Problems with value in session

Junior · January 15, 2025, 8:13pm

I’m performing a security check on a form with the following logic: I have a hidden input in the form that receives a CreateUUID() value, and the same value goes into the session.

Example:

session.IdTemp = CreateUUID();
<input name="test" type="hidden" value="#session.IdTemp#">

On the page that receives the form submission, I validate if the input value is the same as the session value. If positive, I clear the session value and continue the flow. If the client clicks the submit button multiple times, the second time will hit the session without a value and the input with a value, so I abort the flow.

<cfif form.test EQ session.IdTemp >
	<cfset session.IdTemp = "">
<cfelse>
    <cfabort>
</cfif>

However, when I use <cfset session.IdTemp = ""> to clear the session, the code behaves as if the page had been reloaded. It enters the IF statement, clears the session, and then goes to the ELSE immediately after, aborting the page. If I remove the set that clears the session, the flow works as it should, only entering the IF statement.

Has anyone seen this?

Thanks

OS: Windows Server 2022 Standard
Java Version: 11.0.20.1
Tomcat Version: 9.0.80
Lucee Version: 6.0.0.585

BK_BK · January 16, 2025, 2:12pm

I think that the code is probably behaving as it should. Every time you open the form page, a new UUID is created. This UUID is stored in session scope, overwriting any previously stored session.IdTemp value such as “”. Hence, the cfif always runs when you submit the form.

If you don’t want the cfif to always run, then put a condition on the creation of a new UUID. Some additional suggestions for completeness:

Use method="post" for the form;
Enclose the input tag with cfoutput;
Use dump for testing.

<cfscript>
        // Use the logic appropriate to your needs
	 if (!structKeyExists(session, "IdTemp") or len(session.IdTemp) neq 35) {
	 	session.IdTemp = createUUID();
	 } 
</cfscript>

<form method="post">
	<cfoutput><input name="test" type="hidden" value="#session.IdTemp#"></cfoutput>
	<input name="sbmt" type="submit" value="Submit">
</form>

<cfdump var="#form#" >