So I was not sure whether to put this post into my Session Management discussion (6.x series) or into my Cookie discussion (12.x series), so I am doing both. This week I want to talk about getting a new session after logging in to a site/application.
So why would we want to do this? I want to start this discussion off with a story. I like stories. Many times they illustrate the points I am trying to make quite clearly.
Our story begins with the hottest new social networking web site on the planet. It is called ColdFusionCrushes.com. It is a place where high school and college-aged kids can get together and discuss the hottest ColdFusion developers in the business.
Right now, on ColdFusionCrushes.com there is a BIG debate going on between the presidents of the Ben Nadel fan club and the Todd Sharp fan club about which developer is the hottest. Needless to say, it is getting ugly.
Now clearly, both of these fan club presidents are clever girls. And one of them figures out that sessions are not being reset after login. She knows that every day at 3:00PM (after her .NET class, since her school has not heard the news) the other club president goes to the commons computer lab to write a blog entry and comment on the forums. She always sits at the same computer, logs in, and spends 2 hours gushing about hot developers.
So one day, at 2:50PM, our clever girl who figured out the session thing goes to the computer lab, sits at the victim's machine, and browses to ColdFusionCrushes.com. She does not log in, she just browses to the main page (so that onSessionStart() fires), then she looks at the cookies for ColdFusionCrushes.com on that machine. She sees that the site is using ColdFusion session management, so there is a CFID and a CFToken. She writes down the value of each and then closes the cookie window, yet leaves the browser itself open.
At 3:00PM our victim president sits down at that machine, browses to ColdFusionCrushes.com and logs in. She then begins her daily adoration rituals completely oblivious to what is going on in the forums in her name. Soon she receives an e-mail from the fan club vice-president accusing her of being a "hateful traitor". Later, when she figures out why, she sees that someone had hijacked her account and was using it to post nasty comments about her CF crush in the forums.
How did that happen?
Well, if you have not figured it out already: our little hacker princess, after writing down the CFID and CFToken from the victim's browser, went over to another computer lab machine and browsed to the ColdFusionCrushes.com website. After our victim sat down and logged in on her machine, our hacker opened up her own cookies for ColdFusionCrushes.com and typed in the values she had written down from the victim's machine. She saved and refreshed. Poof! She's logged in as the victim. She was then able to go and unleash hell on the forums.
Since the session tokens did not change, our hacker was able to easily hijack the victim's session simply by knowing the proper session token values.
The countermeasure for this is to:
- Start a new session with a new session token
- Transfer any important information from the old session to the new one
- Where possible, expire the old session
- Set new cookies into the browser with the new session token values
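Here is what those four steps look like in a login handler. This is an added example, not code from the original post: it relies on sessionRotate(), which ColdFusion 10 added after this post was written, and assumes a hypothetical authenticateUser() helper plus an Application.cfc with session management enabled.

```cfml
<cfscript>
// Login handler for ColdFusion 10 or newer (added example, not from the post).
// sessionRotate() invalidates the old session, creates a new one with fresh
// CFID/CFTOKEN (or jsessionid) values, copies the session data across, and
// sends the new cookies to the browser. That covers steps 1, 3 and 4 above.
// authenticateUser() is a hypothetical helper assumed for this example; it is
// expected to return a struct with an "id" key, or an empty struct on failure.

param name="form.username" default="";
param name="form.password" default="";

user = authenticateUser(form.username, form.password);

if (structIsEmpty(user)) {
    // Failed login: leave the session exactly as it was, do not rotate.
    writeOutput("Login failed.");
} else {
    // Step 2: decide up front which pre-login values are worth keeping.
    // The old session may have been created by someone other than this user,
    // so only an explicit allow-list of keys is carried across.
    keep = {};
    if (structKeyExists(session, "returnURL")) {
        keep.returnURL = session.returnURL;
    }

    // Steps 1, 3 and 4: new session, new token, old session expired,
    // new cookies written to the browser.
    sessionRotate();

    // sessionRotate() copies everything from the old session; drop that and
    // rebuild the authenticated state from the allow-list instead.
    structClear(session);
    structAppend(session, keep);
    session.isAuthenticated = true;
    session.userID = user.id;
    session.loginAt = now();

    target = structKeyExists(keep, "returnURL") ? keep.returnURL : "/home.cfm";
    // addToken=false so CFID/CFTOKEN are not appended to the redirect URL.
    location(url = target, addToken = false);
}
</cfscript>
```

On a pre-CF10 server there is no sessionRotate(), which is exactly the gap the rest of this post is about.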
Now this is not the easiest thing in the world to do. It is easier than rebuilding a carburetor, but harder than learning to milk a goat. So I am going to have to do some more research before I discuss how I am going to handle this. There are a few things I need to iron out.
- How to handle this with ColdFusion session management vs. J2EE session management
- Determine if there are different ways to handle J2EE session management if deployed on different application servers (Jrun, JBoss, etc)
- Figure out how to move the session info from one session to the next
- Figure out the best way to invalidate the old session (if possible) and to write the new cookies.
- Figure out if things are any different with Railo or OpenBD
If anyone has done any of this before, I would love to hear how you handled it. Especially with J2EE Session Management. Doing some of this on the default Jrun that comes with CF developer edition has been a pain. Jrun seems to take great issue with me trying to rewrite session token cookies. I am creating a new Virtual Machine right now to try deploying to JBoss to see if it works any differently.