3 Replies Latest reply on Dec 16, 2009 7:34 AM by TLC-IT

    security question regarding session variables

    bje98f Level 1

      Is it possible for a user to have access to modify the session variables that are being stored on their computer?  Like, let's say I stored a session variable on someone's computer that was <cfset session.number = 100>, would they have the ability to edit that session variable to be a different number?


      Thanks,


      Ben

        • 1. Re: security question regarding session variables
          ilssac Level 5

          Umm, no.


          Because the session variable is NOT stored on the client system.  It is stored on the server.


          What is sent to the client is a token that is sent with every request that lets the server know what requests belong with what session data.


          By default this token is a set of cookies called CFID and CFTOKEN but one can alternately configure ColdFusion to use a different cookie called JSESSIONID.  This latter has the benefits of automatically being a memory cookie that is discarded when the browser closes and being common to JRUN JSP sessions if one ever needs to coordinate with such a system.


          There are known risks that if somebody can guess any existing and current tokens available on the server they can hijack that session.  This is somewhat more risky if one chooses to use GET (aka URL) variables for the tokens rather than cookies.  But few bother with this option these days.
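The model ilssac describes, as an added example that is not part of the thread and not ColdFusion code: a small Python stand-in for a server-side session store in which the client only ever holds an opaque token (the role CFID/CFTOKEN or JSESSIONID play). It shows why editing the cookie cannot change `session.number`, what token guessing looks like against a predictable issuer versus a 128-bit random one, and why a token carried in the URL leaks through the Referer header while a cookie does not. `SessionStore`, `counter_issuer` and the other names are this example's own, and the 4-digit counter token is a deliberately scaled-down stand-in for any low-entropy scheme.

```python
import itertools
import secrets
from urllib.parse import parse_qs, urlparse


class SessionStore:
    """Server side of the model: tokens map to session scopes kept in server
    memory. `issue` is the token generator the store was configured with."""

    def __init__(self, issue):
        self._issue = issue
        self._scopes = {}  # token -> session scope; never leaves the server

    def create(self, **scope):
        token = self._issue()
        self._scopes[token] = dict(scope)
        return token  # the only thing the client ever receives

    def scope(self, token):
        """Resolve a presented token. An unknown token yields no session at all;
        the server never reads session data out of what the client sends."""
        return self._scopes.get(token)


def strong_token():
    """128 bits from the OS CSPRNG, URL-safe base64 (22 characters)."""
    return secrets.token_urlsafe(16)


def counter_issuer(width=4):
    """Constructed low-entropy issuer (assumption, not any real product's
    scheme): a zero-padded counter in a 10**width space, small enough that
    full enumeration below runs instantly."""
    counter = itertools.count(1)
    return lambda: f"{next(counter):0{width}d}"


def client_tamper_demo():
    """Ben's question: the client edits the value in its cookie. Returns what
    the server resolves for the forged cookie and the untouched stored value."""
    store = SessionStore(strong_token)
    cookie = store.create(number=100)
    forged = cookie[:-1] + ("A" if cookie[-1] != "A" else "B")  # client-side edit
    return store.scope(forged), store.scope(cookie)["number"]


def hijack_demo(issue, guesses, live_sessions=50):
    """Token guessing: `live_sessions` users are logged in; the attacker
    presents every token in `guesses` and counts the ones that resolve."""
    store = SessionStore(issue)
    for _ in range(live_sessions):
        store.create(number=100)
    return sum(1 for g in guesses if store.scope(g) is not None)


def expected_guesses_per_hit(space_size, live_sessions):
    """Average number of guesses before one lands on some live session."""
    return space_size / live_sessions


def tokens_in_referer(referer_url):
    """Tokens carried in the URL ride along in the Referer header of the
    user's next click to another site; cookies are not sent that way."""
    query = parse_qs(urlparse(referer_url).query)
    return {k.upper(): v[0] for k, v in query.items()
            if k.upper() in ("CFID", "CFTOKEN", "JSESSIONID")}


if __name__ == "__main__":
    print("forged cookie resolves to:", client_tamper_demo())
    weak_hits = hijack_demo(counter_issuer(), [f"{i:04d}" for i in range(10_000)])
    strong_hits = hijack_demo(strong_token, [strong_token() for _ in range(10_000)])
    print("weak-token sessions hijacked:", weak_hits,
          "strong-token sessions hijacked:", strong_hits)
    print("guesses per hit, 8-digit numeric token, 1000 live users:",
          expected_guesses_per_hit(10**8, 1000))
    # constructed URL, the kind a URL-token deployment would emit
    print(tokens_in_referer("http://app.example/page.cfm?CFID=123&CFTOKEN=45678901&x=1"))
```

Against the counter issuer, enumerating the whole (scaled-down) space hijacks every live session; ten thousand random guesses against 128-bit tokens hit nothing. The `expected_guesses_per_hit` line is the practitioner's check: a token space of 10^8 with a thousand live users falls to roughly a hundred thousand requests, which is an afternoon of scripted traffic, so token entropy matters as much as keeping the data server-side.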

          • 2. Re: security question regarding session variables
            bje98f Level 1

            Ahhh thank you very much!

            • 3. Re: security question regarding session variables
              TLC-IT Level 3

              ColdFusion does provide options for launching pretty darned good "automatic defenses" against many forms of attacks, including the so-called "cross-site scripting" attack (where a session variable is purloined).  You would do well to carefully read the docs chapters on this and, if you are deploying a public-facing application, follow them quite religiously.