ColdFusion: new cfid with every refresh - coldfusion

I updated a test server from ColdFusion 10 to ColdFusion 11 30 days Enterprise trail edition with update 7.
However, every time I hit refresh in my browsers, I get a new cfid.
As a result, a valid session is not found so the login page doesn't work.
I checked the session in coldfusion admin page and my cookie in my browsers, they are both created correctly.
This is what I have in my application.cfm
<CFAPPLICATION NAME="TESTWEB"
CLIENTMANAGEMENT="Yes"
SETCLIENTCOOKIES="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
SETDOMAINCOOKIES = "No">
However, when I open the page from the host computer, then the cfid doesn't get change everytime I hit refresh, so everything works.
Any idea what can cause my problem?
EDIT:
During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed those code. The only other place would be in logout.
I am not using jsessionids, only coldFusion session id.
Timeout for all session variables is 7 days.

I have switched to using JEE session by enabling it in the ColdFusion admin. My session is now working.

I know this is an old question, but I'll leave this here to help others in case they've tried everything mentioned above and are still having issues.
Check your Cookie Samesite value.
If you've upgrading old apps to newer CF servers, to prevent Coldfusion from changing CFID and CFTOKEN on refresh or when you make an AJAX call referencing sessions or cookie variables - along with all the recommended settings stated by others above, check to following:
To set Cookie Samesite value at server level for CF 2016, 2018:
In the Coldfusion Admin Settings, Server Settings > Memory Variables > Session Cookie Settings, Set the "Cookie Samesite default value" to "-" or "LAX" (LAX is default value when NULL)
To set Cookie Samesite value at site level: For ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15
You may use the cfcookie tag.
For those on CF11 or older CF versions, you may set your response headers in IIS or Apache. I am assuming people with this issue (cfid and cftoken changing on refresh) is because they made a change to the samesite attribute and broke something. In that case, review how you've implemented SameSite Cookies and what you set that value to.
SameSite Cookies with IIS
SameSite cookies with Apache

Related

Cookies not showing httponly and secure even though settings in web.config are set

We have a site that uses first party and third party cookies. Security has pointed out that several of our cookies are not httponly and not secure. After looking the web.config file I see this:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
Hitting the site and using Google Dev Tools shows the cookies are still not marked as httpOnly or secure.
Shouldnt this setting force all first party cookies to be rendered as httpOnly and Secure? Or am I missing something? Any reason these cookies would not be httpOnly/secure? I also set this via IIS at the server level, but no change in the cookie's status.

How to secure ColdFusion cookies with HTTPOnly/ Secure attribute?

I am trying to help a company who is experiencing an issue with their ColdFusion website. The issue is a PCI scan failure due to "insecure cookies with HTTPOnly/ Secure Flag attributes".
Previously I fixed this error for 3 other cookies: JSESSIONID, CFID, CFTOKEN by editing the web.xml file; however, this time the issue is apparently with a session cookie created inside of the Application.cfm.
To be specific:
<cfapplication name="testname" sessionmanagement="Yes"
loginStorage="session" CLIENTMANAGEMENT="YES"
SESSIONTIMEOUT=#CreateTimeSpan(0,0,30,0)#>
So far I have tried following the CFApplication.html from Adobe (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html) to fix this, but have not had any luck. Any assistance or guidance is appreciated in fixing this matter. Thank you in advance!
Do you have access to the ColdFusion administrator for these sites? In the Server Settings-->Memory Variable section are universal settings for the session cookies: HTTPOnly and Secure Only. Make sure those are turned on.
In addition, do the sites use the CFCOOKIE tag. Make sure those tags are setting the 'secure' and 'httponly' attributes to TRUE.
Last, are the sites declaring COOKIE scoped vars in any CFPARAM tags/calls? If so, those will set cookies and are not secure and there is no setting I've found to make them so.

Setting JupyterHub SameSite Cookie Attribute

I have jupyterhub(TLJH) running on my AWS. It is served on my site using an iframe. Since the latest chrome update, the "SameSite" cookie attribute is causing the following issue. The below image shows what I see in the Iframe
Given below is the warning I get in my console:
A cookie associated with a cross-site resource at http://www._____.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When I disable the SameSite attribute in chrome://flags/, the iframe loads perfect.
I understand that I need to edit my cookie settings to add {SameSite=None; Secure} somewhere in jupyterhub, but I don't know where.
It looks to me as if you may be able to use the cookie_options setting to add SameSite=None; Secure to the cookies, but I am not 100% sure.
I've raised https://github.com/jupyterhub/jupyterhub/issues/3117 to ask the team to validate.
I could make it work only by making my server map to a subdomain. For example, say the main website which has the Iframe embed is www.mydomain.com, I had to map my Jupyter server to "subdomain.mydomain.com" to make it work.
It is obvious that the above approach was possible because the page I was trying to embed was owned by me. Hoping for an answer for the other scenario!
You can use jupyterhub proxy give your server a domain name like "http:***.mydomain.com" .But this must be subdomain of your site("http://www._____.com/")

JSessionID cookie being set with J2EE session variables option unchecked

I am running Coldfusion 10 Update 14 (10,0,14,291717).
Is it normal for the jsessionid cookie to be set when the "Use J2EE session variables" option is unchecked in the cfadmin.
It is being set in the response from a page that is posted to using a form with enctype set to multipart/form-data. It seems to happen with any form in our application if I change the enctype. That is the only time I see it being set. There could be other conditions that cause it to be set, but I haven't found any. It doesn't happen if the form has no enctype set. It also doesn't happen for get requests.
Should this cookie ever be set if the option is unchecked in the cfadmin?
Is it normal for it to only be set with this particular type of post request?
This happens on my development machine Mac OSX 10.9.5 and on our production server running Windows Server and IIS.
These are the response headers from the page that sets the cookie. The page does some form processing and then does a cflocation.
HTTP/1.1 302 Found
Date: Wed, 10 Dec 2014 20:42:21 GMT
Server: Apache/2.2.26 (Unix) DAV/2 mod_jk/1.2.32 mod_ssl/2.2.26 OpenSSL/0.9.8za
Set-Cookie: JSESSIONID=A61590143D1AD60644B208F25990F8FA.cfusion; Path=/; HttpOnly
Location: http://localhost/ethm/maintenanceForm/mrformv7/main.cfm?pid=home&BID=1995
Cache-Control: no-cache
Pragma: no-cache
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
More Information:
I updated my development cf to update 15 so the version is now 10,0,15,292620.
I created a new folder in my local site and put the following 2 files in the folder:
Application.cfc
component{
}
index.cfm
<form enctype="multipart/form-data" method="post" action="index.cfm">
<input type="submit" value="Go">
</form>
Then if I clear my cookies and go to that page I get no new cookies. If I submit the form I get a JSessionID cookie. I can clear it and I get a new one every time I submit the form. If I don't clear my cookies the same one stays.
We tested this for you Mat (Wil Genovese) on CF10 UPdate 15. According to Wil CF does not set J2EE session cookeies if they are disabled in the CF Admin. However if an existing j2ee session cookie exists from when they were anabled it will persist until it expires. Hopefully that helps a little.
FYI - this was not on OSX.
EDIT: More information
Further testing revealed the following Matt.
When you issue a POST using multipart/form-data this condition (a J2EE cookie set) will always occur. If you change your POST header to /application/x-www-form-urlencoded it will not be set. And a GET request will not allow it to be set.
Using this Application.cfc (adding or subtracting settings and names):
component
{
THIS.name = "je22test";
THIS.Sessionmanagement = true;
THIS.ApplicationTimeout = CreateTimeSpan(1,0,0,0);
THIS.SessionTimeout = createtimespan(0,0,20,0);
THIS.SetClientCookies = false;
}
...does not appear to have any effect. We are going to log it as a bug. I'm not sure the impact exactly. It might red flag a security scan - but you really should use rotating J2EE sessions anyway. Still, a scan might notice that it only rotates on a POST request. It would see it, then flag it (as an info warning probably) for not rotating. Not sure that's enough of a bug to fix or worry about, but lets see what Adobe says eh?
I just searched through the Adobe ColdFusion bug base and found this bug report
https://bugbase.adobe.com/index.cfm?event=bug&id=3430245
This is related to what we are seeing (if not the exact same thing) and it was "fixed" in CF10u14 and CF11u3.
However, I can verify the results you're getting, as Mark already posted, in CF10. So after I found the bug report I went and tested this in CF11u3 and found that with J2EE Session variables turned off CF11u3 always sets the jsessionid cookie.
I created a new bug report with my findings and linked to the old bug report and this forum page. However, I made the mistake of tagging it as a 'security bug' because session cookies not being properly set is technically a security issue and now it's not visible to anyone including me. That will teach me.
Regards,
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools

Coldfusion 9 cfscript cfcookie and cookie (script style)

I am trying to set my cookie CFIDE and CFTOKEN to be HTTPOnly in Coldfusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do a empty cache hard reload in Chrome. When the page reloads I should see the Resources Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works but my Application.cfc is all script style and I want to keep it that way...So how do I do this script style in Coldfusion 9?
Update for my fix:
I used the getPageContex() below, but it didn't work as it was. Also onSessionStart() event handler changed to create the session.CFID and session.CFTOKEN with the CreateUUID() which is also new in my Application.cfc file. So for posterity here is what that block of code looks like.
function onSessionStart(){
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another Note: For some reason if the session is cleared and the onsessionstart() handler is requested this set cookie stuff above will fail. There has to be a try catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched up release of Coldfusion 10 (or soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the
httponly attribute to all session cookies created by ColdFusion (such
as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To
enable this setting, if you are running a JRun J2EE installation or
multi-server installation, you must edit jvm.config, otherwise you can
enable this setting from the CF Administrator. If you are running a
J2EE server other than JRun consult your documentation for an
appropriate setting. J2EE servers that support the Servlet 3.0
specification can specify
true
in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your application.cfc inside of the onsessionstart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscripts. cfcookie is not supported in script form in cf9. There are flags in the application settings added to CF10 to address this issue, however, CF11 will have full support for it inside of scripts. Unfortunately, I think you will have to forego the uniform code for functionality. Unless you have access to your CFIDE/Administrator. You can add a java argument to turn it on server wide. Add this to your JVM config
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm