CFLogin Security Considerations
By Pete Freitag
If you use the
cflogin tag to manage authentication you should consider setting
loginstorage="session" in your
Application.cfm file for better security.
"cookie", when you use this storage a cookie is created called
app_name is the name of your ColdFusion application. The contents of this cookie will be a base64 encoded string of the following:
So the actual value of the above would be:
Now as you know Base64 is not encryption, it is an encoding that is reversible. That means that the password that you give to the
cfloginuser tag is sent in plain text on every request that isn't over SSL.
Now many people actually set the password attribute to
cflogin to be an empty string, or the same value for every user. I have seen some security professionals even recommend this (the reasoning being that you don't want the actual password in memory).
Let me explain why it is a bad practice to set the same
cfloginuser password for every user. Suppose you have the following code:
<cfloginuser name="#cflogin.name#" password="" roles="administrator">
Now suppose I want to login as the user
admin, and your application name is
app_name, I simply need to set the following cookie in my browser:
When you have
loginstorage="session" the cookie you just set will be ignored (tested on CF8). A session variable called
CFAUTHORIZATION_app_name is used instead, and there should be no way to manipulate the value remotely.
So if you want to continue using
loginstorage="cookie" you should use the following guidelines:
- Make sure the password value of
cfloginuser, is not the actual password
- Make sure the password value is different for each user and not predictable. A good practice may be to use a salted hash of the actual password.
Considerations for Clustered Servers
If you are on a clustered environment you need to use sticky sessions, or session replication in order for
loginstorage="session" to work without requiring the user to re authenticate.
CFLogin Security Considerations was first published on December 10, 2009.
If you like reading about coldfusion, security, cflogin, cfloginuser, cookies, or sessions then you might also like:
- Client Variable Cookie CFGLOBALS Includes Session Ids
- J2EE Session Cookies on ColdFusion / JRun
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.