Tuesday, January 19, 2010

Session Fixation issue in ColdFusion

Most web applications that use cookies to persist sessions are prone to a session fixation security flaw.
The Open Web Application Security Project (OWASP) defines session fixation as:

Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Session fixation vulnerabilities occur when:
  1. A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user.
  2. An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session. 

To resolve this in ColdFusion, you could take the following steps:

index.cfm posts the login credentials to checkLogin.cfm. On that page I expire the existing jsessionid cookie, and then make a cfhttp call to verify.cfm, passing the login credentials along with it. verify.cfm authenticates the user and sets the session variables for the user. Once checkLogin.cfm gets the response back, I parse the jsessionid out of the response's cookie header and set a new jsessionid cookie on the checkLogin.cfm page.
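Here is what checkLogin.cfm looks like when those steps are written out. This is an added example rather than the code from the original post; it assumes the login form posts fields named `username` and `password`, that `verify.cfm` sets the session variables and returns the text `OK` on success, and that `verify.cfm` is only reachable from the server itself (otherwise anyone could call it directly).

```cfml
<!--- checkLogin.cfm (added example, not the original post's code) --->

<!--- 1. Expire the jsessionid the browser arrived with, so a value planted
      before login is never carried over into the authenticated session. --->
<cfcookie name="jsessionid" value="" expires="now">

<!--- 2. Authenticate from the server side. This request carries no cookie,
      so ColdFusion starts a brand-new session for it; verify.cfm (assumed
      to be reachable only from the server) sets the session variables. --->
<cfhttp url="http://#cgi.server_name#/verify.cfm" method="post"
        result="verifyResponse" redirect="false">
    <cfhttpparam type="formfield" name="username" value="#form.username#">
    <cfhttpparam type="formfield" name="password" value="#form.password#">
</cfhttp>

<!--- 3. Pull the freshly issued jsessionid out of the Set-Cookie header.
      When the reply carries several cookies, ColdFusion returns a struct of
      numbered keys rather than a single string, so flatten it first. --->
<cfset setCookieHeader = verifyResponse.responseHeader["Set-Cookie"]>
<cfset headerText = "">
<cfif isStruct(setCookieHeader)>
    <cfloop collection="#setCookieHeader#" item="key">
        <cfset headerText = headerText & setCookieHeader[key] & ";">
    </cfloop>
<cfelse>
    <cfset headerText = setCookieHeader>
</cfif>
<cfset matches = reMatchNoCase("jsessionid=[^;]+", headerText)>

<!--- Refuse to issue any cookie unless verify.cfm actually authenticated
      the user and handed back a session ID. --->
<cfif verifyResponse.statusCode does not contain "200"
      or trim(verifyResponse.fileContent) neq "OK"
      or arrayLen(matches) eq 0>
    <cflocation url="index.cfm?error=login" addtoken="false">
</cfif>

<!--- 4. Give the browser the session that verify.cfm authenticated. The old,
      possibly attacker-chosen ID was expired in step 1 and never reused. --->
<cfset newSessionId = listLast(matches[1], "=")>
<cfcookie name="jsessionid" value="#newSessionId#" httponly="true">
<cflocation url="home.cfm" addtoken="false">
```

The `httponly` attribute on cfcookie requires ColdFusion 9 or later; on older versions drop it and rely on the rest of the flow.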

We can also wrap the logic in onSessionStart().

Also see this post by Jason Dean on the same issue.

If anyone has had any other approach to this, I would love to hear from you.