
ColdFusion Session Fixation Bug

Jul 3, 2012 1:11 PM

Tags: #problem #9 #session #coldfusion #9.0.1 #fixation #hotfixes

Hello all,

 

I'm currently running ColdFusion 9.0.1 on a Windows Server 2008 R2 with IIS7, with the Cumulative Hotfix 2 installed.  For the past couple of months we've been running into major problems with users losing their sessions on our web applications.   This problem only started occurring once I installed the hotfixes...Here is a quick timeline of events:

 

- Running ColdFusion 9.0 with no hotfixes for many years...Everything working great.

- Installed hotfix APSB12-06 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).  This caused problems with sessions.

- Uninstalled ColdFusion altogether, reinstalled ColdFusion 9.0.  Sessions were back to normal and working great, as they had been for years.

- Upgraded to CF 9.0.1.  Session problems started again.

- Cumulative hotfix 2 says that it fixes the session fixation bug for 9.0.1.  Installed this successfully, but sessions are still not working correctly.

 

 

It appears that the only users that this affects are IE users.  No particular version, but it seems to be mainly 7, 8, and 9 that are having trouble (may just be the most common IE versions that visit our sites...).  Haven't changed anything with the code...These are web apps that have worked for almost ten years now.  I've been having the system send me debugging information that dumps the session and cookie scopes to my email whenever a user logs in or logs out.  It definitely shows signs of session loss, and new session ID and cftoken IDs are being assigned every time a user navigates to a new page.

 

I can always revert back to my original CF 9.0 installation to fix this, but then my server has a huge security hole in it that the hotfixes were supposed to solve.  It seems I'm screwed here...Is anyone else having this problem?  Is there anything I can do?  Can anyone see any reason why I should continue to use Adobe's products given that their hotfixes aren't fixing any of my problems, but instead are making them worse?

 

Any information would be greatly appreciated...Thank you.

 
Replies
  • Jul 3, 2012 11:23 PM   in reply to wcx08

    wcx08 wrote:

     

    - Running ColdFusion 9.0 with no hotfixes for many years...Everything working great.

    - Installed hotfix APSB12-06 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).  This caused problems with sessions.

    [...]

    new session ID and cftoken IDs are being assigned every time a user navigates to a new page.

     

    Hi wcx08,

     

    Is the code manually setting the CFID/CFTOKEN cookies, as described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour

     

    Meaning, is "Use J2EE Session Variables" disabled, and is setclientcookies=false?

     

    Thanks,

    -Aaron

     
  • Jul 4, 2012 3:13 PM   in reply to wcx08

    If you have JEE sessions enabled then you do NOT need to set cookie variables manually. Setting them manually, as that article states, is only for CF session tokens because they were not set as session cookies.

     

    Also, as I understand it, the session fixation fixes they made in the security update only affected CF session tokens. JEE tokens never had the problem that they were trying to fix.

     

    I also noticed that the link you provided above to the hotfix points to hotfix APSB12-06 which, as far as I can tell, has nothing to do with the session fixation bug.

     

    jason

     
  • Jul 4, 2012 5:33 PM   in reply to wcx08

    wcx08 wrote:

     


    Upgraded to CF 9.0.1.

    Hi wcx08,

     

    Did you try CF 9.0.2?  It's a full installer w/ all CF 9.0.1 hotfixes, just w/o Verity.

     

    Thanks,

    -Aaron

     
  • Jul 4, 2012 11:06 PM   in reply to wcx08

    Hi

     

    You can add -Dcoldfusion.session.protectfixation=false in jvm arguments.

     

    Shilpi

    ColdFusion Server Team

     
  • Jul 5, 2012 12:28 AM   in reply to Shilpi Khariwal

    What does that setting do and what are the broader ramifications (if any) of setting it, Shilpi?

     

    It seems like a curious way to "fix" an issue an individual is having on their CF install?  What I mean is what is it about WCX08's install that they should have this setting set, that my install (also CF 9.0.1, IIS7, etc but not experiencing the problem) doesn't have?

     

    --

    Adam

     
  • Jul 5, 2012 1:00 AM   in reply to Adam Cameron.

    The JVM argument is a way to fix the problem rather than reinstalling the server without installing the security fixes.

     

    As far as the setup is concerned, I would need to see the code and need to know the complete setup environment in order to comment on that.

     
  • Jul 5, 2012 12:09 PM   in reply to wcx08

    wcx08 wrote:

     

    Does adding that jvm argument make my applications/server susceptible to security holes?

    Hi wcx08,

     

    A description of -Dcoldfusion.session.protectfixation=false is here: http://helpx.adobe.com/coldfusion/kb/security-hotfix-coldfusion-8-8.html

     

    -----------

    * A JVM property was added in case you want to completely switch off the fix for the Session Fixation issue (Bug 86378) which prior to this security release changed Session behavior in some environments. Add the following JVM property -Dcoldfusion.session.protectfixation=false in the JVM Arguments for the Coldfusion Server.

    -----------

     

    I searched for Bug 86378 in bugbase.adobe.com, but found 0 results.

     

    The short answer to your question would be Yes.  It would 'completely switch off the fix for the Session Fixation issue'.

     

    Thanks,

    -Aaron
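Added illustrative model of what a session-fixation protection does and does not do; it is not ColdFusion's own code and not a description of what the JVM property literally toggles, and every function and the id values are made up for the example. It shows the protected handler refusing a client-presented id the server never issued and rotating the id at login, while keeping a known id across ordinary page views, which is why rotation on every page (the symptom reported above) is a regression rather than the intended protection.

```python
import secrets

def new_session(store):
    """Create a server-issued id in store (id -> attributes) and return it."""
    sid = secrets.token_hex(16)
    store[sid] = {"authenticated": False}
    return sid

def unprotected_request(store, client_sid):
    """Fixation-prone: whatever id the client presents becomes a session."""
    store.setdefault(client_sid, {"authenticated": False})
    return client_sid

def protected_request(store, client_sid):
    """Honours only server-issued ids; unknown or missing id gets a new one."""
    if client_sid is None or client_sid not in store:
        return new_session(store)
    # A known id on ordinary navigation is kept: rotating it on every page,
    # the symptom reported in this thread, is not part of the protection.
    return client_sid

def protected_login(store, client_sid):
    """Privilege change: retire the presented id and move its state to a new one."""
    old = store.pop(client_sid, {})
    new_sid = new_session(store)
    store[new_sid].update(old)
    store[new_sid]["authenticated"] = True
    return new_sid

def demo():
    """Returns (foreign id adopted by the unprotected handler,
    id stable across pages under protection, id rotated at login)."""
    foreign = "FIXED_ID_FROM_ELSEWHERE"  # constructed value, not a real token
    adopted = unprotected_request({}, foreign) == foreign
    store = {}
    sid1 = protected_request(store, foreign)  # not server-issued: new id
    sid2 = protected_request(store, sid1)     # next page: same id kept
    sid3 = protected_login(store, sid2)
    return adopted, sid1 == sid2 != foreign, sid3 != sid2
```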

     
  • Jul 5, 2012 12:11 PM   in reply to wcx08

    wcx08 wrote:

     

    So you think that turning on J2EE session variables will solve my problem?

     

    It's certainly worth a try..

     
  • Jul 5, 2012 12:52 PM   in reply to wcx08

    wcx08 wrote:

     

    I did not add the JVM argument, but I did turn on the J2EE session variables

    Perfect.  And you're welcome.  I'll try to remember to follow-up in a week or so to see if you feel this issue is resolved.

     

    Thanks!

    -Aaron

     