Following a security audit we have an issue where the `cfid` and `cftoken` cookies have the expires set:

```
Set-Cookie: cfid=911de6b8-49f2-4ab2-9e03-ab8d3be23dcf;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly
```

I'd like to set the `Expires` bit to session or just omit it altogether, so that when the browser closes the session ends. I can't find anything that will allow me to do that.
Can anyone advise? Should I turn off the automatic session handling and set the cookies myself without the expires key?
Some info:
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
Thanks @Zackster - it seems Pete Freitag suggested

```cfml
this.sessionCookie = { httpOnly=true, secure=true, timeout=-1 };
```

where the `timeout=-1` makes it a browser session cookie. Looking at the associated commit, it's not clear that was done. Trying it out on the latest Lucee (5.2.6.60), the timeout is still set in the header:

```
Set-Cookie: cfid=e1cdd068-e119-40ad-9662-21e021f805c4;Path=/;Expires=Sun, 20-May-2018 17:11:06 UTC;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Sun, 20-May-2018 17:11:06 UTC;HTTPOnly
```

I'll try manually setting the `cfid` and `cftoken` cookies. If anyone else has experience of this, let me know! I'll post anything I can get working…
Maybe a web server setting?
Doesn’t sessioninvalidate() clear CFID and CFTOKEN now? Haven’t tried it.
Thanks @kabutotx, but I'm not invalidating the cookie directly; I am making sure that when the browser closes the cookie is no longer active - hence the `Expires` setting. A workaround is this in `Application.cfc`:

```cfml
public void function onSessionStart()
{
    // issue a fresh session id before we write the cookies
    sessionRotate();
    if (cgi.https == "on")
    {
        // HTTPS: Secure and HttpOnly, no Expires, so the cookies die with the browser
        header name="Set-Cookie" value="CFID=#session.CFID#;Secure;HttpOnly;path=/;";
        header name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;Secure;HttpOnly;path=/;";
    }
    else
    {
        // local development without HTTPS: the same cookies without the Secure flag
        header name="Set-Cookie" value="CFID=#session.CFID#;HttpOnly;path=/;";
        header name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;HttpOnly;path=/;";
    }
}
```

With

```cfml
// in the Application.cfc pseudo-constructor, outside any function
this.setClientCookies = false; // we are handling the headers for these
```

so Lucee doesn't set them. The `if` statement here is so the cookie is set correctly locally (without HTTPS) as well as on production (with HTTPS). This way the cookie has no expiry set, and so expires when the browser is closed.

The next issue is that `sessionRotate();` and `CSRFGenerateToken()` don't play nice with each other - the token is always invalid.
Again if anyone has experience of doing this and can suggest a better way, let me know.
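For anyone checking whether the fix above actually took, the following is an added example (not code from this thread or from Lucee) that audits `Set-Cookie` headers for the attributes the OWASP test linked in the first post looks at: whether a session cookie is persistent (`Expires` or `Max-Age` present and in the future), and whether `HttpOnly` and `Secure` are set. The sample headers at the bottom are constructed to mirror the shape of the `cfid`/`cftoken` headers quoted above, before and after the manual-header workaround; the cookie values are placeholders.

```python
"""Audit Set-Cookie headers for session-cookie attributes (OWASP OTG-SESS-002).

Added example, not code from the thread. Sample headers are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names treated as session identifiers (cfid/cftoken are Lucee's).
SESSION_COOKIE_NAMES = {"cfid", "cftoken"}


@dataclass
class CookieAudit:
    name: str
    persistent: bool          # True when the cookie survives a browser restart
    http_only: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value|None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:              # trailing ';' leaves an empty part
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def is_persistent(attrs, now):
    """True when the browser will store the cookie past the end of the session.

    Max-Age takes precedence over Expires (RFC 6265 section 5.3). A Max-Age <= 0
    or an Expires in the past deletes the cookie instead of persisting it.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except (TypeError, ValueError):
            return True           # malformed: report it rather than miss it
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"] or "")
        except (TypeError, ValueError):
            return True
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False                  # neither attribute: a browser-session cookie


def audit_cookie(header_value, over_https=True, now=None):
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header_value)
    persistent = is_persistent(attrs, now)
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES and persistent:
        findings.append("session cookie persists after the browser closes (Expires/Max-Age set)")
    if not http_only:
        findings.append("missing HttpOnly")
    if over_https and not secure:
        findings.append("missing Secure on an HTTPS response")
    return CookieAudit(name, persistent, http_only, secure, findings)


def audit_response(headers, over_https=True, now=None):
    """headers: list of (name, value) tuples as received; one audit per Set-Cookie."""
    return [audit_cookie(v, over_https, now) for n, v in headers if n.lower() == "set-cookie"]


# Constructed samples: Lucee's default shape, and the manual-header workaround.
BEFORE = [
    ("Set-Cookie", "cfid=00000000-0000-4000-8000-000000000001;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly"),
    ("Set-Cookie", "cftoken=0;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly"),
]
AFTER = [
    ("Set-Cookie", "CFID=00000000-0000-4000-8000-000000000001;Secure;HttpOnly;path=/;"),
    ("Set-Cookie", "CFTOKEN=0;Secure;HttpOnly;path=/;"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        for result in audit_response(hdrs, over_https=True):
            print(label, result.name, result.findings or "ok")
```

Point it at the raw headers of a real response (for example from a `curl -i` capture) to confirm that the session cookies come back with neither `Expires` nor `Max-Age`, and with `HttpOnly` and, over HTTPS, `Secure`.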