cftoken is always zero?


M F

Dec 22, 2016, 5:16:18 PM
to Lucee
Porting an app over from ACF to Lucee 5, and noticed that cftoken is always "0" (Zero).  Is this normal/expected behavior?  The combination of cfid and cftoken would normally make a session harder to hijack, wouldn't it?

Andrew Dixon

Dec 22, 2016, 5:32:45 PM
to lu...@googlegroups.com
cftoken is always 0 in Lucee as it was in Railo before it. Not sure about making it harder, as both are stored in a cookie and/or passed in the URL. If the connection is not over SSL then an attacker can potentially see both in clear text, and then they have both, so it doesn't really make anything harder.

I think in ACF that the CFID was (maybe still is) a sequential number so the cftoken was there to make it harder (maybe) to guess but in Lucee this is not the case, the ID is much more random.

Kind regards,

Andrew

On 22 December 2016 at 22:16, M F <advan...@gmail.com> wrote:
Porting an app over from ACF to Lucee 5, and noticed that cftoken is always "0" (Zero).  Is this normal/expected behavior?  The combination of cfid and cftoken would normally make a session harder to hijack, wouldn't it?

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/adbb8af2-c4ba-4fda-abbc-fa46c2fb2ab9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Denard Springle

Dec 23, 2016, 6:21:07 AM
to Lucee
To elaborate on what Andrew said...

In ACF, yes, it (still) does use the combination of cfid and cftoken for sessions; however, as Andrew noted, the fact that these are available in cookies (or, if programmed poorly, the URL), SSL or not, doesn't make how ACF handles session cookies any more secure. Frankly, cfid could be removed from both engines as far as I'm concerned - it adds nothing to security and is only present in Lucee for ACF compatibility. That said, I believe Lucee still uses cftoken for session generation, it's just always zero.

Now, how to make sessions more secure is another matter entirely, and one recommendation is to rotate your sessions on every request (thus the cfid cookie value changes on every request; see: http://cfdocs.org/sessionrotate), use CSRF functions on forms (with a random key and forcing a new token; see: http://cfdocs.org/csrfgeneratetoken and http://cfdocs.org/csrfverifytoken), etc., etc.

More robust session management can be done using your own cookies in a hybrid way with cfid - your cookie maintains the authorization state while cfid maintains the session scope (and the authorization state uses the session scope; see: http://cfdocs.org/security - scroll down to 'Code Security' and follow the links).

Just a couple observations/pointers about sessions and session management in CFML. HTH!

-- Denny
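A concrete version of the first two recommendations in the post above (rotate the session id when privilege changes, and verify a CSRF token on every form post), written as an added CFScript example. This is not code from the thread or from Lucee/ACF: the application name, the `authenticateUser()` helper, the form field names and the `formKey` CSRF key are all assumptions, and the file boundaries are marked in comments.

```cfml
// ---- Application.cfc ----
// Added example (not from the thread or from Lucee/ACF). Assumes a login form that
// posts "username", "password" and "csrfToken", and a hypothetical authenticateUser()
// that returns a user id, or 0 on failure.
component {
    this.name = "sessionHardeningDemo";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    // The cfid/cftoken cookie is the bearer token for the session: keep it out of
    // reach of page script and off cleartext connections.
    this.sessionCookie = { httpOnly: true, secure: true };

    public boolean function onRequestStart(required string targetPage) {
        // Reject any state-changing request whose CSRF token is missing or stale.
        if (cgi.request_method == "POST") {
            var submitted = structKeyExists(form, "csrfToken") ? form.csrfToken : "";
            if (!csrfVerifyToken(submitted, "formKey")) {
                cfheader(statusCode = 403, statusText = "Forbidden");
                writeOutput("Invalid or expired CSRF token");
                return false;   // stop processing the target page
            }
        }
        return true;
    }
}

// ---- login.cfm (cfscript) ----
if (cgi.request_method == "POST") {
    // Hypothetical helper: checks the credentials against your user store.
    userId = authenticateUser(form.username, form.password);
    if (userId > 0) {
        // New cfid on privilege change: an id captured before login is now worthless.
        sessionRotate();
        session.auth = { userId: userId, loggedInAt: now() };
        location(url = "/home.cfm", addToken = false);
    }
    writeOutput("Login failed");
} else {
    // forceNew=true issues a fresh token on every render, so a leaked token is
    // only usable until the next page load.
    writeOutput('
        <form method="post" action="login.cfm">
            <input type="text" name="username">
            <input type="password" name="password">
            <input type="hidden" name="csrfToken"
                   value="#encodeForHTMLAttribute(csrfGenerateToken("formKey", true))#">
            <button type="submit">Log in</button>
        </form>
    ');
}

// ---- logout.cfm (cfscript) ----
// Drop the whole session rather than just clearing session.auth.
sessionInvalidate();
location(url = "/login.cfm", addToken = false);
```

Two caveats when trying this: with `secure: true` the session cookie is never set over plain `http://`, so a localhost test without TLS will appear to lose its session on every request; and `forceNew = true` invalidates the previous token on each render, which breaks a form left open in a second tab. If that matters, generate the token once per session (`forceNew = false`) and accept the longer token lifetime.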

Denard Springle

Dec 23, 2016, 6:25:45 AM
to Lucee
Edit: Frankly, cftoken could be removed from both engines [...]

Sorry, I haven't finished my first cup of coffee yet :P

M F

Dec 23, 2016, 6:48:25 AM
to Lucee
Thanks very much Andrew. I didn't jump from ACF until Lucee, so I never got to experience Railo, and yep, I get why cftoken really doesn't matter here.
