Session Cookies

We all know ColdFusion tracks your sessions by writing cookie.cfid and cookie.cftoken, but did you know that by default these cookies expire in the year 2037?

This may seem of little consequence but it does raise some security issues depending on the sensitivity of the application you are working on.

It means that each time you visit the site again ColdFusion reuses the same CFID and CFTOKEN. This has the potential to provide a means for session hijacking, which of course is not a good thing!

Thankfully there is a relatively easy way to turn your persistent cookies into session cookies.

<!--- Re-issue the existing CFID/CFTOKEN values without an expires attribute,
      which turns the persistent cookies into browser-session cookies --->
<cfif isDefined('cookie.cfid') and isDefined('cookie.cftoken')>
   <cfset localcfid = cookie.cfid>
   <cfset localtoken = cookie.cftoken>
   <cfcookie name="cfid" value="#localcfid#">
   <cfcookie name="cftoken" value="#localtoken#">
</cfif>

This effectively means that when you close the browser your session ends and the cookie expires with it.

Potential session hijacking issue solved.
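As an added example, not part of the original post, here is a small Python check that parses Set-Cookie headers and flags CFID/CFTOKEN cookies that still carry a future Expires or a positive Max-Age, which is how you confirm the fix above actually took effect. The sample headers and the reference time are constructed for the demonstration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers, as a ColdFusion server might send them
# before (persistent, expires 2037) and after (session-scoped) the fix.
CONSTRUCTED_HEADERS = [
    "CFID=12345; expires=Fri, 10-Jan-2037 23:59:59 GMT; path=/",
    "CFTOKEN=67890; expires=Fri, 10-Jan-2037 23:59:59 GMT; path=/",
    "CFID=12345; path=/",
    "CFTOKEN=67890; path=/",
]

# ColdFusion session identifier cookies we care about (compared case-insensitively).
SESSION_COOKIE_NAMES = {"cfid", "cftoken"}

# Fixed reference time (constructed) so the check gives reproducible results.
CHECK_TIME = datetime(2008, 9, 1, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookie_persists(attrs, now):
    """True if the cookie outlives the browser session: Max-Age > 0, or Expires in the future."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparseable Expires is treated as a session cookie by browsers
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False  # neither attribute present: a session cookie

def find_persistent_session_cookies(headers, now=CHECK_TIME):
    """Return the names of CFID/CFTOKEN cookies that are persistent rather than session-scoped."""
    flagged = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and cookie_persists(attrs, now):
            flagged.append(name)
    return flagged
```

Run it against the headers your own server returns (for example from a proxy log) before and after deploying the cfcookie snippet; an empty result means the session cookies no longer persist.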

Happy Coding...

PS: I realize a lot of people are probably already doing this but I felt it deserved a mention.
