Solved

How To Secure Cookies CFID and CFTOKEN?

Posted on 2007-12-06
Last Modified: 2013-12-24
I have a web site running on an MX7 server with IIS.  It is an SSL only site and going to the site url forwards you to SSL mode.  The site is being security tested by some firm in Japan and the only thing that they say is a security risk is that my cookies are not secure.  They say to set the secure flag when creating cookies.  The cookies that they describe are CFID and CFTOKEN which I believe are created automatically within the application framework.  Anybody have any hints on how to make these secure?
Question by:EricHoma
12 Comments
 
LVL 18

Accepted Solution

by:
Plucka earned 500 total points
ID: 20424900
I believe that cookies are secure when used under SSL automatically.

Author Comment

by:EricHoma
ID: 20424962
For some reason they are flagging it.  I wonder if there is any way to test the cookie or look at it on my local machine to see if it is secure.  I would suspect that it might be encrypted.  Let's see if anyone else has a comment on this. Thanks!
LVL 18

Expert Comment

by:Plucka
ID: 20424983
But the thing is, the cookies are only CFID and CFTOKEN they hold no data and are only a reference to a variable set on the server. So I don't see how there is a security issue.

The <CFCOOKIE has the secure setting, which works when putting data in via SSL.
LVL 52

Expert Comment

by:_agx_
ID: 20425143
>  I wonder if there is any way to test the cookie or look at it on my local machine to see if it is secure.

You can test the cookies in Firefox: Tools > Options > Show Cookies.  Check the "Send For" type: is it "Encrypted connections only" or "Any type of connection"?
LVL 52

Expert Comment

by:_agx_
ID: 20425147
> So I don't see how there is a security issue.

Someone could sniff your CFID and CFTOKEN and use it to hijack your session.  

Author Comment

by:EricHoma
ID: 20433102
I also believe that there is no security risk.  The problem is that the security team of a very large Japanese electronics company is running a test with some sort of software that is flagging the cookies as not being secure.
LVL 52

Expert Comment

by:_agx_
ID: 20433126
I strongly suggest you read up on session hijacking.  If the application is not well structured, it can often be a trivial matter to hijack someone else's session. This means you now have access to _all_ of that person's session information.  Imagine if it contained credit card information?

Author Closing Comment

by:EricHoma
ID: 31413310
Thanks for your comments.  It seems that I was creating the session using the application.cfm file before I was forwarding to SSL mode.  I must forward to SSL mode and then create the session.

Expert Comment

by:TFMX
ID: 22222692
I noticed that the "Accepted Solution" for this question suggests that the CFID and CFTOKEN cookies are automatically set to secure when SSL is used.  We are getting the same vulnerability notification from McAfee Secure.  When I tested my website through Firefox as suggested by _agx_, indeed the cookies were marked as not secure.

I have 2 questions:
1) Has anybody found a valid solution for this problem?
2) How do I request that the "Approve Solution" be disapproved since it is incorrect?

Expert Comment

by:TFMX
ID: 22222896
You can reset the CFID and CFTOKEN with the cfcookie tag and set the secure attribute to "YES".  I would prefer to find a solution that is handled by the ColdFusion Application Service automatically, but this is a valid workaround.
<!--- Re-issue the two session cookies that ColdFusion already set, this time
      with secure="Yes", so the browser only sends them over SSL --->
<cfif IsDefined("Cookie.cfID") AND IsDefined("Cookie.cfToken")>
	<cfset Variables.cfID_local = Cookie.cfID>
	<cfset Variables.cfToken_local = Cookie.cfToken>
	<cfcookie name="cfID" value="#Variables.cfID_local#" secure="Yes">
	<cfcookie name="cfToken" value="#Variables.cfToken_local#" secure="Yes">
</cfif>


Expert Comment

by:zeph001
ID: 24293876
This is what I use to keep my cookies secure.

Expert Comment

by:working1008
ID: 24308988
You need to set ALL of your cookies (not just CFID and CFTOKEN) to be secure...

If you are using the APPLICATION.CFC template, then you should put some code in the onSessionStart AND in the onRequestStart.

Basically just call the <cfcookie> tag for each cookie and make sure to set the SECURE attribute to yes.

To secure the JSESSIONID (which is important), make sure to explicitly set it with a <cfcookie> tag and set the value to be SESSION.SESSIONID (since the JSESSIONID value is the same as SESSION.SESSIONID).

I did these things to get my code to pass the IBM Rational AppScan.
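Putting the closing comment (create the session only after forwarding to SSL) together with the two comments above (re-issue CFID, CFTOKEN and JSESSIONID with secure="yes" from onSessionStart and onRequestStart), here is an added example Application.cfc; it is not code from this thread or from any poster. It assumes ColdFusion MX 7 or later on IIS, which sets CGI.SERVER_PORT_SECURE to "1" on SSL requests, and the application name is made up.

```cfml
<!--- Application.cfc (added example, not code from this thread). Assumes
      ColdFusion MX 7 or later on IIS, which sets CGI.SERVER_PORT_SECURE
      to "1" over SSL; the application name is made up. --->
<cfcomponent output="false">
    <cfset this.name = "secureCookieDemo">
    <!--- Enable session management only on SSL requests, so the session
          (and its CFID/CFTOKEN cookies) is never created over plain HTTP;
          the pseudo-constructor runs on every request, so this re-evaluates. --->
    <cfset this.sessionManagement = (cgi.server_port_secure EQ "1")>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Re-issue each session identifier with secure="yes" so the browser
          only sends it over SSL. Omitting the expires attribute makes these
          browser-session cookies, unlike ColdFusion's default persistent
          CFID/CFTOKEN cookies. --->
    <cffunction name="reissueSecureCookies" access="private" returntype="void" output="false">
        <cfif isDefined("session.cfid") AND isDefined("session.cftoken")>
            <cfcookie name="CFID" value="#session.cfid#" secure="yes">
            <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="yes">
        </cfif>
        <!--- JSESSIONID exists only when J2EE session variables are on; in that
              mode its value is SESSION.sessionId, as noted in the thread. --->
        <cfif isDefined("cookie.JSESSIONID") AND isDefined("session.sessionId")>
            <cfcookie name="JSESSIONID" value="#session.sessionId#" secure="yes">
        </cfif>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Plain-HTTP hit: redirect to SSL before any session work. --->
        <cfif cgi.server_port_secure NEQ "1">
            <cflocation url="https://#cgi.server_name##arguments.targetPage#" addtoken="false">
        </cfif>
        <cfset reissueSecureCookies()>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset reissueSecureCookies()>
    </cffunction>
</cfcomponent>
```

After deploying, repeat the Firefox "Send For" check from earlier in the thread: CFID, CFTOKEN and (if present) JSESSIONID should all show "Encrypted connections only".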