
CFID CFTOKEN Problem

New Here, Dec 04, 2007


Hello. Thanks in advance for any help.

I have a serious problem that I have been unable to debug probably because of my poor understanding of the subject.

I have an application with session and client variables.

Some people are sharing CFIDs and CFTOKENs, which is resulting in a real security problem.


What I have found is that despite clearing the client storage database, the session variables, and resetting cookies, the CFID and CFTOKEN persist.


I created a page with the following code to highlight the problem:


<!--- Before: the same CFTOKEN as seen through each scope --->
<cfoutput>
cftoken: #cftoken#<br />
session.cftoken: #session.CFToken#<br />
client.cftoken: #client.cftoken#<br />
cookie.cftoken: #cookie.cftoken#<br />
</cfoutput>

<!--- Expire both identifier cookies, clear every session variable, zero the client token --->
<cfcookie name="Cftoken" expires="now">
<cfcookie name="cfid" expires="now">
<cflock name="myappsessionlogout" type="exclusive" timeout="5">
<cfloop collection="#Session#" item="All_Vars">
<cfset StructDelete(Session, All_Vars)>
</cfloop>
</cflock>
<cfset client.cftoken = 0>

<!--- After: session.cftoken is left out because the session struct has just been emptied --->
<cfoutput>
cftoken: #cftoken#<br />
<!---session.cftoken: #session.CFToken#<br />--->
client.cftoken: #client.cftoken#<br />
cookie.cftoken: #cookie.cftoken#<br />
</cfoutput>




First, I output the client, session, and cookie values for CFTOKEN.

I then delete/expire them and then I output them again.

The resulting page is something like this:


cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
session.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
client.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cookie.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cftoken:
client.cftoken: 0
cookie.cftoken: 0


If I refresh the page, however, the exact same output occurs, meaning that somewhere the CFID and CFTOKEN variables are persisting. The issue is that some people have very short values for cftoken and so they are being shared. I need to reset their values so that they include the UUID.

Can someone tell me how to force a user to get a new cookie, client and session or provide some insight as to what may be happening?

Community Expert, Dec 04, 2007

New Here, Dec 04, 2007


Thanks for the reply. The issue is that I want clientmanagement and I don't necessarily want per-session cookies. I do, however, want to be sure that any person who has a CFID or CFTOKEN that does not contain a UUID resets their CFID and CFTOKEN. How can I force the reset for a specific user? Once they are reset they will get a new cftoken that persists, but it will be long enough to prevent sharing of variables.


Essentially, what I don't understand is how the cfid and cftoken are currently persisting when I've expired the cookie, reset the session variables and cleared the client database. It seems that the cookie isn't really expiring.


Community Expert, Dec 04, 2007


I think the Technote still applies to your case, especially the following excerpt and the fact that it is likely happening in Application.cfm:

<CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
<CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#" EXPIRES="NOW">

<!--- With Client Management Enabled --->
<CFAPPLICATION NAME="myCFApp" CLIENTMANAGEMENT="YES" SETCLIENTCOOKIES="NO">
<!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
<CFCOOKIE NAME="CFID" VALUE="#CLIENT.CFID#">
<CFCOOKIE NAME="CFTOKEN" VALUE="#CLIENT.CFTOKEN#">

New Here, Dec 05, 2007


I did what was suggested and the cookies on my machines are still set to expire in 37 years. Is there really no way to force the expiration of a cookie that already exists on a client's machine?

Thanks for the help thus far.




New Here, Dec 05, 2007

Thanks for the help! I think I figured it out. Somehow the domain of cookies being set was incorrect so I was unable to delete them. I had to explicitly set the domain on

<CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#" EXPIRES="NOW" domain=".domain.com">

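The behaviour the last reply describes, as an added example that is not code from the thread or from ColdFusion: a browser treats (name, domain, path) as a cookie's identity, so a Set-Cookie with a past Expires date and no Domain attribute creates a host-only "deletion" that never touches a cookie originally issued for ".domain.com". The token check assumes, from the value printed in the first post, that a UUID-style CFTOKEN looks like "<digits>-<UUID>"; the host name, dates and cookie values are constructed.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed CFTOKEN shape, taken from the value shown in the thread: "<digits>-<UUID>"
UUID_TOKEN = re.compile(r"^\d+-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def token_needs_reset(cftoken: str) -> bool:
    """True for short, numeric-only CFTOKEN values, the ones the thread says get shared."""
    return UUID_TOKEN.match(cftoken) is None

class CookieJar:
    """Tiny RFC 6265-style jar: a cookie's identity is (name, domain, path)."""
    def __init__(self):
        self.cookies = {}

    def store(self, set_cookie: str, request_host: str):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = domain == ""            # no Domain attribute: only request_host matches
        domain = domain or request_host.lower()
        path = attrs.get("path") or "/"
        key = (name, domain, path)
        expired = False
        if "expires" in attrs:              # CFCOOKIE EXPIRES="NOW" sends a past Expires date
            expired = parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
        if expired:
            self.cookies.pop(key, None)     # deletion only hits the cookie with the same identity
        else:
            self.cookies[key] = (value, host_only)

    def names_for(self, host: str, path: str = "/"):
        """Names of the cookies a browser would send to host/path."""
        host, out = host.lower(), []
        for (name, domain, cpath), (_, host_only) in self.cookies.items():
            dom_ok = host == domain or (not host_only and host.endswith("." + domain))
            if dom_ok and path.startswith(cpath):
                out.append(name)
        return sorted(out)

def demo():
    """Replays the thread: expiring without a Domain leaves the '.domain.com' cookie alive."""
    jar, host = CookieJar(), "www.domain.com"          # constructed host
    future, past = "Fri, 31 Dec 2044 00:00:00 GMT", "Thu, 01 Jan 1970 00:00:00 GMT"
    jar.store(f"CFTOKEN=12345; Path=/; Domain=.domain.com; Expires={future}", host)
    jar.store(f"CFTOKEN=12345; Path=/; Expires={past}", host)                      # no domain: miss
    after_plain_expire = jar.names_for(host)
    jar.store(f"CFTOKEN=12345; Path=/; Domain=.domain.com; Expires={past}", host)  # domain given: hit
    after_domain_expire = jar.names_for(host)
    return after_plain_expire, after_domain_expire
```

On the same request the CFML that expires the cookie still sees the old value in the cookie scope; only the next request from the browser shows whether the deletion matched.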