So why am I suddenly bringing this topic up again? Well I recently read (I cannot recall where, it was probably on the OWASP site) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.
This is something I came across at work that I thought I would share, because at first, it had me scratching my head.
I posted on Friday about my experimental code for session token rotation and I got some great comments (thanks Peter and Brian). Brian stated in his comment that because I am using a <cflocation>, which is a 302 HTTP redirect, it could cause problems with legitimate deep-linking, plus, using <cflocation> feels like a hack. I agree with the latter. I was not happy with using <cflocation>, but it was all I could think to do at the time.
So I gave it some more thought this weekend and came up with a new way of doing it that uses <cfhttp> instead of a redirect. I am MUCH happier with this method for a couple of reasons.
This is a continuation of a topic that I have been blogging about and thinking about for a long time. Session management and cookie security are really interesting topics that I could yammer on about for hours. Go ahead, ask my wife.
I made a couple of errors in my previous post about setting the SECURE, PATH and HTTPOnly attributes of the JSESSIONID token cookie. The code has been updated and now works better than before. Please see the update here.
Wow, I have been working on this one for a while. I am almost embarrassed to admit that I have spent upwards of 9 hours learning how cookies work in ColdFusion and the JEE server (including another full hour since I started writing this post). A lot of testing and trying out different things has resulted in a lot of frustration, a little code, and (hopefully) a solution.
I have complained before that when using J2EE session management in ColdFusion, the session token cookies are difficult to work with. When trying to do things like set a specific PATH, or set the cookie as SECURE or HTTPOnly, it can, many times, result in creating duplicate cookies. Well, I think I have finally come up with a method of setting the JSESSION token's PATH, SECURE, and HTTPOnly attributes without this duplication.
Wow. What a busy few weeks. But now that I have completed my cf.Objective() presentation, and given a practice presentation to the Twin Cities ColdFusion User Group, and I have caught up on things at work, I am finally back at my desk, jamming to some Miley Cyrus Aly & AJ Metallica and pumping out code.
My current project is an Adobe AIR application that, on occasion, needs to talk to a remote server. I am using jQuery to make the requests to the remote server, though I could, just as easily use AIR's URLLoader.
So I wasn't sure if I was going to continue this series. I had been sick for a while and I am already done with my presentation (the reason for my research). But I've decided to finish what I started. I will probably finish with this post. If you want to learn more about HTTP, I strongly recommend the O'Reilly HTTP Definitive Guide. It is from 2002, but HTTP has not changed much, if at all, since then, so it is still a very relevant text.
HTTP Response Messages
As we discussed last time, HTTP requests are made from a client to a server to request a specific resource. The server processes that request and returns a response. That response must also be formatted properly and contain specific information for the client to understand it and either display the resource or display the reason that the resource was unavailable.
I'm still feeling pretty under the weather, but I just have to get a blog post done or I won't be able to live with myself over the weekend. So here is a continuation of my HTTP series. There is a lot more to learn about this basic protocol than I ever expected. It makes me want to stop calling it "basic". :)
I have been sick the last few days and it has slowed my posting. I hope to be back on track soon.
I am posting now to let you know that I will be speaking at the Twin Cities ColdFusion User Group meeting this Wednesday March 4th @ 6:30.
My presentation will be an introduction to HTTP. Here is the description: