
security question regarding session variables

Explorer , Dec 15, 2009

Is it possible for a user to have access to modify the session variables that are being stored on their computer? Like, let's say I stored a session variable on someone's computer that was <cfset session.number = 100>; would they have the ability to edit that session variable to be a different number?

Thanks,

Ben

TOPICS: Advanced techniques

Views: 487

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. (Learn more: community guidelines)

Valorous Hero , Dec 15, 2009 (Correct answer)

Umm, no.

Because the session variable is NOT stored on the client system.  It is stored on the server.

What is sent to the client is a token that is sent with every request that lets the server know what requests belong with what session data.

By default this token is a set of cookies called CFID and CFTOKEN but one can alternately configure ColdFusion to use a different cookie called JSESSIONID.  This latter has the benefits of automatically being a memory cookie that is discarded when the browser closes and being common to JRUN JSP sessions if one ever needs to coordinate with such a system.

There are known risks that if somebody can guess any existing and current tokens available on the server they can hijack that session. This is somewhat more risky if one chooses to use get (aka URL) variables for the tokens rather than cookies. But few bother with this option these days.

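The design described in this answer, as an added illustration that is not from the original thread or from ColdFusion itself: a Python model of a server-side session store in which the browser holds only an opaque token. The class and function names are assumed for the example, and the token sizes in the final comparison are constructed to show why guessable tokens are the real risk.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session scope keyed by an opaque token (the role CFID/CFTOKEN
    or JSESSIONID play). Only the token is ever sent to the browser."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}  # token -> that session's variables

    def create(self, **initial) -> str:
        # A long random token is the only thing the client stores.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = dict(initial)
        return token

    def lookup(self, token: Optional[str]) -> Optional[dict]:
        # An unknown or edited token simply fails to resolve; it cannot
        # change any value held on the server.
        return self._sessions.get(token) if token else None


def tampering_demo() -> Tuple[int, Optional[dict]]:
    """Play out the question: the user edits the cookie their browser holds.
    Returns (the server's session.number, what the edited cookie resolves to)."""
    store = SessionStore()
    cookie = store.create(number=100)  # <cfset session.number = 100>
    # The user rewrites one character of the cookie value on their machine.
    edited = cookie[:-1] + ("A" if cookie[-1] != "A" else "B")
    return store.lookup(cookie)["number"], store.lookup(edited)


def single_guess_hit_chance(token_space: int, live_sessions: int) -> float:
    """Chance that one blind guess lands on a currently live session: the
    hijack risk the answer mentions. It grows with the number of live sessions
    and shrinks with the size of the token space."""
    return live_sessions / token_space


if __name__ == "__main__":
    # (100, None): the server's value is intact; the edited token resolves to nothing.
    print(tampering_demo())
    # Constructed comparison: an 8-digit numeric token vs the 256-bit token used above,
    # each with 1000 live sessions on the server.
    print(single_guess_hit_chance(10 ** 8, 1000))
    print(single_guess_hit_chance(2 ** 256, 1000))
```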
Explorer , Dec 15, 2009

Ahhh thank you very much!

Engaged , Dec 16, 2009 (latest reply)

ColdFusion does provide options for launching pretty darned good "automatic defenses" against many forms of attacks, including the so-called "cross-side scripting" attack (where a session-variable is purloined).  You would do well to carefully read the docs chapters on this and, if you are deploying a public-facing application, follow them quite religiously.
