When a user doesn't allow cookies, the CFID and CFTOKEN are
submitted using URLs. If the URL is being published (including the
CFID and CFTOKEN) via a hyperlink on a page or by sending it with
an email for instance and someone uses that link to go to the page
he will be able to take over the identity of a previous user if
that is within the allowed session timeout (which I set at 10
minutes to lower the risk).
This will allow the other user to use the session of the
previous user to perform malicious actions using the previous
user's credentials (which might contain passwords, credit card
details or other sensitive data). So we're having a real (CSRF)
security issue here.
I read a lot of articles on how to prevent this, but I
haven't found a full-proof method yet.
What I created now is custom code that runs on every page to
prevent ColdFusion taking over the session. It still happens, but
when it does the session will be deleted immediately and then start
a fresh one by:
- Deleting all parameters containing session information from
- Destroying all data currently in the session.
- Relocating to the same URL with the remaining URL
parameters, if any.
Coldfusion will not find a session anymore (it's destroyed)
and will create a new one.
This solved the problem I described above, but to me this
still doesn't seem like a full-proof solution, so I was wondering
if anyone might have a better solution to this problem. I searched
all over the Internet, but could not find a better solution to this
problem than the one I created myselve.
So if anyone knows a better, more secure method I'd love to