7 Replies Latest reply on Sep 15, 2014 3:45 AM by Abdul L Koyappayil

    real use of CFID and CFTOKEN

    Abdul L Koyappayil Level 1

      Hi All,

       

      Normally if a request is going to a CF server then the server will generate two tokens, CFID (say 100) and CFTOKEN (say 200), and these are saved as session cookies in the browser. This mechanism is for maintaining a session. And now if the session expires, say after 20 minutes, then the server will generate new tokens (say 300 and 400). This is how CF session management works, if I am not wrong.

       

      I think in most cases we are not using the generated tokens (CFID and CFTOKEN) in our cfm or cfc code; at least I didn't use them. So my question is: what is the real use of CFID and CFTOKEN unless we are using those tokens while coding? These questions arose in my mind when I was fixing some vulnerability issues as part of a PCI scan, where I had to secure session cookies. So I was wondering whether it was really necessary to secure those session cookies, as we are not using those cookies anywhere in our application; rather, those cookies are just used for session management. Or what can a hacker do if he/she is able to steal those cookies?

       

      Any thoughts on this?

        • 1. Re: real use of CFID and CFTOKEN
          BKBK Adobe Community Professional & MVP

          You raise a number of questions.

          Abdul L Koyappayil wrote:

           

          Normally if a request is going to a CF server then the server will generate two tokens, CFID (say 100) and CFTOKEN (say 200), and these are saved as session cookies in the browser. This mechanism is for maintaining a session. And now if the session expires, say after 20 minutes, then the server will generate new tokens (say 300 and 400). This is how CF session management works, if I am not wrong.

          Not wrong, but with one addition. The new session has a CFID of 101. That is relevant.

           

          I think in most cases we are not using the generated tokens (CFID and CFTOKEN) in our cfm or cfc code; at least I didn't use them.

          Even if you don't use CFID and CFToken explicitly in your code, ColdFusion will use the cookies in the background to communicate with browsers. I am assuming, of course, that session management is enabled.

           

          So my question is: what is the real use of CFID and CFTOKEN unless we are using those tokens while coding?

          Communication via HTTP(S) is stateless. This means that servers are so designed that they have no obligation to remember or to store any details about the client's request.

           

          One implication of this is that, by default, every new request to the ColdFusion server will start a new session. With merely 10 000 clients, each making on average 100 requests, ColdFusion will generate a million unrelated sessions, which it will temporarily hold in memory. Clearly, one session per request is inefficient. Hence the need for session management.

           

          Session management is a mechanism for uniquely identifying and grouping requests that belong together, for example, the requests from a particular client at a particular time. This effectively creates a stateful protocol on top of the HTTP(S) communication.

           

          ColdFusion typically manages sessions by means of cookies. Cookies uniquely identify the client, and keep track of his requests, as he navigates from one request to the next. The real use of CFID and CFToken is to maintain a user's session in this way. (If cookies are disabled, then you must pass the CFID and CFToken values in the URL to maintain the session.)

           

          These questions arose in my mind when I was fixing some vulnerability issues as part of a PCI scan, where I had to secure session cookies. So I was wondering whether it was really necessary to secure those session cookies, as we are not using those cookies anywhere in our application; rather, those cookies are just used for session management. Or what can a hacker do if he/she is able to steal those cookies?

          As Steve Sommers said in your previous thread, you can safely ignore the warning from the PCI scanner. The reason why the scanner flags ColdFusion's session cookies as vulnerable is that it detects CFID as being sequential, hence predictable. Rightly, too. (Recall my earlier remark about 101.) However, the scanner is unaware that CFID is just one part of a double-act, and that both CFID and CFToken are obligatory in the definition of a ColdFusion session.

           

          CFToken happens to be random and unique enough to be secure, and so the combination of CFID and CFToken is secure. You could therefore use them, in place of the JsessionID cookie, to maintain session. That answers your immediate question.

           

          Nevertheless, a complication might arise if you use client variables as well. This excerpt from the Adobe documentation on 'Managing the client state' says it all:

           

          Providing Session security

           

          ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFToken and CFID values are used to identify a client over a period of time, they are normally saved as cookies on the user’s browser. These cookies persist until the client’s browser deletes them, which can be a considerable length of time. As a result, hackers could have more access to these variables than if ColdFusion used different user identifiers for each session.

           

          A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

           

          You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.

          • 2. Re: real use of CFID and CFTOKEN
            Carl Von Stetten Adobe Community Professional & MVP

            BKBK captured the issues very well. One further note: you can increase the security of the session cookies by using the httponly feature introduced in CF9. This Adobe Devnet article explains how it works and how to implement it. Basically, using httponly cookies prevents JavaScript access to the cookies, protecting against some forms of cross-site scripting (XSS) attacks.

             

            -Carl V.
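
            A way to check the points raised above (the httponly flag from this reply, and the long-lived CFID/CFToken cookies described in the Adobe excerpt) against what a server actually sends. This is an added example, not code from the thread or from Adobe; the function names and the sample headers are constructed for illustration, and the Secure check is an assumption about what the PCI scan expects.

```python
# Added example: audit Set-Cookie headers for the ColdFusion session cookies.
# Cookie names come from the thread; everything else here is illustrative.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers):
    """Return {cookie name: [issues]} for session cookies only."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue  # application cookies are out of scope for this check
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")  # readable from JavaScript
        if "secure" not in attrs:
            issues.append("missing Secure")    # may travel over plain HTTP
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent")        # outlives the browser session
        findings[name] = issues
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "CFID=101; Expires=Fri, 01-Jan-2044 00:00:00 GMT; Path=/",
    "CFTOKEN=12345678; Expires=Fri, 01-Jan-2044 00:00:00 GMT; Path=/; HttpOnly",
    "JSESSIONID=ABCDEF0123456789; Path=/; Secure; HttpOnly",
    "THEME=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, issues in audit_session_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", ", ".join(issues) or "ok")
```

            Feed it the Set-Cookie values from a response of your own application, taken from the first request of a fresh session.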

            • 3. Re: real use of CFID and CFTOKEN
              Abdul L Koyappayil Level 1

              Thanks for your detailed explanations. I understood.

              BKBK wrote:

               

              You raise a number of questions.

               

              BK, the forum is used for asking questions and to discuss those questions among many people. Right?? .......

              • 4. Re: real use of CFID and CFTOKEN
                BKBK Adobe Community Professional & MVP

                Abdul L Koyappayil wrote:

                 

                BK, the forum is used for asking questions and to discuss those questions among many people. Right?? .......

                Right. "You raise a number of questions" is simply a bridge to the answers I wished to contribute. I intended nothing else.

                • 6. Re: real use of CFID and CFTOKEN
                  BKBK Adobe Community Professional & MVP

                  Abdul L Koyappayil wrote:

                   

                   

                   

                  Should you have further questions, please do bring them to the forum. A forum without questions is a bazaar without merchandise.

                  • 7. Re: real use of CFID and CFTOKEN
                    Abdul L Koyappayil Level 1

                    I have posted a separate question, "How to secure CFGLOBALS cookie" ... can you please look into it? It will be very helpful.