Session Cookies
We all know ColdFusion tracks your sessions by writing the cookie.cfid and cookie.cftoken cookies, but did you know that by default these cookies expire in the year 2037?
This may seem of little consequence, but it does raise some security issues depending on the sensitivity of the application you are working on.
It means that each time you visit the site again ColdFusion reuses the same cfid and cftoken. This has the potential to provide a means for session hijacking, which of course is not a good thing!
Thankfully there is a relatively easy way to turn your persistent cookies into session cookies.
<!--- If ColdFusion has already issued its persistent cfid/cftoken cookies, re-issue them
      with the same values but without an expires attribute. --->
<cfif isDefined('cookie.cfid') and isDefined('cookie.cftoken')>
    <cfset localcfid = cookie.cfid>
    <cfset localtoken = cookie.cftoken>
    <!--- No expires attribute: the browser discards these cookies when it is closed --->
    <cfcookie name="cfid" value="#localcfid#">
    <cfcookie name="cftoken" value="#localtoken#">
</cfif>
This effectively means that when you close the browser your session expires and therefore the cookies also expire.
Potential session hijacking issue solved.
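The same idea applied at the application level, as an added example that is not the post's own code: an Application.cfc that stops ColdFusion writing its persistent cookies at all and issues cfid/cftoken as session cookies itself in onSessionStart. It assumes ColdFusion 9 or later (for the httponly attribute), a site served over HTTPS (for secure="true"), and an application name I have made up.

```cfml
<!--- Application.cfc (added example, assumes CF9+ and an HTTPS-only site) --->
<cfcomponent output="false">
    <cfset this.name = "sessionCookieDemo">  <!--- constructed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Stop ColdFusion from writing its own cfid/cftoken cookies (the ones that expire in 2037) --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Issue the identifiers ourselves. With no "expires" attribute the browser drops
              them when it closes; httponly keeps them out of reach of page scripts; secure
              stops them being sent over plain HTTP. The values come from the session scope,
              so ColdFusion still recognises the session on the next request. --->
        <cfcookie name="cfid" value="#session.cfid#" httponly="true" secure="true">
        <cfcookie name="cftoken" value="#session.cftoken#" httponly="true" secure="true">
    </cffunction>
</cfcomponent>
```

With setClientCookies turned off, every request that should belong to the session must carry these cookies, so the same session-cookie lifetime applies to the whole application rather than to the pages that happen to include the snippet above.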
Happy Coding...
PS: I realize a lot of people are probably already doing this but I felt it deserved a mention.