Shaun Mccran

My digital playground

02 JUL 2009

Coldfusion dropping session ID in fusebox application

I recently rolled out a beta version of a new application I've been writing, only to discover a bizarre session problem that didn't exist in dev but does in live.

I've worked it out, but I thought I'd explore it some more. It is a Fusebox 5.5 non-XML application. The error I had was that as soon as I made a call through a "new" circuit, i.e. one I hadn't called before, ColdFusion would generate a new session ID and thus invalidate my current active session.

Looking through my Application.cfc I found this line of code:

<cfset this.SetClientCookies = false />

Setting this to true fixed the issue. This is because ColdFusion relies on the CFID and CFTOKEN values to maintain session state. You can either pass these two variables through the URL on every page request, which is a bit messy, or you can use a cookie. The setting above is what allows the application to store them in a cookie on the user's browser for the duration of the session.

The problem with setClientCookies is that the cookies it writes are persistent, i.e. they are created for that session and left on the user's PC even after the session has expired or the user has left the application. Also, some users will accept per-session cookies but not persistent cookies.

They are a lot more secure as per-session cookies, as they cannot be duplicated and hacked to spoof a previous user's session, and if you pass the token through the URL it is easily changed.

You could put something like this in your onRequestEnd function in Application.cfc:

<!--- Only re-issue the cookies if ColdFusion has already set them on this client --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset cfid_local = Cookie.CFID>
    <cfset cftoken_local = Cookie.CFTOKEN>
    <!--- Re-write the same values without an expires attribute,
          so the browser keeps them only for the current session --->
    <cfcookie name="CFID" value="#cfid_local#">
    <cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>

This will make them per-session cookies. I originally thought it was something to do with the Fusebox framework, but I had overlooked the simple fact that it was still a new page request, so without a cookie the session would be lost. Although this doesn't explain why I wasn't getting this error in my development environment but did in live.

Comments
John Whish: There is an old TechNote about this you might want to read. http://kb2.adobe.com/cps/179/tn_17915.html
# Posted By John Whish | 14/07/2009 09:38
Jason Dean: @Shaun,

I'm glad people are looking more at session management and token cookie security. This is great stuff and is of great interest to me (as anyone in #ColdFusion on IRC will tell you).

I do have to point out a few things. I think these will improve your understanding of session management and improve your experience with this project.

1. As John Whish points out, there is a technote on the subject of making the CFID and CFToken cookie non-persistent. I will elaborate. You can still use this.setClientCookies=false as you were before, but instead of writing new cookies at the end of each request, you can simply write the cookies once in your onSessionStart() method. Using <cfcookie> just as you have, but use the CFID and CFToken values out of the session scope instead of out of the cookie scope. Then, by leaving off the expires= attribute, you are making them non-persistent cookies.

2. You stated: "They are a lot more secure as per-session cookies, as they cannot be duplicated and hacked to spoof a previous user's session..." This is not true. Non-persistent cookies can still be used to hijack a user's session. The way that non-persistent cookies make the experience more secure is that after the browser closes, the cookies are lost as they were stored in memory instead of persisted to the user's machine. If the session token is compromised, the session can still be hijacked up until the time that the session times out on the server, even after the user closes the browser. This is why it is also important to use SSL whenever possible.

I hope this is helpful.
# Posted By Jason Dean | 14/07/2009 16:53
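The approach Jason describes, written out as a complete Application.cfc. This is an added example, not code from the post or from either commenter; it assumes an application name of "myFuseboxApp", a 20-minute session timeout, and that the site is served over HTTPS so the cookies can be flagged secure (following the SSL point above).

```cfml
<!--- Application.cfc (added example). Assumes: app name "myFuseboxApp",
      20-minute session timeout, and HTTPS so secure="true" is honoured. --->
<cfcomponent output="false">
    <cfset this.name = "myFuseboxApp" />
    <cfset this.sessionManagement = true />
    <!--- Server-side lifetime: a stolen token keeps working until this
          expires, whether or not the browser has been closed --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0) />
    <!--- Stop ColdFusion writing its own persistent CFID/CFTOKEN cookies --->
    <cfset this.setClientCookies = false />

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Write the identifiers once, when the session is created, taking
              the values from the session scope rather than the cookie scope.
              No expires= attribute, so the browser keeps them in memory only
              and discards them when it closes (a non-persistent cookie).
              secure="true" keeps them off plain-HTTP requests. --->
        <cfcookie name="CFID" value="#session.cfid#" secure="true" />
        <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="true" />
    </cffunction>
</cfcomponent>
```

Because the cookies are written in onSessionStart, no per-request rewrite in onRequestEnd is needed; any request that arrives without them simply starts a fresh session.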
Shaun McCran: Jason, thanks for the clarification on the non-persistent cookie point. I much prefer your solution to the setClientCookies value, it just didn't feel right setting it to true, writing new cookies per request seems like an extra undue overhead. I'll build this into the FuseBox framework and see how it works out.
# Posted By Shaun McCran | 15/07/2009 10:13
saritha: I got the same problem. My session variables are dropping and cfid & cftoken are changing consequently, when I refresh the page. I tried both ways as you said and as Jason. But nothing worked for me.

I am using application.cfc and fusebox framework. Any help is appreciated.
# Posted By saritha | 06/08/2010 22:50
saritha: I forgot to mention one more thing. This is happening only in IE.
# Posted By saritha | 06/08/2010 22:53
Shaun McCran: Hi,
It sounds like you have a persistent scope in memory with an error in it. Have you tried stopping and starting your ColdFusion service?
# Posted By Shaun McCran | 07/08/2010 08:26
saritha: Hi Jason,
I have restarted the CF services & IIS, but no luck. It is behaving the same in IE. I am using ColdFusion MX 7; do you think it's because of the MX 7 version?
# Posted By saritha | 09/08/2010 21:01