Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 311

Developing applications
DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications

To use the URLSessionFormat function, enclose the request URL in the function. For example, the following cfform tag posts a request to another page and sends the client identification, if necessary:

<!--- Inside a double-quoted attribute, the string argument must use single quotes --->
<cfform method="Post" action="#URLSessionFormat('MyActionPage.cfm')#">

If you use the same page URL in multiple URLSessionFormat functions, you can gain a small performance improvement and simplify your code if you assign the formatted page URL to a variable, for example:

<!--- The page name is a string and must be quoted --->
<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfform method="Post" action="#myEncodedURL#">

Identifiers that URLSessionFormat appends to a URL appear in browser history, server logs and Referer headers, so rely on cookie-based identification wherever the client permits it.

Client identifiers and security

The following client identifier issues can have security implications:
• Ensuring the uniqueness and complexity of the CFToken identifier
• Limiting the availability of Session identifiers

The next sections discuss these issues.

Ensuring CFToken uniqueness and security

By default, ColdFusion uses an eight-digit random number in the CFToken identifier. This format provides a unique, secure identifier for users under most circumstances. (In ColdFusion, the method for generating this number uses a cryptographic-strength random number generator that is seeded only when the server starts.) Note that an eight-digit token has only 100 million possible values, roughly 27 bits, so its strength rests on being paired with the correct CFID; where a harder-to-guess identifier is needed, use the UUID option described next.

However, in the ColdFusion Administrator, you can use the Settings page to make ColdFusion produce a more complex CFToken identifier. If you enable the Use UUID for cftoken option, ColdFusion creates the CFToken value by prepending a 16-digit random hexadecimal number to a ColdFusion UUID. The resulting CFToken identifier looks similar to the following:

3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9

Providing Session security

ColdFusion uses the same client identifiers for the Client scope and the standard Session scope. Because the CFID and CFToken values are used to identify a client over a period of time, they are normally saved as cookies on the user's browser. These cookies persist until the client's browser deletes them, which can be a considerable length of time. As a result, an attacker could have access to these variables for much longer than if ColdFusion used a different user identifier for each session.

An attacker who has the user's CFID and CFToken cookies could gain access to user data by accessing a web page during the user's session using the stolen CFID and CFToken cookies. The attacker must first obtain the cookie values, for example through a cross-site scripting flaw or by observing traffic on an unencrypted connection; the httpOnly change described below addresses the first of these.

You can reduce this exposure by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFID or the CFToken cookie value. A stolen jsessionid is still usable until that session ends or times out, so this setting shortens the window for session theft rather than eliminating it.

Security-related changes

The following security-related specifications apply when you upgrade to ColdFusion 9 Upgrade 1:
• CFID, CFTOKEN, and jsessionid are marked httpOnly. This reduces the chance of session information being compromised in a Cross Site Scripting (XSS) attack.
• Set the following system property for the session cookies to be httpOnly:
-Dcoldfusion.sessioncookie.httponly=true

A system property of this form is passed to the JVM as a command-line argument (on ColdFusion this means the JVM arguments in jvm.config) and takes effect after the server is restarted. The httpOnly flag only prevents browser script from reading the cookie; it does not protect the cookie in transit, so serve pages that carry session cookies over HTTPS.

Last updated 1/20/2012
306
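The two checks a practitioner would want from the sections above, in one script: it classifies a CFTOKEN value as the default eight-digit format or the "Use UUID for cftoken" format (with a rough randomness estimate), and it audits Set-Cookie headers for the CFID, CFTOKEN and jsessionid cookies to flag a missing httpOnly flag, a missing Secure flag and long-lived (persistent) cookies. This is an added example, not code from the ColdFusion documentation or product; the header lines are constructed, the regular expressions are derived from the formats described on this page, and the entropy figure for the UUID format counts only the 16-hex-digit random prefix (a stated assumption).

```python
"""Audit ColdFusion 9 client-identifier cookies from raw Set-Cookie headers."""
import math
import re

# Names ColdFusion 9 uses for client/session identification cookies
# (CFID/CFTOKEN for ColdFusion sessions, jsessionid for J2EE sessions).
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Default CFToken: an eight-digit decimal number.
DEFAULT_CFTOKEN_RE = re.compile(r"^[0-9]{8}$")

# "Use UUID for cftoken": 16 random hex digits, a hyphen, then a
# ColdFusion UUID written as hex groups of 8-4-4-16 characters.
UUID_CFTOKEN_RE = re.compile(
    r"^[0-9A-Fa-f]{16}-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$"
)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def classify_cftoken(value):
    """Return (format name, estimated bits of randomness) for a CFTOKEN value."""
    if DEFAULT_CFTOKEN_RE.match(value):
        return "default-8-digit", math.log2(10 ** 8)  # about 26.6 bits
    if UUID_CFTOKEN_RE.match(value):
        # Assumption: count only the 16-hex-digit random prefix (64 bits) and
        # treat the ColdFusion UUID part as non-secret; this is conservative.
        return "uuid", 64.0
    return "unknown", 0.0


def audit_session_cookies(headers):
    """Return (cookie name, finding) pairs for ColdFusion session cookies."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue  # not a client identifier, ignore
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by script, exposed to XSS"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure: sent over plain HTTP"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append((name, "persistent: survives browser restart, long theft window"))
        if name.upper() == "CFTOKEN":
            kind, bits = classify_cftoken(value)
            findings.append((name, f"format {kind}, about {bits:.1f} bits of randomness"))
    return findings


# Constructed sample headers (not captured from a real server). Two CFTOKEN
# lines are included only so that both token formats are exercised.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; Expires=Fri, 09-Sep-2039 00:00:00 GMT",
    "CFTOKEN=87654321; Path=/; Expires=Fri, 09-Sep-2039 00:00:00 GMT",
    "CFTOKEN=3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, finding in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
```

Feed it the Set-Cookie headers from a real response (for example, the output of curl -I against a page that enables session management) to see which of the three cookies still lack httpOnly after the Upgrade 1 property is set, and whether the server is issuing eight-digit or UUID-format tokens.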