Accessibility

TechNote (Archived)

Security Best Practice: URL session variables and HTTP_REFERER

URL Session Variables Security Risks

Because the web is a stateless environment, there are several mechanisms that people use to track users as they move through an application. The most common mechanism is to set cookies with user ID and session ID, then track the user based on those cookies as they use the application. But, in the cases where cookies are not acceptable, the session information will typically be passed in URL variables, which can expose some not so obvious risks.

In some cases, developers will create the session state architecture on their own, but when developers use ColdFusion session state management they inherit this system from ColdFusion. ColdFusion provides web developers with the ability to store values on the server side that are unique to a user's "session" at the site. ColdFusion relies on two "token" values passed between the client browser and the ColdFusion Server to be able to distinguish one user's session variables from another's. These two token values are named "CFID" and "CFTOKEN", and together represent a unique visitor's session.

If session variables are being used by an application, ColdFusion's default behavior is to issue two browser cookies with numeric values named "CFID" and "CFTOKEN". For each subsequent trip to the server, ColdFusion uses these cookies to look up state information stored on the server. However, for sites which do not wish to use or rely on cookie browser support, the "CFID" and "CFTOKEN" values can be appended to the URL as variables using the URLTOKEN variable. ColdFusion will also automatically find and use these values.

Under normal circumstances, passing session information on a URL is not a problem, but there are potential risks that developers need to avoid when they code applications that pass session variable information, or any sensitive information on a URL. In general, you should avoid sending any sensitive information on a URL string out of your application:

  • Passing session ID data out of the application on the URL. The obvious mistake is to append the session information to a URL that is linking out of the application to another site. This will transfer the information to the other site where it can potentially be captured and used to mimic the user for unauthorized access.
  • Passing session ID data out of the application through the HTTP_REFERER header variable. Every HTTP request (hyperlink) includes an HTTP Header with a set of environment variables. One of the variables is "HTTP_REFERER." This variable contains the URL that was used to access the page that is being linked from. So if you are navigating through an application with URL based session variables then you click a clean link from the application to another site, the HTTP_REFERER variable may contain the URL with the session data. As with the first example, this could then be used to spoof the user and return to the site for unauthorized access.

Addressing URL Session Variable Security Risks

There are several different ways to help protect against the potential risks described above:

  • Don't pass session ID information on the URL. If you use cookies instead this will prevent the problem of accidentally passing session ID information out of a site.
  • Link to pages leaving an app with forms. You can link to pages that have links out of the application using forms instead of URLs. When you link to a page with a form, passing the session information in a hidden form field, the HTTP_REFERER variable that is created on the next link will not contain the session information.
  • Use other data to check users during sessions. Most systems will have a user ID that is unique for the user and a session ID that is unique for the session. In addition, you can use an IP address as another environment variable not based on the URL to help to confirm that your application is in fact talking with the right user. (If you are using ColdFusion session state management you cannot use this technique.)
  • Keep session timeouts short. Typically sessions are designed to "timeout" after a certain period of inactivity. It is a good idea to keep the session timeout length short (e.g. 10 -15 minutes) so that session IDs become invalid faster, which will leave less time for possible unauthorized access without authentication.

In the end, well designed and properly coded ColdFusion applications can securely manage state information, but it is important for developers and application architects to payattention to the particular issues associated with URL variables and HTTP_REFERER.

Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to secure@adobe.com. We will work to appropriately address and communicate the issue. For more information about security issues, notifications and other resources, please visit the Adobe Security Zone at www.adobe.com/devnet/security/security_zone.

AlertThis content requires Flash

To view this content, JavaScript must be enabled, and you need the latest version of the Adobe Flash Player.

Download the free Flash Player now!

Get Adobe Flash Player

Creative Commons License

Search Support


Document Details

ID:tn_17255
Browser:Chrome
Internet Explorer
Netscape
Opera
Safari
Firefox
Database:DB2
Informix
MySQL
Oracle
SQL Server
Sybase
MS Access

Products Affected:

coldfusion