URL Session Tokens easily compromised - Security Series #6.4

I have said on several occasions that catering to users who insist on disabling cookies is a bad idea. I have blogged a couple of times on the reasons.

So why am I suddenly bringing this topic up again? Well I recently read (I cannot recall where, it was probably on the OWASP site) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.


AIR Tip: Cookie Sharing between AIR and Web Browsers

This is something I came across at work that I thought I would share, because at first, it had me scratching my head.

Internally, Adobe AIR uses webkit as a "browser" which is great, and as expected, it actually behaves like a browser, including cookie support for access to external resources. Which means that when you are making remote calls to resources, you can use cookies to maintain sessions, or for information tracking.


Session token rotation REVISITED - Security Series #12.3.3 and #6.4.3

I posted on Friday about my experimental code for session token rotation and I got some great comments (thanks Peter and Brian). Brian stated in his comment that because I am using a <cflocation>, which is a 302 HTTP redirect, it could cause problems with legitimate deep-linking, plus, using <cflocation> feels like a hack. I agree with the latter. I was not happy with using <cflocation>, but it was all I could think to do at the time.

So I gave it some more thought this weekend and came up with a new way of doing it that uses <cfhttp> instead of a redirect. I am MUCH happier with this method for a couple of reasons.


Session token rotation - Security Series #12.3.2 and #6.4.2

This is a continuation of a topic that I have been blogging about and thinking about for a long time. Session management and cookie security are really interesting topics that I could yammer on about for hours. Go ahead, ask my wife.

About 3 months ago, Ben Nadel blogged about a behavior of ColdFusion that I found troubling.


JSESSIONID Session Token Cookie - Important update to previous post

I made a couple of errors in my previous post about setting the SECURE, PATH and HTTPOnly attributes of the JSESSIONID token cookie. The code has been updated and now works better than before. Please see the update here.

Making the JSESSIONID Session Token Cookie SECURE and HTTPOnly and setting its PATH

Wow, I have been working on this one for a while. I am almost embarrassed to admit that I have spent upwards of 9 hours learning how cookies work in ColdFusion and the JEE server (including another full hour since I started writing this post). A lot of testing and trying out different things has resulted in a lot of frustration, a little code, and (hopefully) a solution.

I have complained before that when using J2EE session management in ColdFusion, the session token cookies are difficult to work with. When trying to do things like set a specific PATH, or set the cookie as SECURE or HTTPOnly, it can, many times, result in creating duplicate cookies. Well, I think I have finally come up with a method of setting the JSESSION token's PATH, SECURE, and HTTPOnly attributes without this duplication.


Using WebScarab with Adobe AIR to Monitor HTTP Traffic

Wow. What a busy few weeks. But now that I have completed my cf.Objective() presentation, and given a practice presentation to the Twin Cities ColdFusion User Group, and I have caught up on things at work, I am finally back at my desk, jamming to some Miley Cyrus Aly & AJ Metallica and pumping out code.

My current project is an Adobe AIR application that, on occasion, needs to talk to a remote server. I am using jQuery to make the requests to the remote server, though I could just as easily use AIR's URLLoader.


The Basics of HTTP - Part 3 - The Response

So I wasn't sure if I was going to continue this series. I had been sick for a while and I am already done with my presentation (the reason for my research). But I've decided to finish what I started. I will probably finish with this post. If you want to learn more about HTTP, I strongly recommend the O'Reilly HTTP Definitive Guide. It is from 2002, but HTTP has not changed much, if at all, since then, so it is still a very relevant text.

HTTP Response Messages

As we discussed last time, HTTP requests are made from a client to a server to request a specific resource. The server processes that request and returns a response. That response must also be formatted properly and contain specific information for the client to understand it and either display the resource or display the reason that the resource was unavailable.


The Basics of HTTP - Part 2 - The Request

I'm still feeling pretty under the weather, but I just have to get a blog post done or I won't be able to live with myself over the weekend. So here is a continuation of my HTTP series. There is a lot more to learn about this basic protocol than I ever expected. It makes me want to stop calling it "basic". :)

In order for a client (web browser, web service, etc) to get a resource (HTML page, image, JavaScript file, flash file, etc) from an HTTP server (web server like IIS or Apache) it must request the resource. That request must be made and formatted in a certain way for it to work.


I will be speaking at TCCFUG this Wednesday March 4th 2009

I have been sick the last few days and it has slowed my posting. I hope to be back on track soon.

I am posting now to let you know that I will be speaking at the Twin Cities ColdFusion User Group meeting this Wednesday March 4th @ 6:30.

My presentation will be an introduction to HTTP. Here is the description:



BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.