6 Replies Latest reply on Dec 5, 2007 10:36 AM by Amosl

    CFID CFTOKEN Problem

    Amosl
      Hello. Thanks in advance for any help.

      I have a serious problem that I have been unable to debug probably because of my poor understanding of the subject.

      I have an application with session and client variables.

      Some people are sharing CFIDs and CFTOKENs, which is resulting in a real security problem.


      What I have found is that despite clearing the client storage database, the session variables, and resetting cookies, the CFID and CFTOKEN persist.


      I created a page with the following code to highlight the problem:


      <!--- Show the current identifiers from every scope before touching anything --->
      <cfoutput>

      cftoken: #cftoken#<br />
      session.cftoken: #session.CFToken#<br />
      client.cftoken: #client.cftoken#<br />
      cookie.cftoken: #cookie.cftoken#<br />
      </cfoutput>


      <!--- Expire the browser cookies and wipe the session (lock so nothing else writes to it meanwhile) --->
      <cfcookie name="Cftoken" expires="now"><cfcookie name="cfid" expires="now">
      <cflock name="myappsessionlogout" type="exclusive" timeout="5">
      <!--- Loop over a copy of the key list, not the live struct, so deleting while looping is safe --->
      <cfloop list="#StructKeyList(Session)#" index="All_Vars">
      <cfset StructDelete(Session, All_Vars)>
      </cfloop>

      </cflock>
      <cfset client.cftoken = 0>
      <!--- Output again to see what survived --->
      <cfoutput>
      cftoken: #cftoken#<br />
      <!---session.cftoken: #session.CFToken#<br />--->
      client.cftoken: #client.cftoken#<br />
      cookie.cftoken: #cookie.cftoken#<br />
      </cfoutput>




      First, I output the client, session, and cookie values for CFTOKEN.

      I then delete/expire them and then I output them again.

      The resulting page is something like this:


      cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
      session.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
      client.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
      cookie.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
      cftoken:
      client.cftoken: 0
      cookie.cftoken: 0


      If I refresh the page, however, the same exact output occurs, meaning that somewhere the CFID and CFTOKEN variables are persisting. The issue is that some people have very short values for cftoken and so they are being shared. I need to reset their values so that they include the UUID.

      Can someone tell me how to force a user to get a new cookie, client and session or provide some insight as to what may be happening?

        • 2. CFID CFTOKEN Problem
          Amosl Level 1
          Thanks for the reply. The issue is that I want clientmanagement and I don't necessarily want per-session cookies. I do, however, want to be sure that any person who has a CFID or CFTOKEN that does not contain a UUID gets their CFID and CFTOKEN reset. How can I force the reset for a specific user? Once they are reset they will get a new cftoken that persists, but it will be long enough to prevent sharing of variables.


          Essentially, what I don't understand is how the cfid and cftoken are currently persisting when I've expired the cookie, reset the session variables and cleared the client database. It seems that the cookie isn't really expiring.


          • 3. Re: CFID CFTOKEN Problem
            BKBK Adobe Community Professional & MVP
            I think the Technote still applies to your case, especially the following excerpt and the fact that it is likely happening in Application.cfm:

            <CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
            <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#" EXPIRES="NOW">

            <!--- With Client Management Enabled --->
            <CFAPPLICATION NAME="myCFApp" CLIENTMANAGEMENT="YES" SETCLIENTCOOKIES="NO">
            <!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
            <CFCOOKIE NAME="CFID" VALUE="#CLIENT.CFID#">
            <CFCOOKIE NAME="CFTOKEN" VALUE="#CLIENT.CFTOKEN#">

            • 4. Re: CFID CFTOKEN Problem
              Amosl Level 1
              I did what was suggested and the cookies on my machines are still set to expire in 37 years. Is there really no way to force the expiration of a cookie that already exists on a client's machine??

              Thanks for the help thus far.




                • 6. Re: CFID CFTOKEN Problem
                  Amosl Level 1
                  Thanks for the help! I think I figured it out. Somehow the domain of the cookies being set was incorrect, so I was unable to delete them. I had to explicitly set the domain on

                  <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#" EXPIRES="NOW" domain=".domain.com">
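As an added example (not code from the thread), an Application.cfm fragment that combines the fix from the last reply with the original goal: detect a user whose CFTOKEN is not in the UUID form, expire both cookies with the matching domain and path, and redirect so ColdFusion issues fresh identifiers. The domain `.domain.com`, the path `/` and the `rotated` guard parameter are assumptions.

```cfml
<!--- Added example: rotate short (non-UUID) CFID/CFTOKEN cookies.
      Place before <cfapplication> in Application.cfm. Assumes the server has
      "Use UUID for cftoken" enabled in the Administrator; otherwise the new
      token would be short again, which the "rotated" guard below prevents
      from turning into a redirect loop. --->
<cfset cookieDomain = ".domain.com">   <!--- assumed: must match the domain the cookie was issued for --->
<cfset cookiePath = "/">               <!--- assumed: must match the path the cookie was issued for --->

<!--- Token format shown in the thread: number, dash, then an 8-4-4-4-12 hex UUID --->
<cfset uuidTokenPattern = "^[0-9]+-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$">

<cfif StructKeyExists(cookie, "CFTOKEN")
      AND NOT REFindNoCase(uuidTokenPattern, cookie.CFTOKEN)
      AND NOT StructKeyExists(url, "rotated")>

    <!--- A browser only replaces a cookie when name, domain and path all match,
          which is why the plain expires="now" in the thread had no effect --->
    <cfcookie name="CFID" value="" expires="now" domain="#cookieDomain#" path="#cookiePath#">
    <cfcookie name="CFTOKEN" value="" expires="now" domain="#cookieDomain#" path="#cookiePath#">

    <!--- Drop them from the cookie scope too so this request cannot reuse the old pair --->
    <cfset StructDelete(cookie, "CFID")>
    <cfset StructDelete(cookie, "CFTOKEN")>

    <!--- Next request arrives without identifiers; CF mints a new CFID/CFTOKEN
          and a new client record, so nothing is shared with the old short token --->
    <cflocation url="#cgi.script_name#?rotated=1" addtoken="no">
</cfif>
```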