Cftoken is always zero?

Porting an app over from ACF to Lucee 5, and noticed that cftoken is always
“0” (Zero). Is this normal/expected behavior? The combination of cfid and
cftoken would normally make a session harder to hijack, wouldn’t it?

cftoken is always 0 in Lucee as it was in Railo before it. Not sure about
making it harder, as both as stored in a cookie and/or passed in the URL.
If the connection is not over SSL then an attacker can potentially see both
in clear text then they have both, so it doesn’t really make anything
harder.

I think in ACF that the CFID was (maybe still is) a sequential number so
the cftoken was there to make it harder (maybe) to guess but in Lucee this
is not the case, the ID is much more random.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.orgOn 22 December 2016 at 22:16, M F <@Franc_Amour> wrote:

Porting an app over from ACF to Lucee 5, and noticed that cftoken is
always “0” (Zero). Is this normal/expected behavior? The combination of
cfid and cftoken would normally make a session harder to hijack, wouldn’t
it?


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/
msgid/lucee/adbb8af2-c4ba-4fda-abbc-fa46c2fb2ab9%40googlegroups.com
https://groups.google.com/d/msgid/lucee/adbb8af2-c4ba-4fda-abbc-fa46c2fb2ab9%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

1 Like

To elaborate on what Andrew said…

In ACF yes it (still) does use the combination of cfid and cftoken for
sessions, however as Andrew noted the fact that these are available in
cookies (or if programmed poorly, the URL), SSL or not, doesn’t make how
ACF handles session cookies any more secure. Frankly, cfid could be removed
from both engines as far as I’m concerned - it adds nothing to security and
is only present in Lucee for ACF compatibility. That said, I believe Lucee
still uses cftoken for session generation, it’s just always zero.

Now, how to make sessions more secure is another matter entirely, and one
recommendation is to rotate your sessions on every request (thus the cftid
cookie value changes on every request. See:
http://cfdocs.org/sessionrotate), use CSRF functions on forms (with a
random key and forcing a new token. See:
http://cfdocs.org/csrfgeneratetoken and http://cfdocs.org/csrfverifytoken),
etc., etc.

More robust session management can be done using your own cookies in a
hybrid way with cfid - your cookie maintains the authorization state while
cfid maintain the session scope (and the authorization state uses the
session scope. See: http://cfdocs.org/security - scroll down to ‘Code
Security’ and follow the links).

Just a couple observations/pointers about sessions and session management
in CFML. HTH!

– Denny

Edit: Frankly, cftoken could be removed from both engines […]

Sorry, I haven’t finished my first cup of coffee yet :stuck_out_tongue:

Thanks very much Andrew. I didn’t jump from ACF until Lucee, so I never
got to experience Railo, and yep, i get it why cftoken really doesn’t
matter here.On Thursday, December 22, 2016 at 5:32:45 PM UTC-5, Andrew Dixon wrote:

cftoken is always 0 in Lucee as it was in Railo before it. Not sure about
making it harder, as both as stored in a cookie and/or passed in the URL.
If the connection is not over SSL then an attacker can potentially see both
in clear text then they have both, so it doesn’t really make anything
harder.

I think in ACF that the CFID was (maybe still is) a sequential number so
the cftoken was there to make it harder (maybe) to guess but in Lucee this
is not the case, the ID is much more random.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org

On 22 December 2016 at 22:16, M F <advan...@gmail.com <javascript:>> wrote:

Porting an app over from ACF to Lucee 5, and noticed that cftoken is
always “0” (Zero). Is this normal/expected behavior? The combination of
cfid and cftoken would normally make a session harder to hijack, wouldn’t
it?


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+un...@googlegroups.com <javascript:>.
To post to this group, send email to lu...@googlegroups.com <javascript:>
.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/adbb8af2-c4ba-4fda-abbc-fa46c2fb2ab9%40googlegroups.com
https://groups.google.com/d/msgid/lucee/adbb8af2-c4ba-4fda-abbc-fa46c2fb2ab9%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.