Securing CFID, CFToken and JSessionID cookies

A recent presentation given at DEFCON 16 exposed a seemingly unsuspected vulnerability, common in most SSL-Secured websites. Many large and prominent sites such as GMail, Facebook, Yahoo Mail and others are exposed to this vulnerability simply because they haven't secured their cookies. The presenter dubbed the exploit, HTTPS Cookie Highjacking and loosely described it as,

"It turns out an adversary able to position themselves in between you and a website is able to inject arbitrary http-based content elements for domains that do not set the 'Encrypted Sessions Only' property of their cookies, and thus cause your client to transmit these cookies via clear text, intercept them, and impersonate you."

While it took me a few minutes to really understand what he said (btw I'm still digesting), it got me thinking about how Coldfusion uses cookies for tracking sessions and whether or not they were vulnerable to the same exploit. It turns out that they are. Session cookies produced by Coldfusion to maintain sessions are not 'secure' by default. To validate this, I created a small test harness that uses JavaScript to display cookies. JavaScript will not have the ability to read secure cookies when it's run under normal HTTP as in the case of this site and this example.


Update: Ignore the cookies that start with the underscores, I'm guessing my hosting company sets those because I'm not doing it.

First click on the [Show Cookies] button, this will list out those cookies that are accessible to Javascript from this domain. You will notice that CF produced cookies for cfid and cftoken. By default these are not secure.

Next click on the [Secure the Cookies] button, doing so will make a request to rewrite the cookies, setting the 'secure' attribute to true.

When you hit the [Show Cookies] button again, JavaScript is only able to display the unsecured cookies. If your running Firefox, you can open up the Show Cookies and verify that the are indeed still there, but they secured\encrypted. (Go to 'Tools -> Options -> Privacy Tab -> [Show Cookies], pay close attention to the 'Send For:' attribute when you highlight the cookies. When secured it will say "For Encrypted connections only", when they are un-secure it will read "Any Connection type".)

Before mentioning a fix to make your cookies secure, I want to first mention that CF will reset the users session if you make CFID, CFToken and/or JSessionID cookies secure when running under HTTP, only use this technique if your site is 100% SSL.

Here is the code that I used for this example and subsequently what you can use to re-write your cookies to make them secure.:
<br /> <!--- Toggle Session cookies ---><br /> <cfparam name="url.s" type="string" default="0"><br /> <br /> <!--- ReWrite Session Cookies - use this in your app to rewrite session cookies ---><br /> <cfloop list="cfid,cftoken,jsessionid" index="cookiename"><br />     <cfif structKeyExists( cookie, cookiename )><br />         <br />           <cfcookie name="#cookiename#" <br />                   value="#cookie[cookiename]#" <br />                   secure="#yesNoFormat( val(url.s) )#"><br />     <br />     </cfif><br /> </cfloop><br /> <br /> <!--- set an unsecure cookie to show the user our state ---><br /> <cfcookie name="cookies_are_secure" value="#yesNoFormat( val(url.s) )#" secure="false"><br /> <br /> <!--- Tell the browser that we have nothing to return (using poor mans ajax for the example)  ---><br /> <cfheader statuscode="204" statustext="No Content" /><br /> <br />
Here is the client side (JavaScript) code that I used for the example:
<br /> function showCookies(){<br />     var str = !document.cookie.length ? "No Cookies that I can see." : "";<br />     var cookies = document.cookie.split(";");<br />     for( c in cookies ){<br />         var p = cookies[c].split("=");<br />         str +=  "<b>"+ p[0] +"</b> = "+ decodeURIComponent(p[1]) +"<br>";<br />     }<br />     document.getElementById('box').innerHTML = str;<br /> }<br />  <br /> function togglesecure( issecure ){<br />     document.location.href = "securecookiesexample.cfm?s="+ issecure;<br /> }<br />

• Posted by Spencer Scher on Feb 22, 2009 at 6:07 AM
  
  Hi there,
  
  Has anyone plumbed this into a website (I assume in application.cfm?) to cure failing a PCI compliance test due to...
  
  "The remote web server generates predictable session IDs. Description : The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs"
  
  I tried and failed, though I must be honest I am a bit of a novice! As I have a busy e-commerce site I didn't want to risk breaking application.cfm so put up a test page containing the code above but got an error...
  
  "Error Occurred While Processing Request
  Invalid CFML construct found on line 19 at column 27.
  
  ColdFusion was looking at the following text:
  =
  
  The CFML compiler was processing:
  
  an expression beginning with "structkeyexists", on line 19, column 11.This message is usually caused by a problem in the expressions structure.
  a cfif tag beginning on line 19, column 6.
  a cfif tag beginning on line 19, column 6."
  
  Any help gratefully received - this PCI compliance is a nightmare!
  
  Thanks,
  Spencer
  
  
  
  
• Posted by Justin on Feb 23, 2009 at 3:50 PM
  
  Hi Spencer,
  
  Regarding the hit on your compliance test, I assume that the application scan was referring to the value of CFToken. There is an option in the CF Administrator under the "Server Settings -> Settings" (if you are using CF8) section that lets you use UUIDs for CFToken. We failed on the same thing prior to enabling the feature. If I remember correctly, the default values for CFToken are typically an 8 digit random number.
  
  In regards to the error that your receiving, based on the error message it looks like you might be missing a pound sign or closing bracket somewhere. Can you email me the code that you are trying to run? jalpino AT gmail DOT com
  
  When I re-run the posted code, I don't run into any issues.
  
  
• Posted by masterorb on Apr 07, 2009 at 1:43 AM
  
  Hi Jalpino,
  
  I found this post through 12robots. Seems that you and Jason Dean were talking about how you need to use cfheader to set HTTPOnly and cfcookie to set secure=true . Jason said he was trying to work things with JSESSIONID so it all worked, I think I have a solution, I posted it on his page:
  
  http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121
  
  
  I just wanted to thank you for your help and if you see any holes in that code I would love to know!
  
  
  
  
• Posted by Justin on Apr 07, 2009 at 3:11 PM
  
  @masterorb - thanks for the kind feed back, I'll head over to 12robots and take a look.
  
  
• Posted by Anthony on Sep 30, 2009 at 3:30 PM
  
  You can enable all CF session cookies secure by default by editing the jrun-web.xml file in the /CFROOT/wwwroot/WEB-INF directory. Add the following xml node to the <session-cookie> to look like this:
  
  <session-config>
  <persistence-config>
  <active>false</active>
  </persistence-config>
  <cookie-config>
  <cookie-secure>true</cookie-secure>
  </cookie-config>
  </session-config>
  
  ALL session cookies for from the server will now be set to secure. Note that your app must run entirely under SSL for sessions to work like this. Quick codeless way to get it done if everything runs under SSL.
  
  
  
  
• Posted by Justin on Sep 30, 2009 at 5:26 PM
  
  @Anthony - thanks for tip. I think that editing the config at a server level is a much better approach for securing cookies vs. the programmatic approach I had mentioned. Thanks again!
  
  
• Posted by Sebastiaan on Jan 11, 2010 at 3:03 PM
  
  Has anyone doen this in Railo? Using UUID for CFID and CFTOKEN? And where can you set this?
  
  

 

Leave Feedback

Name

Email

Email will not be displayed

Website

( Optional )

Feedback

Post your feedback, HTML will not be rendered, only plain text.

Security

Answer the math problem below.

=

Subscribe

Receive emails when others submit comments