
Security, CFID & CFTOKEN


KN

Dec 22, 2003, 1:33:20 PM12/22/03
What is the best way to prevent someone from being able to sniff the ID and token and use them to log on as another user? We've always passed them in the URL because it was important to manage state across servers. Is there a better way to handle this, and what other alternatives could be incorporated to prevent someone from piggybacking in this way?


johnab

Jan 1, 2004, 2:23:30 PM1/1/04
What about using a DB table storing the CFID and CFTOKEN along with the IP address? That way, for any logon session you know the IP address the requests should be coming from. Once a user logs out you clear the DB entry. If anyone tries to hijack a logged-in session then you'd have a duplicate CFID and CFTOKEN with a different IP, so you can send the hijacker to an error page.

Just throwing ideas around...

John B.
Internet Architect
ERA Technology Ltd, UK.

Sarge

Jan 18, 2004, 11:15:37 PM1/18/04
The only problem with tracking IPs is users coming through proxy servers (the classic AOL issue): they will all have the same IP address, so effectively you're back to square one. Now, are cookies an issue? If not, you can use per-session cookies for CFID & CFTOKEN values; see URL #1. You can also enable UUID CFTOKEN values to strengthen the default session ID (CFID & CFTOKEN); see URL #2. In CFMX you can enable J2EE sessions, which create the JSESSIONID as a per-session cookie.

Sarge
Senior Product Support Engineer
Macromedia Inc.
ssar...@macromedia.com

Please post responses directly to the forums so that everyone can benefit.

Referring URLs
http://www.macromedia.com/support/coldfusion/ts/documents/tn17915.htm
http://www.macromedia.com/support/coldfusion/ts/documents/tn18133.htm
http://www.macromedia.com/support/coldfusion/ts/documents/tn17255.htm
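As an added example that is not part of the thread: a small Python model of John's proposal, a table binding each logged-on CFID/CFTOKEN pair to the IP it was issued to, plus the per-request check, which also shows Sarge's caveat that clients sharing one proxy IP cannot be told apart. The table, IP addresses and CFID/CFTOKEN values are constructed for the demonstration.

```python
# Added example (not from the thread): John's IP-bound session table and the
# check a server would run on each request; scenario 2 is Sarge's proxy caveat.
# All session rows, IP addresses and CFID/CFTOKEN values below are constructed.
from dataclasses import dataclass


@dataclass
class Session:
    cfid: str
    cftoken: str
    ip: str  # client address recorded at logon

# In-memory stand-in for the DB table John describes, one row per logon.
# Keyed by (CFID, CFTOKEN) so the same pair arriving from another IP stands out.
SESSIONS = {}

def logon(cfid: str, cftoken: str, ip: str) -> None:
    """Record the session identifier together with the IP it was issued to."""
    SESSIONS[(cfid, cftoken)] = Session(cfid, cftoken, ip)

def logoff(cfid: str, cftoken: str) -> None:
    """Clear the row once the user logs out, so a replayed pair is unknown."""
    SESSIONS.pop((cfid, cftoken), None)

def check_request(cfid: str, cftoken: str, ip: str) -> str:
    """Return 'ok', 'unknown' (no live session) or 'hijack' (IP mismatch)."""
    row = SESSIONS.get((cfid, cftoken))
    if row is None:
        return "unknown"
    return "ok" if row.ip == ip else "hijack"

def demo() -> dict:
    """Run the constructed scenarios and return the outcome of each request."""
    # Scenario 1: a user logs on from her own address; the same CFID/CFTOKEN
    # (read from a sniffed URL) later arrives from a different address.
    logon("1021", "55812763", "198.51.100.10")
    direct = check_request("1021", "55812763", "203.0.113.7")
    # Scenario 2: victim and hijacker both sit behind one proxy, so every
    # request carries the proxy's IP and the IP check cannot separate them.
    logon("1022", "55812764", "192.0.2.1")
    via_proxy = check_request("1022", "55812764", "192.0.2.1")
    # After logout the row is gone, so a replayed pair is simply unknown.
    logoff("1021", "55812763")
    after_logoff = check_request("1021", "55812763", "198.51.100.10")
    return {"direct": direct, "via_proxy": via_proxy, "after_logoff": after_logoff}
```

Scenario 2 is why Sarge's per-session cookie and UUID-token advice matters: the IP column only detects a hijacker who does not share the victim's egress address.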

