This post is a day later than I had hoped. Oh well, what can you do.
In my last post we started talking about cookie security. There is a LOT to cookie security and we only scratched the surface. We are going to continue today by talking about session token cookies, SSL, and the SECURE flag.
Session Token Cookies
Session token cookies store the browser's session token so that when the browser contacts the web server, the server knows which session belongs to that browser. Because the World Wide Web is stateless, this is necessary to persist data between web requests.
To read more about session management and session tokens check out some of my previous posts.
It is important to know that your users' session tokens are HIGHLY sensitive information. If a session token is compromised, session hijacking is easy for anyone who obtains that valid token. This is why it is important to make sure our session token cookies are secure.
SSL and Cookie Security
One of the problems with cookies is that everything is done "in the clear". Cookies are simple text and numeric values, and these values are sent in clear text, where they can be easily intercepted, unless SSL is used.
When a secure connection is made between a client and a server, then all the information sent between those two machines is encrypted, including the cookie values. This, of course, is great for security, since the encrypted session token cannot be intercepted and used for a session hijacking.
Let me just give you a quick example to try to scare you. You have a client with a very simple request. She wants a blog. You say "No Problem!", because, of course, thanks to our awesome community, there are several blog options from which to choose. You choose one and set it up. You think to yourself, "Does this site need SSL?", and decide it does not. It's just a simple blog, the only users, besides the administrator that will be accessing it, are all anonymous and so you don't need to worry about having those users' sessions hijacked.
But wait. What about your administrator? Your blogger? Isn't she a user? What happens when she sits down at the local coffee shop with her laptop, hits that wireless access point called "Free Public Wifi", and goes to log into her blogging site? Well, because she is not connected via SSL, every one of her page requests will be broadcasting her highly sensitive session token cookie "in the clear". If some malicious little punk was sitting there, monitoring network traffic, and saw that, he could easily grab that cookie, duplicate it on his machine, and browse to the blogging site himself. He would be instantly logged on as your client and could vandalize to his heart's content.
A few hours later you would get a call from an angry client wanting to know how the site you set up for her got hacked. Your reputation takes a hit and you get to clean it up for free.
The moral of this story is a simple one. It is also one that nobody wants to hear. But I don't care what you want to hear, I just want to give it to you straight.
If you are using session management and not using SSL, then your site is not secure. Period.
The SECURE flag
Cookies have a pretty cool feature that can help protect you from yourself and from your clients. It is the SECURE flag. When a cookie has the SECURE flag set to "true", the browser will not send that cookie to the server over anything except an encrypted connection. Pretty cool, huh?
So how do we set the SECURE flag?
Great question. Unfortunately, this is one of those areas where ColdFusion drops the ball a bit. There are several ways to protect your session token cookies that ColdFusion does not allow you to use without jumping through a few hoops. This is one of them. There is no way (to my knowledge) to tell ColdFusion to write session tokens with the SECURE flag set to "true". So we need to write the cookies ourselves.
The first thing we need to do is tell ColdFusion NOT to write the session cookies. We do this in our Application.cfc (or Application.cfm if you are kickin' it oldSkool).
In the pseudo-constructor area of Application.cfc (which is the area right below the <cfcomponent> tag and right before the first function) put:
<cfset this.setClientCookies = false />
In Application.cfm add the setClientCookies attribute to the <cfapplication> tag and set it to "false".
This will tell ColdFusion not to write the session token cookies.
Next we need to write the cookies. So in Application.cfc in your onSessionStart() method, or in Application.cfm wherever you handle your session variables, add:
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;secure=true;" />
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;secure=true;" />
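To check what the two headers above actually achieve, here is an added example (Python, not ColdFusion code from this post) that parses Set-Cookie headers the way a browser does and shows which cookies would be sent over plain http versus https. The cookie values and the third, unflagged JSESSIONID cookie are constructed for contrast.

```python
"""Parse Set-Cookie headers and decide which cookies a browser would attach
to a plain-HTTP versus an HTTPS request, following RFC 6265 attribute rules.
Added example; the sample headers below are constructed, not captured."""


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Attribute names are case-insensitive, and for flag attributes such as
    Secure the value after '=' is ignored, so the post's 'secure=true'
    form sets the flag just like a bare 'Secure' would."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:            # trailing ';' leaves an empty segment
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent(headers, scheme):
    """Names of the cookies a browser would send on a request over `scheme`
    ('http' or 'https'); Secure cookies are withheld on plain http."""
    sent = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent


def missing_secure(headers):
    """Cookies that would travel in the clear: no Secure flag at all."""
    return [parse_set_cookie(h)[0] for h in headers
            if "secure" not in parse_set_cookie(h)[2]]


# Constructed sample: the two headers the post writes (with made-up values)
# plus a JSESSIONID cookie written without the flag.
SAMPLE_HEADERS = [
    "CFID=12345;secure=true;",
    "CFTOKEN=67890;secure=true;",
    "JSESSIONID=abc123; Path=/",
]

if __name__ == "__main__":
    print("sent over http: ", cookies_sent(SAMPLE_HEADERS, "http"))
    print("sent over https:", cookies_sent(SAMPLE_HEADERS, "https"))
    print("leak risk:      ", missing_secure(SAMPLE_HEADERS))
```

Point the same parser at the Set-Cookie headers your own site returns and anything listed by missing_secure() is a token that will be broadcast on that coffee-shop wifi.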
I have tried this with jsessionid and it does not seem to work. If anyone has an experience with making the jsessionid token cookie secure, I would love to learn about it.