On IE 11/Edge session cookies not secure and doesn't work.


Kolbenschlag, Clemens
Jun 8, 2016, 4:55:22 AM
to lu...@googlegroups.com, Schmitz, Christoph

Hi @all

I have a big session problem with IE (11 & Edge) and Lucee 4.5.3.018, where I need your help urgently.

Following situation. If I set in Application.cfc:

THIS.setClientCookies = false;

onSessionStart {
      <cfcookie name="cfid"        domain="#sCookieDomain#" httpOnly="#arguments.httponly#" path="#arguments.path#" secure="#arguments.secure#" value="#session.cfid#">
      <cfcookie name="cftoken"     domain="#sCookieDomain#" httpOnly="#arguments.httponly#" path="#arguments.path#" secure="#arguments.secure#" value="#session.cftoken#">
}

Do not look for cfscript syntax, my example should only show you where I set it. I always use TAG syntax.

Now, I would believe that cookies are set until the session gets a timeout. Right? Not right?

But on the next .cfm page the cookies are missing and the session data is gone.

With Firefox it works perfectly.

That is a major bug in IE, isn't it?

As a workaround I set THIS.setClientCookies=true and then the session will stay alive. BUT it is not set to httponly, path and secure. NO SECURITY - So no way for our customers! They will check it.

So you see my problem. Any ideas? How do I get secure cfid & cftoken in IE 11/Edge?

Sers

Clemens


Denard Springle
Jun 8, 2016, 10:30:22 AM
to Lucee, sch...@media-solutions.de

Hmmm... typically you'd want to set cfid/cftoken in the onRequestStart() method, not onSessionStart()... so I'd start by moving to onRequestStart() and seeing if that solves the problem for you.

Second to that, script syntax for cookies is pretty straightforward:

getPageContext().getResponse().addHeader("Set-Cookie", "cfid=#session.cfid#;path=/;domain=.#CGI.HTTP_HOST#;HTTPOnly;Secure");

Third, and this is more my preference from years of getting burned by cfid/cftoken/cflogin, etc. logic... you should roll your own session management so you have greater control over sessions and provide a less common attack vector for hackers. I have an example of this using fw/1 on GitHub (https://github.com/ddspringle/framework-one-secure-auth). If you're not using fw/1 then you can still glean the basics of the process by looking at the security.cfc controller under /admin (https://github.com/ddspringle/framework-one-secure-auth/blob/master/admin/controllers/security.cfc) which could be placed inside onRequestStart() in Application.cfc instead of using fw/1 to run it for you. 

Anyway, try moving your logic to onRequestStart() and test again. I'm, frankly, a bit surprised that Lucee is forgiving enough to allow TAG syntax inside of script... but then I gave up using tags in all but views so long ago it never occurred to me to even try it ;)

Hope that helps!

-- Denny

Kolbenschlag, Clemens
Jun 8, 2016, 11:40:17 AM
to lu...@googlegroups.com, Schmitz, Christoph

Hi, thanks for the answer.

With the following syntax, which is yours in tag syntax, it works. For the moment … Tomorrow I will do the same checks, cross-checks, re-checks and double-checks ;-)

<cfheader name="Set-Cookie" value="CFID=#sCFID#;path=#sPath#;#sHTTPOnly#;#sSecure#">

<cfheader name="Set-Cookie" value="CFTOKEN=#sCFTOKEN#;path=#sPath#;#sHTTPOnly#;#sSecure#">

And no, I do not use tag syntax in a cfscript block. It was just easier to write in the mail :)

I am not sure about, or rather don't see the benefit of, using it in onRequestStart(), when the session and cookie are produced in onSessionStart().

But I was surprised by the different COOKIE displays in IE (F12) and Firefox (F12 with Firebug). Maybe the fault is in my understanding.

Sers

Clemens

--
Win a ticket to dev.objective from Lucee via Twitter, see http://bit.ly/1UbTMWj for details, good luck and see you there...
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/937cf172-c1a2-4dab-9091-b7f2874bf568%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Julian Halliwell
Jun 8, 2016, 12:20:40 PM
to lu...@googlegroups.com

Hi Denny

You can't use tags per se in script (rightly so), but this will work
in Lucee and is IMO even simpler:

cookie name="cfid" value=session.cfid domain=cgi.http_host path="/"
secure="true" httpOnly="true";

Cheers
Julian.

On 8 June 2016 at 15:30, Denard Springle <denard....@gmail.com> wrote:
> Second to that, script syntax for cookies is pretty straightforward:
>
> getPageContext().getResponse().addHeader("Set-Cookie",
> "cfid=#session.cfid#;path=/;domain=.#CGI.HTTP_HOST#;HTTPOnly;Secure");

Sean Daniels
Jun 8, 2016, 2:00:02 PM
to lu...@googlegroups.com

Clemens, as was mentioned on the Slack channel, have you ruled out the case sensitivity in IE's cookies as the root cause? I noticed in your first email you were setting the cookies with cfcookie and using "cfid" and "cftoken" with no luck, but in your latest example you are setting the cookies as "CFID" and "CFTOKEN".

I guess it's good you got it working, but I'm still suspicious that maybe your IE had some uppercase cookies set and this was what was causing problems with your cfcookie version. Maybe for kicks try:

<cfcookie name="CFID" domain="#sCookieDomain#" httpOnly="#arguments.httponly#" path="#arguments.path#" secure="#arguments.secure#" value="#session.cfid#">
<cfcookie name="CFTOKEN" domain="#sCookieDomain#" httpOnly="#arguments.httponly#" path="#arguments.path#" secure="#arguments.secure#" value="#session.cftoken#">

Pete Freitag
Jun 8, 2016, 2:37:02 PM
to lu...@googlegroups.com

On Wed, Jun 8, 2016 at 4:55 AM, Kolbenschlag, Clemens <kolben...@media-solutions.de> wrote:

> As workaround I set THIS.setClientCookies=true and then session will stay alive. BUT it is not set to httponly, path and secure. NO SECURITY - So no way for our customers! They will check it.


FYI ACF10+ has settings that let you toggle the httponly and secure flags for session cookies in Application.cfc, so you would just do:

this.sessionCookie.httpOnly = true;
this.sessionCookie.secure = true;

There is a ticket open to add these settings to Lucee: https://luceeserver.atlassian.net/browse/LDEV-809 please vote for it.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner


Denard Springle
Jun 8, 2016, 9:34:23 PM
to Lucee, sch...@media-solutions.de

> I am not sure, or better see the benefit, to use it in onRequestStart(), when session and cookie is produced onSessionStart().


I honestly can't remember why I started putting it in onRequestStart() instead of onSessionStart()... likely just something I've carried with me from the old days when I ran into a browser/engine issue that I've never really given any more thought to. It should actually work in onSessionStart(), so it might have been the capitalization as Sean notes. I'd give it a try again in onSessionStart() with capitalization - and if it doesn't work, fall back to onRequestStart() instead. Meanwhile, I'm going to have to play with setting those again to see if I'm just mistaken... a quick search shows people recommending putting it in both places in various blog posts, etc. so... hmm. Do let me know if it works in onSessionStart() for ya ;)

-- Denny

Denard Springle
Jun 8, 2016, 9:38:09 PM
to Lucee, pe...@foundeo.com

Voted :)

Denard Springle
Jun 8, 2016, 9:40:34 PM
to Lucee

Yeah... I ran into an issue with that syntax somewhere along the way... sadly I can't remember what it was now, or which engine it was, but that started me down the path of using the pageContext() bits and I've just stuck with it :)

That's two things I need to recheck I suppose :)

Thanks for bringing it up though :)

Kolbenschlag, Clemens
Jun 9, 2016, 2:31:18 AM
to lu...@googlegroups.com

I've tried it with uppercase and lowercase. Doesn't matter. With TAG syntax it will always be written in uppercase. But setClientCookies=true sets lowercase cookies. That's true and may be a part of the problem.



-----Original Message-----
From: lu...@googlegroups.com [mailto:lu...@googlegroups.com] On behalf of Sean Daniels
Sent: Wednesday, 8 June 2016 20:00
To: lu...@googlegroups.com
Subject: Re: [Lucee] On IE 11/Edge session cookies not secure and doesn't work.

Kolbenschlag, Clemens
Jun 9, 2016, 2:33:43 AM
to lu...@googlegroups.com

I've voted too… it would be a help and we could use the built-in syntax again.

From: lu...@googlegroups.com [mailto:lu...@googlegroups.com] On behalf of Denard Springle
Sent: Thursday, 9 June 2016 03:38
To: Lucee
Cc: pe...@foundeo.com
Subject: Re: [Lucee] On IE 11/Edge session cookies not secure and doesn't work.

> Voted :)


Alastair Young
Jan 4, 2017, 11:05:44 AM
to Lucee

Hi Clemens,

Did you get to the bottom of this issue? I appear to have the same problem and it's driving me nuts. IE (11&Edge) and Lucee 4.5.3.018 on IIS.

The annoying factor is that this is only happening on a "new" site on the same single server (no load balancing etc). The code base for session management is exactly the same. One thing I've noticed is that on a "proper browser" (Chrome / Firefox) when a session is established I see cftoken cfid, jsessionid and sessionid cookies being sent to the browser. On IE/Edge only cftoken and cfid get created and they don't appear to be sufficient to maintain the session connection.

Any ideas??

Thanks

Alastair Young
Jan 6, 2017, 6:07:45 AM
to Lucee

Just in case any other poor sap stumbles on this issue. Turns out that an underscore ("_") isn't valid in any part of the host name. Just to be helpfully consistent, IE & Edge will render it, but won't set the cookie, and don't complain about it either.


cheers
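As an added example (not code from this thread, from Lucee, or from any of the posters), here is a small Python audit that checks, from the defender's side, the three things the thread circles around: whether each Set-Cookie header a response emits carries Secure, HttpOnly and a Path on session cookies (the flags Clemens's cfheader lines and Pete's sessionCookie settings set), whether a response sets the same cookie name in two spellings that differ only in case (Sean's CFID/cfid point; browsers store those as two distinct cookies), and whether a Domain attribute contains a label that is not a valid host-name label, such as one with an underscore (the host-name problem Alastair ran into). The set of cookie names treated as session cookies, the sample headers, and the label rule (letters, digits and hyphens only, per DNS host-name conventions) are assumptions of the example.

```python
import re

# Cookie names treated as session identifiers for this audit (assumption:
# CFML engines use cfid/cftoken, servlet containers use jsessionid).
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid", "sessionid"}

# A host-name label: letters, digits and hyphens only, no leading or trailing
# hyphen, at most 63 characters. An underscore never matches.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_valid_cookie_domain(domain):
    """True if every label of the Domain attribute is a valid host-name label."""
    host = domain.lstrip(".")  # a leading dot is tolerated by browsers
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.split("."))


def audit_set_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if cookie["name"].lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if not attrs.get("path"):
            findings.append("missing Path")
    if "domain" in attrs and not is_valid_cookie_domain(attrs["domain"]):
        findings.append(f"invalid Domain {attrs['domain']!r}")
    return cookie["name"], findings


def audit_response_headers(set_cookie_headers):
    """Audit all Set-Cookie headers of one response.

    Besides the per-cookie checks, reports cookie names that differ only in
    case (CFID vs cfid): the browser keeps both, so the engine may end up
    reading the one that was set without the flags.
    """
    report = {}
    for header in set_cookie_headers:
        name, findings = audit_set_cookie(header)
        report.setdefault(name, []).extend(findings)
    by_lower = {}
    for name in report:
        by_lower.setdefault(name.lower(), []).append(name)
    for variants in by_lower.values():
        if len(variants) > 1:
            for name in variants:
                others = ", ".join(v for v in variants if v != name)
                report[name].append(f"name differs only in case from {others}")
    return report


# Constructed sample response: two cfheader-style cookies with flags, the
# flagless lowercase cookie an engine emits with setClientCookies=true, and a
# cookie scoped to a host name that contains an underscore.
SAMPLE_SET_COOKIE = [
    "CFID=1234;path=/;HttpOnly;Secure",
    "CFTOKEN=abcd;path=/;HttpOnly;Secure",
    "cfid=1234;path=/",
    "sessionid=zzz;path=/;domain=my_host.example;HttpOnly;Secure",
]

if __name__ == "__main__":
    for name, findings in audit_response_headers(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the Set-Cookie values captured from a real response (for example from the browser's F12 network tab, or from a proxy log) and every session cookie that lacks a flag, every case-variant duplicate and every Domain with an underscore shows up as a finding; a response that passes cleanly is one where the browser has no reason to drop the cookie and the cookie carries the flags the customer's scanner will look for.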