How to overwrite CFID/CFTOKEN in ColdFusion 10? - cookies

In order to log out a user, I have always used the following lines:
<cfset structClear(SESSION)>
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">
It clears the data kept in the session at runtime and resets/renews CFID and CFTOKEN.
It still works on our old server (ColdFusion 8), but it no longer works on our new server (ColdFusion 10). The reason this attempt fails in ColdFusion 10 is rather simple: whenever I try to overwrite CFID or CFTOKEN (with <cfcookie>), the cookie is placed on the top domain, e.g.:
Cookie set via <cfcookie> on ColdFusion 10:
domain: .myserver.com
while ColdFusion places its session cookies on the actual (sub)domain:
Generated CFID/CFTOKEN by ColdFusion 10:
domain: mywebsite.myserver.com
The funny thing is: If I set something like:
<cfcookie name="TEST" value="..." expires="NEVER">
the cookie is correctly set with:
domain: mywebsite.myserver.com
And I can easily clear the cookie using:
<cfcookie name="TEST" value="" expires="NOW">
I tried to use the domain property, but this:
<cfcookie name="CFID" value="" domain="mywebsite.myserver.com" expires="NOW">
always ends up as:
domain: .mywebsite.myserver.com
(notice the dot in front) and thus is not recognized as the same cookie.
Another strange thing is that using:
<cfcookie name="CFID" value="" expires="NOW">
does not just generate a cookie with the wrong domain; the cookie is also kept instead of being deleted as expired.
I checked the server settings for cookies on the ColdFusion 10 machine, and the property "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked.
Can anyone help me with this strange case?

There has already been some in-depth discussion about the behavior of <cfcookie> related to domains. The following posts mention that the workaround seems to be using <cfheader> to work with the cookies:
ColdFusion 10 CFCookie not honoring domain attribute
why doesn't cfcookie allow setting domain= to a subdomain for CFID/CFTOKEN?
After posting that question Henry actually entered a bug with Adobe on it:
https://bugbase.adobe.com/index.cfm?event=bug&id=3593673
You can add your comments/vote to the bug.
While I believe these references answer your questions regarding the <cfcookie> behavior that you are seeing, if you are only concerned with "expiring" the user's session then Scott's answer gives you a better way to invalidate the user's current session than manually setting the cookies.

In ColdFusion 10, you can use sessionInvalidate() to accomplish this. You will not need to worry about removing the cookies either.
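To show why the logout in the question leaves the session alive, here is an added Python model of how a browser stores cookies (RFC 6265: a cookie's identity is name, domain and path, and a cookie without a Domain attribute is host-only). It is not ColdFusion code from the question; the hostnames are the ones in the post, the CFID/CFTOKEN values are constructed, and the IE quirk from the related question below is deliberately not modelled.

```python
from typing import Dict, List, Optional, Tuple


class CookieJar:
    """Minimal RFC 6265 cookie store: domain cookies vs host-only cookies."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str, str], dict] = {}  # key: (name, domain, path)

    def set_cookie(self, request_host: str, name: str, value: str,
                   domain: Optional[str] = None, expired: bool = False) -> None:
        # No Domain attribute -> host-only cookie keyed on the exact request host.
        # A Domain attribute -> domain cookie; a leading dot is ignored (RFC 6265 5.2.3).
        host_only = domain is None
        dom = request_host if host_only else domain.lstrip(".").lower()
        key = (name, dom, "/")
        if expired:
            self.store.pop(key, None)  # only a cookie with the SAME key is removed
            return
        self.store[key] = {"value": value, "host_only": host_only}

    def cookies_for(self, request_host: str) -> List[Tuple[str, str]]:
        """Name/value pairs the browser would send to request_host."""
        sent = []
        for (name, dom, _path), c in sorted(self.store.items()):
            if c["host_only"]:
                match = request_host == dom
            else:
                match = request_host == dom or request_host.endswith("." + dom)
            if match:
                sent.append((name, c["value"]))
        return sent


def logout_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    host = "mywebsite.myserver.com"
    jar = CookieJar()
    # ColdFusion 10 issues CFID/CFTOKEN as host-only cookies on the subdomain.
    jar.set_cookie(host, "CFID", "4821")          # constructed sample values
    jar.set_cookie(host, "CFTOKEN", "93857261")
    # The <cfcookie expires="NOW"> from the question is scoped to .myserver.com,
    # so its key differs and the live session cookies survive the "logout".
    jar.set_cookie(host, "CFID", "", domain=".myserver.com", expired=True)
    jar.set_cookie(host, "CFTOKEN", "", domain=".myserver.com", expired=True)
    after_wrong_scope = jar.cookies_for(host)
    # A deletion with the same scope (host-only, same host) does remove them.
    jar.set_cookie(host, "CFID", "", expired=True)
    jar.set_cookie(host, "CFTOKEN", "", expired=True)
    return after_wrong_scope, jar.cookies_for(host)
```

Because the browser keeps sending the original CFID/CFTOKEN, the server-side session stays valid; sessionInvalidate() sidesteps the cookie-scope problem by destroying the session itself.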

Related

Using ColdFusion's SESSION scope in a subdomain - Internet Explorer behaviour

I've got a ColdFusion 9 application set up on a certain domain example.com,
and another one set up on a subdomain of it, subdomain.example.com.
In Application.cfc, both apps have session management enabled and host-specific (not domain-specific) cookies:
SessionManagement = true;
SetDomainCookies = false;
When using IE, the first visit to example.com will set a pair CFID;CFTOKEN. But it is a known behaviour that IE will send these cookies to all nested subdomains if the DOMAIN attribute of the cookie is not specified (Internet Explorer Cookie FAQ, Q3).
Unfortunately, this is the case with the SESSION scope. The following screenshot proves how the cookies sent to/from IE have no domain attribute set:
This is causing unexpected behaviour, as the application on subdomain.example.com will receive two different pairs of CFID and CFTOKEN (from both example.com and subdomain.example.com). ColdFusion will interpret this as an invalid answer from the browser and will generate a new pair of tokens, thus finishing the previous session.
One solution I can think of is replacing the functionality of SESSION with CFCOOKIE, always specifying the domain, e.g. <cfcookie name="foo" value="bar" domain="#CGI.SERVER_NAME#" />
Any other solutions?
Or a way of specifying the domain for the cookies that the SESSION scope sets?

Coldfusion 9 cfscript cfcookie and cookie (script style)

I am trying to set my cookies CFID and CFTOKEN to be HttpOnly in ColdFusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do an empty-cache hard reload in Chrome. When the page reloads I should see the Resources > Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works, but my Application.cfc is all script style and I want to keep it that way... So how do I do this script style in ColdFusion 9?
Update for my fix:
I used the getPageContext() below, but it didn't work as it was. Also, the onSessionStart() event handler was changed to create session.CFID and session.CFTOKEN with CreateUUID(), which is also new in my Application.cfc file. So for posterity, here is what that block of code looks like.
function onSessionStart(){
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another note: for some reason, if the session is cleared and the onSessionStart() handler is requested, this set-cookie stuff above will fail. There has to be a try/catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched-up release of ColdFusion 10 (or the soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the httponly attribute to all session cookies created by ColdFusion (such as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To enable this setting, if you are running a JRun J2EE installation or multi-server installation, you must edit jvm.config, otherwise you can enable this setting from the CF Administrator. If you are running a J2EE server other than JRun consult your documentation for an appropriate setting. J2EE servers that support the Servlet 3.0 specification can specify true in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your Application.cfc inside of the onSessionStart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscript. cfcookie is not supported in script form in CF9. There are flags in the application settings added to CF10 to address this issue; however, CF11 will have full support for it inside of script. Unfortunately, I think you will have to forgo the uniform code for functionality, unless you have access to your CFIDE/Administrator, in which case you can add a Java argument to turn it on server-wide. Add this to your JVM config:
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm

How do I secure CFID for PCI compliance?

We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin.
I don't really know why the CFID being predictable is a threat, but they want us to fix it.
I have been unable to find anything on the matter by googling, and I'm really not sure what else to do.
Has anyone else dealt with something like this? Any suggestions?
EDIT: Here is what my Application.cfc file looks like:
<cfcomponent output="false">
<cfset this.name="DatabaseOnline">
<cfset this.sessionManagement=true>
<cfset this.setDomainCookies=true>
<cfset this.setClientCookies=true>
<cfset this.sessionTimeOut=#CreateTimeSpan(0,20,0,0)#>
</cfcomponent>
And my CF admin looks like this: http://i.imgur.com/k9OZH.png
So how do I disable CFID?
Using J2EE session variables should address that problem.
To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.
You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html
Explain to the scanning agent that the CFID is sequential, but is not valid without a corresponding CFTOKEN cookie which is randomized. Since the session cannot be hijacked with the ID alone, it mitigates the reason for the scan failure. Their automated test assumes that the CFID cookie controls the session on its own, which is not the case. Every scanning vendor that I've worked with has accepted this as a mitigating factor and either disabled or overridden that specific test for me on CF-based sites.
Alternately, if none of the sites on the CF server use session variables, you can disable session management entirely and CF won't issue the cookies at all. If they are needed, the above explanation of how CF sessions are managed should get you through.

Coldfusion uses wrong (cached?) variables at random

We have a dedicated server running CentOS and Coldfusion 8.
All cfmail email is routed through Google with cfmail and smtp.
Every now and then, when cfmail is used, the 'FROM' field uses an address from a totally different website.
For instance:
Use form on Site A
Get an email: "Subject: On Site A From: siteb#siteb.com"
Where the from address is a completely different variable in another set of code on another part of the server; there is no reason it should see this.
On the other side, sometimes sending an email to sitea#sitea.com has email wind up in Site B inbox, a completely different Google account.
What causes this to happen? Some kind of memory/cache issue? Or is there a funky DNS record causing issue?
Example:
Application.cfm (starts with some UDF includes, and then):
<cfinvoke component="#request.componentPath#.variables" method="getGlobal" />
Variables.cfc (a lot of variables defined within, but here is the cfmail vars):
<cffunction name="getGlobal" access="public" output="false" returntype="void">
<cfscript>
request.siteEmail = "email#mysite.com";
request.siteMailServer = "smtp.gmail.com";
request.siteMailUsername = "root#mysite.com";
request.siteMailPassword = "[redacted]";
</cfscript>
</cffunction>
It sounds like it's possible it could be a var scoping issue, but we can't know for sure until you share some code...
Looks like you're running multiple sites? There's a setting in the CF Caching page in the Administrator to do with caching web server paths.
From http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WSc3ff6d0ea77859461172e0811cbf3638e6-7ffc.html :
Disabling the cacheRealPath attribute: To ensure that ColdFusion always returns pages from the correct server, disable Cache Web Server Paths in the Caching page of the ColdFusion Administrator. (When you use the multiserver configuration, set the cacheRealPath attribute to false for the ProxyService in the jrun_root/servers/servername/SERVER-INF/jrun.xml file.)
Might not be it, but it's at least quick to try out.

Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly.
We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.
Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.
Any suggestions?
Related Question: Setting Secure flag for HTTPS cookies.
From: http://www.petefreitag.com/item/764.cfm
Running CF 8 or Lower and using Application.cfc
<cfcomponent>
<cfset this.sessionmanagement = true>
<cfset this.setclientcookies = false>
<cffunction name="onSessionStart">
<!--- Send the session cookies ourselves so the HttpOnly flag is present from the first response --->
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cffunction>
</cfcomponent>
Make sure you have setclientcookies = false specified.
If Using Application.cfm
If you are still using an Application.cfm file, you can use the following:
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken")>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
First, a warm welcome to all PCI DSS refugees! Appscan, Webinspect, Hailstorm and NTOSpider fugitives are also invited. Take a seat right over here, I have cake for you:
While too late for Peter, it is in fact possible to have JRun generate HTTPOnly (and secure) cookies from the start as he asked. Look for the jrun-web.xml file. It will probably be in a directory like
C:\JRun4\servers\servername\cfusion-ear\cfusion-war\WEB-INF\.
You have to add the following to the cookie-config section:
<cookie-config>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If your site is HTTPS, you should also enable the secure cookie option. But be careful: it's server-wide, not application-specific, so it may not be suitable for your shared environment:
<cookie-config>
<cookie-secure>true</cookie-secure>
<cookie-path>/;HttpOnly</cookie-path>
</cookie-config>
If you are not stuck on MX7 or CF8, there is an official setting for this in CF 9.0.1: -Dcoldfusion.sessioncookie.httponly
I've tested this on ColdFusion MX7 and it works as expected. Dodged Appscan I did.
The goal is for the first request to be secure (and pass the scanning), so if this post covers that then it will solve the problem.
Correct me if I'm wrong, but it sounds like you need to redirect to HTTPS if a request comes in over HTTP. Can you not catch this with a URL rewriting rule, before the request is sent to ColdFusion at all?
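The HttpOnly answers above, the PCI "predictable CFID" question and the JRun cookie-config fix all come down to what the Set-Cookie headers actually contain, so here is an added Python audit (not from any post on this page) that parses Set-Cookie values and reports the flags and value shapes a scanner would object to. The sample headers are constructed, and the CFTOKEN length threshold and the numeric-CFID heuristic are my own assumptions rather than scanner rules.

```python
from typing import Dict, List, Tuple

SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; bare flags such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, over_https: bool = True) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means it passed."""
    name, value, attrs = parse_set_cookie(header)
    upper = name.upper()
    if upper not in SESSION_COOKIES:
        return []  # only session cookies are audited here
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if upper == "CFID" and value.isdigit():
        findings.append(f"{name}: numeric, sequential-looking value")
    if upper == "CFTOKEN" and (value.isdigit() or len(value) < 32):
        findings.append(f"{name}: short or numeric token (UUID setting off?)")
    return findings


def audit_response(headers: List[str], over_https: bool = True) -> List[str]:
    """Audit every Set-Cookie header of one response, in order."""
    return [f for h in headers for f in audit_set_cookie(h, over_https)]


# Constructed samples: a default CF8-style response, and one using J2EE session
# variables with the HttpOnly and Secure settings from the answers above enabled.
LEGACY_RESPONSE = ["CFID=4821;path=/", "CFTOKEN=93857261;path=/"]
HARDENED_RESPONSE = ["JSESSIONID=constructed0000000000000001; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["OK"])
```

Run it against the headers captured from the first response of a fresh session, since that is the response the scanners in these questions judge.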