Session token rotation REVISITED - Security Series #12.3.3 and #6.4.3
I posted on Friday about my experimental code for session token rotation and I got some great comments (thanks Peter and Brian). Brian stated in his comment that because I am using a <cflocation>, which is a 302 HTTP redirect, it could cause problems with legitimate deep-linking, plus, using <cflocation> feels like a hack. I agree with the latter. I was not happy with using <cflocation>, but it was all I could think to do at the time.
So I gave it some more thought this weekend and came up with a new way of doing it that uses <cfhttp> instead of a redirect. I am MUCH happier with this method for a couple of reasons.
Very interesting posts (this and the last). You've got me thinking about some stuff that I'll try to post. Out of curiosity, how come you use CFHeader to set the cookie and not CFCookie?
<cfcookie> does not support the HTTPOnly attribute. It is a best practice to set session token cookies to be HTTPOnly so they cannot be compromised through the use of XSS attacks. I did not do that for these examples for the sake of clarity, but it probably would have been a good idea.
You can read more about it here: http://www.12robots.com/index.cfm/2009/1/5/mmmmMMm...
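As an added example (not code from the original post or its comments), here is the cookie-setting step the reply above describes, written in CFML: the rotated session token is issued through a raw Set-Cookie header so that the HttpOnly and Secure flags can be included. It assumes a cookie named SESSIONTOKEN, an application served over HTTPS, and a simple check-then-rotate flow on each request; that rotation flow is a generic illustration, not the post's <cfhttp>-based method.

```cfml
<!--- Added example, not the original post's code. Cookie name SESSIONTOKEN,
      HTTPS (needed for the Secure flag) and the per-request rotation flow
      below are all assumptions for illustration. --->

<cffunction name="issueSessionToken" access="public" returntype="string" output="false">
    <!--- Fresh, unguessable token: random key material plus a UUID, hashed --->
    <cfset var token = hash(generateSecretKey("AES") & createUUID(), "SHA-256")>
    <!--- Keep the server-side copy so every request can be compared against it --->
    <cfset session.token = token>
    <!--- Write the cookie via the raw header so HttpOnly (and Secure) can be set.
          <cfcookie name="SESSIONTOKEN" value="#token#"> on the release discussed
          in the post would omit HttpOnly, leaving the token readable from
          document.cookie by any injected script. --->
    <cfheader name="Set-Cookie"
              value="SESSIONTOKEN=#token#; Path=/; Secure; HttpOnly">
    <cfreturn token>
</cffunction>

<cffunction name="sessionTokenIsValid" access="public" returntype="boolean" output="false">
    <!--- A request is valid only if it presents the token the server last issued --->
    <cfif NOT structKeyExists(session, "token") OR NOT structKeyExists(cookie, "SESSIONTOKEN")>
        <cfreturn false>
    </cfif>
    <!--- compare() is case-sensitive and returns 0 on an exact match --->
    <cfreturn compare(cookie.SESSIONTOKEN, session.token) EQ 0>
</cffunction>

<!--- Per-request flow (e.g. from Application.cfc onRequestStart):
      first visit gets a token; a mismatch ends the session; a valid
      request gets a new token, so the one a client holds changes each time --->
<cfif NOT structKeyExists(cookie, "SESSIONTOKEN")>
    <cfset issueSessionToken()>
<cfelseif NOT sessionTokenIsValid()>
    <cfset structClear(session)>
    <cfabort>
<cfelse>
    <cfset issueSessionToken()>
</cfif>
```

Later ColdFusion releases added an httpOnly attribute to <cfcookie>, so on those the <cfheader> workaround shown here is no longer required.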