
CF Sessions for login?

overcolor asked:
I'm currently using cookies to track my logged-in users, but now I want to start using the cffileupload feature and I just found out that you can't pass cookies with it. Which is fine, because it seems like I should have been using sessions instead of cookies for security anyway (I think). But I have no idea how to set sessions up for login and how to pass them to other pages. Can someone please guide me in the right direction or tell me how to do this?

Really, all you need to do is

<cfset session.whatever = "a value">

this could be

session.userid
session.accesslevel
session.firstname

or all of the above. You can see what's in the session scope with a <cfdump var="#session#">.

Session state is maintained automatically by CF.

For best security, use jsessionid: http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html


Author commented:

Sidfish,

How do I call on the session? I know with cookies they are sitting on the user's computer. How will ColdFusion know which session goes with whom? I read that link but I'm still lost on how to call on the session. But if I'm being dumb here just let me know and I'll stop myself and try to rethink. ;)

"How will ColdFusion know which session goes with whom" - That's its job :) You don't need to worry about managing the session other than to set values.

When a user first hits a .cfm page, CF sets a name/value pair

JSESSIONID=f03010e3214b683b398057647a68471d713d


This is the unique identifier used to identify that browser amongst all visitors to the site.

When you set a session value like session.userid, CF basically looks up the userid value you set that's associated with the jsessionid.

Not to confuse the issue, but the jsessionid or the cfid/cftoken values are maintained by a session cookie stored on the user's machine. However, that is the only value that is stored locally. All others just use that value to look up against values set on the server.

Author commented:

So just to make sure I understand, sessions are just like cookies but stored on the machine. CF sets the unique JSESSIONID for me (that I don't need to worry about). Are these more secure than cookies?
And as for "call on the session", it's as I posted: you just need to make sure session management is enabled

in Application.cfc

<cfset this.sessionManagement = true>


or in Application.cfm

<cfapplication  name="myApp"
               sessionmanagement="yes">




Most Valuable Expert 2015 commented:

(no points ... small note)

If you're using cf 9.0.0, you need to pass the #session.urltoken# in the URL.
<cffileupload url="yourPage.cfm?#urlEncodedFormat(session.urltoken)#" ...>

CF didn't start passing session info automatically until CF 9.0.1. See comments and notes here:

In ColdFusion 9.0.1, the fileupload control passes the session information implicitly to the target page if session management is turned on either in Application.cfc or Application.cfm.
CF sets session ids as a cookie (or 2, depending on whether you use CFID/CFTOKEN, which is the default, or jsessionid, which you enable in the admin as per the link I posted).

Sessions operate similarly to cookies but aren't "just like" them... specifically, they don't get stored client side. A good way to think of this is that sessions are single use - I visit a bank, log in and carry my login creds through the banking process. Once my browser is closed or I've logged out there's no information remaining. Cookies are for saving things that persist over several visits, like shopping cart favourites or other tracking information. They live on the client machine, which makes them more vulnerable.
(that's a valid -FOR- points note agx - still on 8 here and that is kind of key to the question)

Author commented:

Agx, I'm using 9.0.1, thank you.

Ok, I think this should be my last set of questions.

Why does CF ask for a "name" when setting
<cfapplication  name="myApp"
               sessionmanagement="yes">
Does it need to be called on?

If I have many users logging in at the same time, can someone hack in and pull all the users using that application name?

I got the session to work, I'm just asking those last questions to make sure I'm not setting myself up for other problems.
The name is CF's way of keeping multiple applications separate (in memory) on a server that has multiple Application.cfm or .cfc files.


Here's a good explanation why, and a good practice if you have multiple sites (or are on a shared host):

http://www.bennadel.com/blog/1845-Making-Sure-Your-ColdFusion-Applications-Are-Uniquely-Named.htm
Most Valuable Expert 2015 commented:
> can some hack in and pull all the users using that application name?

Technically, yes. The application scope is deliberately shared so it's certainly possible to access it from outside the application itself.

http://cookbooks.adobe.com/post_Java_Objects_Integration-17891.html
http://jochem.vandieten.net/tag/application-scope/
Most Valuable Expert 2015 commented:
Hit return too soon ...

> Technically, yes.

BUT .. it all depends on the server's security. Most shared hosts enable sandboxing to limit access to objects like that.

Author commented:

Thank you guys... Big HELP
That's precisely why it's a good idea to obscure your name with a hash() (and it really is a security essential on a shared host).

However, on your own server, this isn't really a risk. The application scope can't be "hacked" by a user, you need to have access to cfm files to do it.

The scenario where it's an issue is this:

I know that ABCStore is hosted by someCheapHost.com.
I set up an account on the host and start passing names to Application.cf*.
I guess that ABCStore's application name is "ABCStore" and set mine to that as well.
I run <cfdump var="#application#">.
Voila, ABCStore's application variables. These may or may not be sensitive depending on how you write your application, but even if they don't contain specific sensitive info like a session variable would, they could be a starting point for further hacks. i.e.: application.dsn is very common, and knowing your datasource name is quite a juicy piece of intel.
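Putting the thread's advice together as one added example (this is not code from any poster in the thread): an Application.cfc that hashes its name along the lines of the Ben Nadel post linked above, enables session management, and gates a protected folder on a session flag, plus a login fragment that sets the session values. userIsValid() and getUserId() are hypothetical helpers standing in for your own credential check; the salt string is a constructed placeholder.

```cfml
<!--- Application.cfc (added example). The name is hashed so another tenant on a
      shared host cannot guess it and dump this app's application scope. --->
<cfcomponent output="false">
    <!--- Mixing a private string with the physical path makes the name unique
          per deployment; hash() is CF's built-in MD5 by default. --->
    <cfset this.name = "myApp_" & hash("CONSTRUCTED-PRIVATE-SALT-" & getCurrentTemplatePath())>
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Nothing beyond the session id cookie is kept client side. --->
    <cfset this.clientManagement = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Every new session starts logged out. --->
        <cfset session.loggedIn = false>
        <cfset session.userid = 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Anything under /secure/ requires a logged-in session;
              login.cfm itself lives outside that folder, so no redirect loop. --->
        <cfif findNoCase("/secure/", arguments.targetPage) AND NOT session.loggedIn>
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- login.cfm (fragment, added example): runs after the form is posted.
      Only the JSESSIONID (or CFID/CFTOKEN) cookie reaches the browser; userid
      and loggedIn live on the server, keyed by that id. userIsValid() and
      getUserId() are hypothetical helpers for your own credential check. --->
<cfif structKeyExists(form, "username") AND userIsValid(form.username, form.password)>
    <cfset session.loggedIn = true>
    <cfset session.userid = getUserId(form.username)>
    <cflocation url="/secure/home.cfm" addtoken="false">
</cfif>
```

On CF 9.0.0 the cffileupload target page still needs #urlEncodedFormat(session.urltoken)# appended to its url attribute, as agx notes above; from 9.0.1 the control passes the session id on its own once sessionManagement is on.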



Most Valuable Expert 2015 commented:
> The scenario where it's an issue is this

Yeah, that's the more common avenue of attack. However, if a host doesn't lock down access to Java controls, through CF or JSP, it's possible to get it even without the name. But admittedly that kind of sophisticated attack is less common.

> I know that ABCStore is hosted by someCheapHost.com

Wait .. didn't they recently go out of the CF business ? (Thank goodness) ;-)

Ya, and the admin API (especially the undocumented features) is a wonderful and scary thing.

I probably should have used a different example name since ABCStore is an actual place on damn near every street corner in Hawaii. More than Starbucks & McD's combined.

Author commented:

Funny. But I own my own server and don't host any sites that aren't created by me.. So please tell me I am good.. or is there something in CF admin I need to look at?
It's just good to know the risks (and know whether they are an issue or not).

If you control the server, you're good to go.

Most Valuable Expert 2015 commented:

Exactly. Agreed.

Author commented:

Thank you again