Session Cookies
We all know ColdFusion tracks your sessions by writing cookie.cfid and cookie.cftoken, but did you know that by default these cookies do not expire until the year 2037?
This may seem of little consequence, but it does raise security issues depending on the sensitivity of the application you are working on.
It means that each time you visit the site again, ColdFusion reuses the same CFID and CFTOKEN. A long-lived identifier like that has the potential to enable session hijacking, which of course is not a good thing!
Thankfully there is a relatively easy way to turn your persistent cookies into session cookies.
<!--- Only re-issue the cookies once ColdFusion has already set them --->
<cfif IsDefined("cookie.cfid") AND IsDefined("cookie.cftoken")>
    <cfset localcfid = cookie.cfid>
    <cfset localtoken = cookie.cftoken>
    <!--- No expires attribute, so the browser treats these as session cookies --->
    <cfcookie name="cfid" value="#localcfid#">
    <cfcookie name="cftoken" value="#localtoken#">
</cfif>
This effectively means that when you close the browser the cookies are discarded, so the same CFID and CFTOKEN are not presented on your next visit and you start with a fresh session.
Potential session hijacking issue solved.
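As an added check that is not part of the original post, the following Python script parses raw Set-Cookie header values and reports whether the CFID/CFTOKEN cookies would survive a browser restart; the header values are constructed samples, one pair mimicking the default far-future expiry and one pair showing what the cfcookie fix above produces.

```python
"""Audit Set-Cookie headers for persistent ColdFusion session identifiers.

Added example (not from the original post): flags CFID/CFTOKEN cookies that
carry a Max-Age or future Expires attribute, i.e. cookies the browser keeps
after it is closed, which is what the cfcookie fix is meant to prevent.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIES = {"cfid", "cftoken"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_persistent(attrs):
    """True if the cookie outlives the browser: Max-Age > 0 or a future Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) > 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) > datetime.now(timezone.utc)
    return False

def audit_cookies(headers):
    """Return {cookie name: 'persistent' | 'session'} for CFID/CFTOKEN only."""
    result = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIES:
            result[name] = "persistent" if is_persistent(attrs) else "session"
    return result

# Constructed sample headers: the first pair mirrors the default 2037 expiry,
# the second pair is what re-issuing the cookies without expires produces.
DEFAULT_HEADERS = [
    "CFID=12345; expires=Thu, 31-Dec-2037 23:59:59 GMT; path=/",
    "CFTOKEN=67890; expires=Thu, 31-Dec-2037 23:59:59 GMT; path=/",
]
FIXED_HEADERS = [
    "CFID=12345; path=/",
    "CFTOKEN=67890; path=/",
    "JSESSIONID=abc; path=/",  # ignored: not a CFID/CFTOKEN cookie
]

if __name__ == "__main__":
    print(audit_cookies(DEFAULT_HEADERS))  # -> {'CFID': 'persistent', 'CFTOKEN': 'persistent'}
    print(audit_cookies(FIXED_HEADERS))    # -> {'CFID': 'session', 'CFTOKEN': 'session'}
```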
Happy Coding...
PS: I realize a lot of people are probably already doing this but I felt it deserved a mention.