CFLogin Security Considerations
If you use the cflogin tag to manage authentication, you should consider setting loginstorage="session" in your Application.cfm file for better security.
"cookie", when you use this storage a cookie is created called
app_name is the name of your ColdFusion application. The contents of this cookie will be a base64 encoded string of the following:
So the actual value of the above would be:
Now, as you know, Base64 is not encryption; it is an encoding, and it is reversible. That means the password you give to the cfloginuser tag is sent in plain text on every request that isn't over SSL.
Many people actually set the password attribute in cflogin to an empty string, or to the same value for every user. I have seen some security professionals even recommend this (the reasoning being that you don't want the actual password in memory).
Let me explain why it is a bad practice to set the same cfloginuser password for every user. Suppose you have the following code:
<cfloginuser name="#cflogin.name#" password="" roles="administrator">
Now suppose I want to log in as the user admin, and your application name is app_name. I simply need to set the following cookie in my browser:
When you have loginstorage="session", the cookie you just set will be ignored (tested on CF8). A session variable called CFAUTHORIZATION_app_name is used instead, and there should be no way to manipulate its value remotely.
So if you want to continue using loginstorage="cookie", you should follow these guidelines:
- Make sure the password value passed to cfloginuser is not the actual password.
- Make sure the password value is different for each user and not predictable. A good practice may be to use a salted hash of the actual password.
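The two guidelines above, put together with the recommended loginstorage="session" setting, as an added Application.cfm fragment (example code, not from the original post). The verifyCredentials() helper, and the salt and roles fields it returns, are assumed; they stand in for whatever user store your application uses.

```cfml
<!--- Application.cfm: added example, not from the original post --->
<cfapplication name="app_name" sessionmanagement="true" loginstorage="session">

<cflogin>
    <!--- the cflogin structure only exists when the request supplied credentials --->
    <cfif isDefined("cflogin")>
        <!--- verifyCredentials() is an assumed helper: it checks the submitted
              password against the stored hash and returns a struct holding the
              user's per-user salt and roles, or false if the credentials are bad --->
        <cfset user = verifyCredentials(cflogin.name, cflogin.password)>
        <cfif isStruct(user)>
            <!--- Guidelines 1 and 2: the value handed to cfloginuser is not the
                  real password, and it differs per user because of the salt.
                  Under loginstorage="cookie" this token is what would end up
                  base64 encoded in the cookie; under "session" it stays on the
                  server in CFAUTHORIZATION_app_name. --->
            <cfset loginToken = hash(user.salt & cflogin.password, "SHA-256")>
            <cfloginuser name="#cflogin.name#" password="#loginToken#" roles="#user.roles#">
        <cfelse>
            <!--- bad credentials: deny the request rather than logging in anyone
                  with a fixed or empty password --->
            <cfheader statuscode="401" statustext="Unauthorized">
            <cfabort>
        </cfif>
    </cfif>
</cflogin>
```

Because the token is derived from the real password and a per-user salt, a forged cookie containing an empty or shared password value no longer matches any user, even if you later switch back to loginstorage="cookie".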
Considerations for Clustered Servers
If you are in a clustered environment, you need to use sticky sessions or session replication in order for loginstorage="session" to work without requiring the user to re-authenticate.