JSessionID cookie being set with J2EE session variables option unchecked - coldfusion

I am running Coldfusion 10 Update 14 (10,0,14,291717).
Is it normal for the jsessionid cookie to be set when the "Use J2EE session variables" option is unchecked in the cfadmin.
It is being set in the response from a page that is posted to using a form with enctype set to multipart/form-data. It seems to happen with any form in our application if I change the enctype. That is the only time I see it being set. There could be other conditions that cause it to be set, but I haven't found any. It doesn't happen if the form has no enctype set. It also doesn't happen for get requests.
Should this cookie ever be set if the option is unchecked in the cfadmin?
Is it normal for it to only be set with this particular type of post request?
This happens on my development machine Mac OSX 10.9.5 and on our production server running Windows Server and IIS.
These are the response headers from the page that sets the cookie. The page does some form processing and then does a cflocation.
HTTP/1.1 302 Found
Date: Wed, 10 Dec 2014 20:42:21 GMT
Server: Apache/2.2.26 (Unix) DAV/2 mod_jk/1.2.32 mod_ssl/2.2.26 OpenSSL/0.9.8za
Set-Cookie: JSESSIONID=A61590143D1AD60644B208F25990F8FA.cfusion; Path=/; HttpOnly
Location: http://localhost/ethm/maintenanceForm/mrformv7/main.cfm?pid=home&BID=1995
Cache-Control: no-cache
Pragma: no-cache
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
More Information:
I updated my development cf to update 15 so the version is now 10,0,15,292620.
I created a new folder in my local site and put the following 2 files in the folder:
Application.cfc
component{
}
index.cfm
<form enctype="multipart/form-data" method="post" action="index.cfm">
<input type="submit" value="Go">
</form>
Then if I clear my cookies and go to that page I get no new cookies. If I submit the form I get a JSessionID cookie. I can clear it and I get a new one every time I submit the form. If I don't clear my cookies the same one stays.

We tested this for you Mat (Wil Genovese) on CF10 UPdate 15. According to Wil CF does not set J2EE session cookeies if they are disabled in the CF Admin. However if an existing j2ee session cookie exists from when they were anabled it will persist until it expires. Hopefully that helps a little.
FYI - this was not on OSX.
EDIT: More information
Further testing revealed the following Matt.
When you issue a POST using multipart/form-data this condition (a J2EE cookie set) will always occur. If you change your POST header to /application/x-www-form-urlencoded it will not be set. And a GET request will not allow it to be set.
Using this Application.cfc (adding or subtracting settings and names):
component
{
THIS.name = "je22test";
THIS.Sessionmanagement = true;
THIS.ApplicationTimeout = CreateTimeSpan(1,0,0,0);
THIS.SessionTimeout = createtimespan(0,0,20,0);
THIS.SetClientCookies = false;
}
...does not appear to have any effect. We are going to log it as a bug. I'm not sure the impact exactly. It might red flag a security scan - but you really should use rotating J2EE sessions anyway. Still, a scan might notice that it only rotates on a POST request. It would see it, then flag it (as an info warning probably) for not rotating. Not sure that's enough of a bug to fix or worry about, but lets see what Adobe says eh?

I just searched through the Adobe ColdFusion bug base and found this bug report
https://bugbase.adobe.com/index.cfm?event=bug&id=3430245
This is related to what we are seeing (if not the exact same thing) and it was "fixed" in CF10u14 and CF11u3.
However, I can verify the results you're getting, as Mark already posted, in CF10. So after I found the bug report I went and tested this in CF11u3 and found that with J2EE Session variables turned off CF11u3 always sets the jsessionid cookie.
I created a new bug report with my findings and linked to the old bug report and this forum page. However, I made the mistake of tagging it as a 'security bug' because session cookies not being properly set is technically a security issue and now it's not visible to anyone including me. That will teach me.
Regards,
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools

Related

ColdFusion: new cfid with every refresh

I updated a test server from ColdFusion 10 to ColdFusion 11 30 days Enterprise trail edition with update 7.
However, every time I hit refresh in my browsers, I get a new cfid.
As a result, a valid session is not found so the login page doesn't work.
I checked the session in coldfusion admin page and my cookie in my browsers, they are both created correctly.
This is what I have in my application.cfm
<CFAPPLICATION NAME="TESTWEB"
CLIENTMANAGEMENT="Yes"
SETCLIENTCOOKIES="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT = "#CreateTimeSpan(7,0,0,0)#"
SETDOMAINCOOKIES = "No">
However, when I open the page from the host computer, then the cfid doesn't get change everytime I hit refresh, so everything works.
Any idea what can cause my problem?
EDIT:
During login, I had code that set cfid/cftoken to cookie, but since I changed to SETCLIENTCOOKIES="Yes", I removed those code. The only other place would be in logout.
I am not using jsessionids, only coldFusion session id.
Timeout for all session variables is 7 days.
I have switched to using JEE session by enabling it in the ColdFusion admin. My session is now working.
I know this is an old question, but I'll leave this here to help others in case they've tried everything mentioned above and are still having issues.
Check your Cookie Samesite value.
If you've upgrading old apps to newer CF servers, to prevent Coldfusion from changing CFID and CFTOKEN on refresh or when you make an AJAX call referencing sessions or cookie variables - along with all the recommended settings stated by others above, check to following:
To set Cookie Samesite value at server level for CF 2016, 2018:
In the Coldfusion Admin Settings, Server Settings > Memory Variables > Session Cookie Settings, Set the "Cookie Samesite default value" to "-" or "LAX" (LAX is default value when NULL)
To set Cookie Samesite value at site level: For ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15
You may use the cfcookie tag.
For those on CF11 or older CF versions, you may set your response headers in IIS or Apache. I am assuming people with this issue (cfid and cftoken changing on refresh) is because they made a change to the samesite attribute and broke something. In that case, review how you've implemented SameSite Cookies and what you set that value to.
SameSite Cookies with IIS
SameSite cookies with Apache

Disappearing session cookie - django

I have a weird problem in one of my sites. The site uses Django, but I have no idea if this is a Django issue, or browser issue or something else.
Normally, when a user visits my site a browser-session cookie is set. Then, when the user decides to log in he may set the 'remember me' option which makes the cookie change into a fixed expiration cookie (1 week). I think it's a typical behaviour.
The problem is the session cookie sometimes disappears completely, or - what's even more strange - it's replaced by the older browser-session cookie.
I added a middleware in my app, to monitor all the requests and responses and log them into a file. This way I can give the following example:
user visits my site at 17:29:13 - my app sends back a cookie:
Set-Cookie: sessionid=o1idvjhnf2dgx0c1df7p7pyth1ya1byc; Path=/
then he logs in at 17:30:36 - again a new cookie is sent:
Set-Cookie: sessionid=bjjsxcqceghlx7521vikq3kob1d1fidy; expires=Wed, 18-Jun-2014 17:30:36 GMT; Max-Age=604800; Path=/
he actively spends some time on my website, and then, suddenly a request comes at 17:51:13 having sessionid cookie set to o1idvjhnf2dgx0c1df7p7pyth1ya1byc. All the other cookies (csrftoken, __utmXXX) remain unchanged. Only sessionid reverted back to the old value, which IMO should've been forgotten for a long time.
And from the user's POV he's been logged out.
As far as I can tell this problem occurs in various browsers - this one, above, was in Firefox, but I have a IE11 user complaining about this problem (losing session randomly).
As said above - the session cookie not always reverts back to browser-session cookie - sometimes it just disappears, while again all the remaining cookies (csrftoken etc) are left intact.
I can't reproduce this problem on my computer, so I ask here if you ever experienced any problem like this and can suggest any explanation.
I'm using Django 1.5, with mostly standard session settings except:
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

logging in to umbraco 6.1 backend doesn't work anymore, keep getting errors and redirect back to login.aspx page

after nog using the backend of our umbraco website for a few months I started developing for our website again. As the website was being used by some people, I decided to use a staging environment.
So I moved all my files and finally got the database also cloned.
But now whenever I try to login to the backend of umbraco (in the live and the staging environment) I get a javascript error in my firebug console:
{"Message":"The user has no umbraco contextid - try logging in","StackTrace":" at Umbraco.Web.Security.WebSecurity.ValidateCurrentUser(HttpContextBase httpContext, Boolean throwExceptions)\r\n at Umbraco.Web.Security.WebSecurity.AuthorizeRequest(HttpContextBase httpContext, Boolean throwExceptions)\r\n at Umbraco.Web.WebServices.UmbracoAuthorizedWebService.AuthorizeRequest(Boolean throwExceptions)\r\n at Umbraco.Web.WebServices.UmbracoAuthorizedWebService.AuthorizeRequest(String app, Boolean throwExceptions)\r\n at umbraco.presentation.webservices.TreeClientService.GetInitAppTreeData(String app, String treeType, Boolean showContextMenu, Boolean isDialog, TreeDialogModes dialogMode, String functionToCall, String nodeKey)","ExceptionType":"System.InvalidOperationException"}
As suggested in other posts, I delete my cookies and try again, but no luck.
I also get some other errors from time to time:
uiKeys is undefined
I uploaded my umbraco/config/lang folder using Binary, but I still get the error sometimes
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
I added this to my web.config
<pages enableEventValidation="false" validateRequest="false" viewStateEncryptionMode ="Never" />
and the error seems gone
I also got some error about synthax in the document type declaration at the start of the logout page which I get redirected to
I have been at this for several hours and can't seem to fix it.
Locally loggin in works.
Edit
I just did a fresh install of 6.1.6 and 6.1.5 and tried to logon but I still get the error:
http://staging.mydomaimn.com/umbraco/webservices/TreeClientService.asmx/GetInitAppTreeData 500 Internal server error:
{"Message":"The user has no umbraco contextid - try logging in","StackTrace":" at Umbraco.Web.Security.WebSecurity.ValidateCurrentUser(HttpContextBase httpContext, Boolean throwExceptions)\r\n at Umbraco.Web.Security.WebSecurity.AuthorizeRequest(HttpContextBase httpContext, Boolean throwExceptions)\r\n at Umbraco.Web.WebServices.UmbracoAuthorizedWebService.AuthorizeRequest(Boolean throwExceptions)\r\n at Umbraco.Web.WebServices.UmbracoAuthorizedWebService.AuthorizeRequest(String app, Boolean throwExceptions)\r\n at umbraco.presentation.webservices.TreeClientService.GetInitAppTreeData(String app, String treeType, Boolean showContextMenu, Boolean isDialog, TreeDialogModes dialogMode, String functionToCall, String nodeKey)","ExceptionType":"System.InvalidOperationException"}
This is on a fresh install that never had logins before
Perhaps the problem is with the database setup. My host uses MSSQL 2012 and I have two databases, the first is for the live version which is called 'myloginname' and the second is for the staging which is called 'myloginname_1'.
is the _1 a problem when placing the logon in the database (which I read Umbraco does)?
Edit 2
just looked in my database and Umbraco does create a contextId in the db table 'umbracoUserLogins' but does not create the cookie which should contain the same 'UMB_UCONTEXT'
so this is probably my real problem, what could be causing this?
Edit: some more info on this:
When I look in Fiddler I can see this:
On the 'Raw' tab:
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html;
charset=utf-8 Location: /umbraco/ Set-Cookie:
ASP.NET_SessionId=zjlqfoxq421wmnpeydcbxv1t; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=zjlqfoxq421wmnpeydcbxv1t; path=/;
HttpOnly Set-Cookie: UMB_UCONTEXT=694C3[...a lot of text...]CFDD5EDB;
expires=Tue, 12-Nov-2013 14:07:23 GMT; path=/; HttpOnly Date: Mon, 11
Nov 2013 14:07:23 GMT Content-Length: 126
The cookie tab shows:
Response sent 1318 bytes of Cookie data: Set-Cookie:
UMB_UCONTEXT=694C3[...a lot of text...]D5EDB; expires=Tue, 12-Nov-2013
14:07:23 GMT; path=/; HttpOnly This response did not contain a P3P
Header.
So we can conclude:
the expiration time and date are correct
there is a 302 error, but this seems to be for all cookies and the
other two mentioned are created (I'm confused about this)
perhaps the P3P headers are an issue?
I was able to fix this.
The reason why the UMB_UCONTEXT cookie wasn't created was that I fixed the error
Validation of viewstate MAC failed. If this application is hosted by a
Web Farm or cluster, ensure that configuration specifies the same
validationKey and validation algorithm. AutoGenerate cannot be used in
a cluster.
the wrong way. As How To Fix the: “Validation of viewstate MAC failed” Error (ASP.NET MVC) shows, I needed to create a random machinekey and add it to my web.config

Conflicting cookie results on Chrome

Below, Chrome shows a cookie on current page by viewing Inspect->Resources->Cookies, but why is there nothing by reading "document.cookie".
#EDIT
The cookie is firstly returned from the server via Set-Cookie: JSESSIONID=01E9...; Path=/myUrl/.
It's intended to remove the cookie on the client but fails. Probably the trailing "/" of the cookie path has caused this nasty issue.
#EDIT 2
The "problematic" cookie is set to HttpOnly by the server, so client scripting can neither change, remove nor read it. This resource protecting your cookies explains the reasons. BTW, Chrome devtools can do nothing more than either view or clear it.

Safari doesn't set Cookie but IE / FF does

I found a strange cookie problem on safari. If you surf to http://2much.ch you can enter with FF/IE and surf inside the site.
But if you use safari, you can enter only once; you can't surf inside the site. I found that Safari doesn't set the entered cookie, but FF/IE does.
What is wrong here?
It looks like you hit a Safari bug here; you are redirecting any visiting browser to /entry while setting the cookie at the same time, and Safari is ignoring the Set-Cookie header when encountering the 302 HTTP status:
$ curl -so /dev/null -D - http://4much.schnickschnack.info/
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.61
Date: Sun, 19 Jul 2009 12:20:49 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 14260
Content-Language: de
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Location: http://4much.schnickschnack.info/entry
Set-Cookie: colorstyle="bright"; Path=/; Expires=1248092449.12
Set-Cookie: _ZopeId="73230900A39w5NG7q4g"; Path=/
Technically, this would be a bug in Apple's Foundation Classes, I've found a WebKit bug that states this is the case.
I suppose the workaround is to set the cookie not in index_html but in entry instead.
In the intervening years since I first answered this question, this issue now appears solved, at least it was for Safari 6 when someone tested all major browsers for Set-Cookie support on 302 redirects in 2012.
A month ago, I ran into this issue. At first I thought it was a corrupted cookie jar as I could clean out the cookies and go.
However, it popped up again. This time I spent an hour going through it, watching what was sent, reviewing what safari sent back, and I found the problem.
In this case, I had an array of cookie values being sent to the browser after login prior to the redirect. The values looked something like 'user id', 'user full name', 'some other id', etc.
( yes, the id's are encrypted so no worries there )
My user full name was actually in a <lastname>, <firstname> format.
When safari was posting the cookie back to the server, everything after the comma after the lastname was dropped. It was only posting back values up to that point.
When i removed the comma the rest of the values started working just fine.
So it appears that if you send a cookie value that contains a comma, then safari doesn't properly escape that in it's internal storage. Which leads me to think that if they aren't properly escaping commas, then there are probably some security issues with safari's cookie handling code.
Incidentally, this was tested on Win 7 x64 with safari 4.0.5. Also I put up a web page at: http://cookietest.livelyconsulting.com/ which shows this exact problem.(I removed that test site)
IE, FF, and chrome all correctly set the cookie. safari does not.
Looks like this is no longer an issue. See http://blog.dubbelboer.com/2012/11/25/302-cookie.html
We've run into a very similar issue where Safari (v. 7.0.6) would ignore a cookie. The cookie header looked perfectly fine, almost identical to another cookie which was remembered.
It turned out that the culprit was the previous cookie header having a malformed expires value. Safari's handling of broken cookie headers is evidently not as robust as that of the other browsers.
I ran into same issue with Chrome. Chrome doesn't ignore the set-cookie header while you are redirecting, but you never know the order (set cookie first or redirect first). Here is something I have tried:
I have a website, which supports English and French. I implemented it (with php) this way:
localhost has a link to localhost/fr (which set-cookie to French and redirect to localhost). It works. (set cookie first)
localhost/path1 has a link to localhost/fr?return=/path1 (which set-cookie to French and redirect to localhost/path1). It doesn't work. (redirect first, the language didn't change)
localhost/path1 has a link to localhost/fr?return=www.google.com (which set-cookie to French and redirect to google). When I came back to my website again, it's in French. (which means set-cookie to French is not ignored, only executed after redirect)
Hope I make myself clear, English is a foreign language to me.
After a great deal of pain, I found out that Safari (15.3) actually does save and my cookie, but it never displayed in developer tools storage -> cookies, but it works fine.
Here's the cookie I create and return in a Netlify function.
const secureCookie = cookie.serialize('jwtToken', JSON.stringify(jwtToken), {
secure: process.env.CONTEXT !== 'dev',
domain: process.env.CONTEXT === 'dev' ? 'localhost' : '.domain.com',
httpOnly: true,
sameSite: true,
expires: new Date(Date.now() + (1000 * jwtToken.expires_in))
})
and netlify function return
return {
statusCode: 200,
headers: {
"Cache-Control": "no-cache",
},
multiValueHeaders: {
"Set-Cookie": [secureCookie],
},
body: JSON.stringify(body),
}