Session Loss and Session Fixation in ColdFusion
I often find myself explaining how the session fixation security hotfix (APSB11-04) might cause session loss under certain circumstances, so I figured it was time for a blog entry explaining it.
Ok, first what is session fixation?
A session fixation vulnerability exists when an attacker can direct the victim to use a specific session identifier. So for example, suppose I say: hey, follow this link:
Now, when you visit this link, if CF allows you to use that attacker-supplied session identifier to maintain a valid session, you have a session fixation problem. The attacker already knows the session ID, so he can set the same CFID/CFTOKEN on his own computer and gain access to your session.
How does ColdFusion session fixation protection work?
ColdFusion now checks whether the CFID/CFTOKEN passed in the URL, cookie, form, etc. are valid for the current ColdFusion application. If the CFID/CFTOKEN passed do not correspond to a valid session in that CF application, a new set of CFID/CFTOKEN is generated and set as cookies.
So how does this lead to session loss?
The only circumstance I'm aware of that causes session loss is having multiple ColdFusion applications that reside on the same domain with different application names.
So assume I have a domain with two ColdFusion applications, /apples/ and /oranges/, where each folder has its own Application.cfc or Application.cfm with a different application name (e.g. this.name="apples" and this.name="oranges").
Now consider the following condition:
- User requests /apples/
- User successfully logs in under /apples/
- User makes a request under /oranges/
- User makes a request back to /apples/ (and appears to be logged out)
And here's what happens:
- User is given a set of cookies: CFID=1 CFTOKEN=1
- A session variable is set to keep the user authenticated in the session CFID=1 CFTOKEN=1
- CF sees CFID=1 CFTOKEN=1 and says that is NOT a valid session for the application "oranges"; here's a new set of session IDs: CFID=2 CFTOKEN=2
- CF sees CFID=2 CFTOKEN=2 and says that is NOT a valid session for the application "apples"; here's a new set of session IDs: CFID=3 CFTOKEN=3. You are still technically logged in under CFID=1 CFTOKEN=1, but your cookies no longer correspond to that session, so for all intents and purposes you are logged out of /apples/.
So how do you prevent the session loss?
There are a few ways you can do this:
- Set a path on the CFID and CFTOKEN cookies so the browser only sends each application's cookies to that application's path. You can do this in OnSessionStart if you specify this.setclientcookies=false. You can see an example of how to set the session cookies in my blog entry on HttpOnly session cookies.
- You can set both application names to be equivalent, that is, change this.name="apples" to this.name="fruit" and this.name="oranges" to this.name="fruit". This will cause the two applications to also share application and session scopes, so it may not be a good idea if your applications clash on naming.
- You can disable the session fixation patch in ColdFusion by adding the JVM argument -Dcoldfusion.session.protectfixation=false to your server. This is a good way to find out if the session fixation patch is indeed causing your problem, or if it is something else. I recently helped a client with session loss, and their problem actually ended up being on the load balancer, so it is handy to test using this before making code changes. But keep in mind that when you do this you are giving up some security.
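Here is what the first option looks like for the /apples/ application, as an added example written for this entry (not code from the original post or from Adobe); it assumes the application lives under the path /apples/, and the /oranges/ application needs the same file with its own name and path.

```cfml
<!--- Application.cfc for the /apples/ application (assumed path) --->
<cfcomponent output="false">
    <cfset this.name = "apples">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Stop CF from writing its own CFID/CFTOKEN cookies, which would
          otherwise be sent to every application on this domain --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Write the session cookies ourselves, scoped to this application's
              path, so a request to /oranges/ never carries the apples session
              IDs and the fixation check there cannot replace them --->
        <cfcookie name="CFID" value="#session.cfid#" path="/apples/" httponly="true">
        <cfcookie name="CFTOKEN" value="#session.cftoken#" path="/apples/" httponly="true">
    </cffunction>
</cfcomponent>
```

Because the cookies are only written in onSessionStart, an attacker-supplied CFID/CFTOKEN that fails the fixation check still results in a fresh session and fresh cookies, exactly as before; only the path scoping changes.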
How can I further protect myself from session fixation?
This patch doesn't fully protect you from session fixation attacks. You really should rotate session IDs after a successful login, and terminate the session on logout. You can do this with two new functions on ColdFusion 10,