Coldfusion Session Fixation


I need to reset the session identifier once the user logs in to the application. I have tried for several days, but I still cannot reset the jsessionid cookie, and when it does get reset, the server does not seem to recognize it. Could someone please provide some suggestions or some code examples?

The login form in login.cfm submits the user credentials to login_action.cfm. Here is the code in login_action.cfm:

<!--- Try to kill the old session cookie before logging in --->
<cfcookie name="JSESSIONID" value="0" expires="now">
<cfif IsDefined('cookie.JSESSIONID')>
    <cfheader name="Set-Cookie" value="JSESSIONID=0;expires=#GetHttpTimeString(CreateODBCDateTime(now()))#;path=/;HTTPOnly;secure=true;">
</cfif>
<cfset structclear(session)>

<!--- Authenticate via a separate server-side request so that a new session is created --->
<cfhttp url="loginverify.cfm" method="post">
    <cfhttpparam name="username" value="#form.username#" type="formfield">
    <cfhttpparam name="password" value="#form.password#" type="formfield">
</cfhttp>
<!--- Pull the JSESSIONID value out of the Set-Cookie header returned by loginverify.cfm --->
<cfset cookieval = "#MID(cfhttp.responseheader['set-cookie'][1], 12, findnocase(";", cfhttp.responseheader['set-cookie'][1])-13)#">
<!--- Hand that cookie to the browser and redirect --->
<cfheader name="Set-Cookie" value="#cfhttp.responseheader['set-cookie'][1]#">
<cfset cookie.jsessionid = cookieval>
<cflocation url="myfirstpage.cfm" addtoken="no">

Here is the code that authenticates the user in loginverify.cfm:

<!--- authenticate users --->
<!--- if user passed--->
<cfset session.gooduser = true>
<cfset session.userpermission = 1>

But it seems the session variables defined in loginverify.cfm are not recognized in login_action.cfm.

Any suggestions?

Thanks a lot.

2

There are 2 best solutions below

4

An updated version of what you're trying to accomplish can be found at:

12Robots.com - Session token rotation REVISITED (wayback link)

However, that has the issue of not cleaning up the extra sessions or carrying over any session data that you want to persist.

With session cleanup

You're not going to be able to log the user in and invalidate their session at the same time. You must invalidate their session and then in the next request, log them in. The basic flow would be something like:

  1. Process login form and make sure the user is valid
  2. Create a secure message containing the user credentials and session data to persist
  3. Invalidate the session
  4. Relocate the page to itself, with the secure message in the url
  5. With the new session created for this page request, log the user in using the credentials from the secure message

Step 3 (invalidating the session) can be done as:

<cfscript>
    // Let the old session expire almost immediately, then drop it on the server side
    session.setMaxInactiveInterval(1);
    getPageContext().getSession().invalidate();
</cfscript>
<!--- Clear the session cookies so the next request gets a brand-new id --->
<cfcookie name="jsessionid" expires="now">
<cfcookie name="cfid" expires="now">
<cfcookie name="cftoken" expires="now">

and then immediately redirect (cflocation) after that, making sure to have addtoken set to false.

You also need to make sure that the secure message is temporal and can't be used more than once. So you'll have additional database action on both sides of the redirect.

That will accomplish what you're after, but probably not as straightforward as you had hoped.

Simple alternate

Another method of preventing session fixation is to simply prevent step 2 in your reference from happening.

At the most simple, if you see jsessionid, cftoken or cfid in the URL then cfabort the request. This must be done before the application "kicks in" and sets or processes client cookies. So in Application.cfm it would be done before cfapplication, and in Application.cfc it would be done outside of any function (i.e. where you set "This.name").

You could take this further and strip out the session identifiers and cflocation to the safe URL. This could also be done from the web server using mod_rewrite, et al., to stop ColdFusion from ever seeing the harmful URL.

There are additional ways for that step 2 to happen, but all that come to mind require either your web server or the user's machine to be compromised, and if that's the case then session fixation is the least of either of your worries.
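The two-request flow from the "With session cleanup" section, written out as an added example (not code from the answer or the linked article). It assumes a hypothetical checkCredentials() function that returns a numeric user id on success, a per-application secret in application.loginSecret, and a table in which the nonce is stored and later burned (shown only as comments); hmac() and location() require CF10 or later.

```cfml
<cfscript>
// login_action.cfm: rotate the session id across two requests.
// Added example, not the answer's own code; checkCredentials() and
// application.loginSecret are assumed to exist elsewhere in the app.
secret = application.loginSecret;

if (structKeyExists(url, "msg")) {
    // Second request: ColdFusion has already created a fresh session for this
    // hit, so all we do is verify the one-time message and log the user in.
    parts = listToArray(toString(toBinary(url.msg)), "|");   // userId|issuedAt|nonce|mac
    if (arrayLen(parts) neq 4) abort;
    payload = parts[1] & "|" & parts[2] & "|" & parts[3];
    if (compare(hmac(payload, secret, "HMacSHA256"), parts[4]) neq 0) abort; // tampered
    if (dateDiff("s", parseDateTime(parts[2]), now()) gt 30) abort;          // stale
    // A real app looks the nonce (parts[3]) up in a table and deletes it here,
    // so the message cannot be replayed after its first successful use.
    session.gooduser = true;
    session.userid = parts[1];
    location(url="myfirstpage.cfm", addtoken=false);
}

// First request: validate the posted credentials under the old session id.
userId = checkCredentials(form.username, form.password);   // hypothetical helper
if (not isNumeric(userId)) location(url="login.cfm", addtoken=false);

// Build a signed, time-stamped, single-use message to carry across the redirect.
payload = userId & "|" & dateTimeFormat(now(), "yyyy-mm-dd HH:nn:ss") & "|" & createUUID();
msg = toBase64(payload & "|" & hmac(payload, secret, "HMacSHA256"));
// (insert the nonce into the table here so the second request can burn it)

// Step 3: kill the current session, clear its cookies, redirect without a token.
session.setMaxInactiveInterval(1);
getPageContext().getSession().invalidate();
</cfscript>
<cfcookie name="jsessionid" expires="now">
<cfcookie name="cfid" expires="now">
<cfcookie name="cftoken" expires="now">
<cflocation url="login_action.cfm?msg=#urlEncodedFormat(msg)#" addtoken="no">
```

Because the message is only valid for 30 seconds and its nonce is deleted on first use, a copy of the redirect URL cannot be used to log in a second time.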

1

Just wanted to add an updated answer for this discussion. Since the last comments here, Adobe has addressed session fixation automatically within CF.

If you're on CF10, or if you install CF 9.0.2, that includes it.

If you are on 9.0.1 or less (back to 8.0) there is a security hotfix which adds it: APSB11-04 (posted 2/8/2011 and updated 3/7/2011).

Note also that the technote for that fix ( http://helpx.adobe.com/coldfusion/kb/security-hotfix-coldfusion-8-8.html ) also mentions a workaround to disable the session fixation protection (and it would apply to those on 9.0.2 and 10 as well):

If you add the following JVM property, -Dcoldfusion.session.protectfixation=false, to the appropriate jvm.config for your CF instance (and restart), it will revert CF back to not adding the session fixation protection (which simply leaves your server as vulnerable to fixation attacks as it had always been).

Of course, most should want the protection, but as it does introduce some problems for some applications (not well documented, sadly), just know that it is an option to turn it off, if needed.