session identifiers and cflocation to the safe url. This could also be done from the web server using mod_rewrite, et al, to stop ColdFusion from ever seeing the harmful url.
There are additional ways for that step 2 to happen, but all that come to mind require either your webserver or the users machine to be compromised, and if that's the case then session fixation is the least of either of your worries.
My logout does not seem to work.
I clear cookies like that:
foreach (Cookie cookie in _session.Cookie.GetCookies(new Uri(Session.ServerSecureURL + "/Login", UriKind.Absolute)))
{
cookie.Discard = true;
cookie.Expired = true;
}
But next time I try to login, I get the previous user's session, even though, I verified, and in the web request I see a new cookie.
Anyone had similar problems with cookies?
I Found the problem. It was not Cookie related after all.
I used wireshark to see what is sent to the server, and found out that after i logout there is only one call to the server, the one that logs me back in, but no calls to retrieve the data are made. Apparently WP7 retrieves me the old data from previous session from cache. I fixed that by adding a random data to the end of my url, and now it works perfectly. I'm still wondering what is the right way to control caching on WP7.
This:-
new Uri(Session.ServerSecureURL + "/Login", UriKind.Absolute)))
Looks a little suspect to me. I would expect it to be:-
new Uri(Session.ServerSecureURL + "/", UriKind.Absolute)))
Ordinarily cookes set in a folder (like "Login") would still have the path "/", since its usually intended that the cookies be available to the whole application.