1 Reply Latest reply on Jul 24, 2007 1:23 AM by jdeline

    Identity Theft (CSRF)

    ACHPostma
      I have the following problem:

      When a user doesn't allow cookies, the CFID and CFTOKEN are submitted using URLs. If the URL is being published (including the CFID and CFTOKEN) via a hyperlink on a page or by sending it with an email for instance and someone uses that link to go to the page he will be able to take over the identity of a previous user if that is within the allowed session timeout (which I set at 10 minutes to lower the risk).

      This will allow the other user to use the session of the previous user to perform malicious actions using the previous user's credentials (which might contain passwords, credit card details or other sensitive data). So we're having a real (CSRF) security issue here.

      I read a lot of articles on how to prevent this, but I haven't found a foolproof method yet.

      What I created now is custom code that runs on every page to prevent ColdFusion taking over the session. It still happens, but when it does the session will be deleted immediately and then start a fresh one by:

      - Deleting all parameters containing session information from the URL.
      - Destroying all data currently in the session.
      - Relocating to the same URL with the remaining URL parameters, if any.

      ColdFusion will not find a session anymore (it's destroyed) and will create a new one.

      This solved the problem I described above, but to me this still doesn't seem like a foolproof solution, so I was wondering if anyone might have a better solution to this problem. I searched all over the Internet, but could not find a better solution to this problem than the one I created myself.

      So if anyone knows a better, more secure method I'd love to hear it.
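The three-step procedure described in the post above (strip the session parameters from the URL, destroy the session they name, redirect to the same URL with the remaining parameters), written out as an added, language-neutral illustration in Python rather than as ColdFusion code from the poster. The in-memory `session_store` dict keyed by `(CFID, CFTOKEN)` and the `handle_request` return convention are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that carry session identity when cookies are disabled.
# CFID and CFTOKEN are the ColdFusion names; compared case-insensitively.
SESSION_PARAMS = {"cfid", "cftoken"}


def session_ids_in_url(url):
    """Return the (CFID, CFTOKEN) pair carried in the URL, or None if absent."""
    query = dict((k.lower(), v) for k, v in
                 parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "cfid" in query and "cftoken" in query:
        return (query["cfid"], query["cftoken"])
    return None


def strip_session_params(url):
    """Step 1: rebuild the URL without any session-bearing parameters,
    keeping every other parameter (and the fragment) in its original order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def handle_request(url, session_store):
    """Run on every request. If the session identity arrived in the URL,
    destroy that session (step 2) and ask the caller to redirect to the
    cleaned URL (step 3) so the server issues a fresh session.
    Returns ("continue", url) or ("redirect", clean_url)."""
    ids = session_ids_in_url(url)
    if ids is None:
        return ("continue", url)
    # Step 2: drop all data held for the session named in the link, whether
    # or not the store still has it, so a stale link can never resume it.
    session_store.pop(ids, None)
    return ("redirect", strip_session_params(url))


if __name__ == "__main__":
    # Constructed sample: a session that a previous user left behind.
    store = {("123", "abc"): {"user": "alice", "cart": ["item-1"]}}
    leaked = "https://example.com/account.cfm?CFID=123&CFTOKEN=abc&page=2#top"
    print(handle_request(leaked, store))   # ('redirect', '...account.cfm?page=2#top')
    print(store)                           # {} -> alice's session is gone
```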