How to write CFID and CFTOKEN as per-session cookies
Issue
Some websites do not wish to write a persistent cookie to the client's browser for security reasons. This article explains how to write ColdFusion's session variables as per-session or non-persistent cookies.
Background information:
Persistent cookies are cookies that exist even after a client browser is closed. For instance, if a customer visits a website and checks "Remember My Login" next to her username and password, the website is likely writing a persistent cookie to her hard drive. When the customer returns, the website reads her cookie file for cookies associated with the site and returns information based on the associated cookie values. Per-session cookies, however, are non-persistent: they are written to the customer's browser memory, not to the customer's hard drive. In short, per-session cookies exist only for the duration of the browser session, whereas persistent cookies remain available for future browser sessions.
ColdFusion Application and Session management must be enabled in the ColdFusion Administrator and initialized with the cfapplication tag. Traditional ColdFusion session management uses the CFID and CFTOKEN values to track a user's browser session. The Application name and the CFID and CFTOKEN values together make up the SESSION.SESSIONID value. By default, all ColdFusion versions write CFID and CFTOKEN as persistent cookie values in the client browser when the cfapplication tag is processed.
Note: To strengthen the CFTOKEN value by making it a unique number, read ColdFusion (All Versions): How to guarantee unique cftoken values.
Changes in ColdFusion MX:
ColdFusion MX (CFMX) introduces J2EE servlet session management in addition to the traditional ColdFusion session management. J2EE session management enables the sharing of session information between ColdFusion pages and JSP pages or servlets within a single application. With J2EE session management, ColdFusion uses a new variable, the JSESSIONID, to track a user's browser session instead of CFID/CFTOKEN. ColdFusion MX still creates the CFID and CFTOKEN values, but these values are no longer used to uniquely identify browser sessions. J2EE session management does not require an Application name, so the SESSION.SESSIONID value becomes the JSESSIONID. Because the JSESSIONID is always written as a per-session value, it is destroyed when the browser is closed, and a new one is created with each new browser session.
To enable J2EE session variables you must also enable ColdFusion session variables. Read ColdFusion MX: How to enable J2EE session management in CFMX for more details.
Issue: Preventing CFID and CFTOKEN From Causing Security Issues
For security reasons, some websites wish to set CFID and CFTOKEN as per-session cookies instead of persistent cookies. In this case, use the SetClientCookies attribute of the cfapplication tag. The default value for SetClientCookies is "Yes." When SetClientCookies is set to "No", however, ColdFusion Server does not automatically send the CFID and CFTOKEN cookies to the client browser. Consequently, CFID and CFTOKEN must be coded in the URL string and passed to every page that uses SESSION and/or CLIENT variables.
An important security note: Coding sensitive data such as CFID and CFTOKEN in the URL string is a security risk. Please read Security Best Practice: URL session variables and HTTP_REFERER for more details.
Solution
There are several ways to solve this problem. First, in all ColdFusion versions, set the SetClientCookies attribute to "No" in your cfapplication tag, and then explicitly set the CFID and CFTOKEN values as per-session cookies. Using the cfcookie tag without the Expires attribute sets the cookies in browser memory, and using the cfcookie tag with the Expires attribute set to "Now" deletes previously existing CFID/CFTOKEN cookies. We have included a code sample below:
- Use the following code to delete previously existing CFID and CFTOKEN cookies:

    <CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#" EXPIRES="NOW">
- Use the following code to set per-session cookies instead of persistent cookies:
For Session Management:
    <!--- With Session Management Enabled --->
    <CFAPPLICATION NAME="myCFApp" SESSIONMANAGEMENT="YES" SETCLIENTCOOKIES="NO">
    <!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
    <cfif not IsDefined("Cookie.CFID")>
        <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="5">
            <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
            <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
        </CFLOCK>
    </cfif>
Note: In ColdFusion version 5 and earlier, failing to lock shared-scope variables could corrupt blocks of application memory, resulting in server instability or crashes. This is no longer the case with ColdFusion MX and higher. However, it may still be necessary to use cflock in some cases to avoid race conditions in your application code. Please see ColdFusion MX: Best practices for locking shared scope variables for more details.
For Client Management:
    <!--- With Client Management Enabled --->
    <CFAPPLICATION NAME="myCFApp" CLIENTMANAGEMENT="YES" SETCLIENTCOOKIES="NO">
    <!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
    <CFCOOKIE NAME="CFID" VALUE="#CLIENT.CFID#">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#CLIENT.CFTOKEN#">
In ColdFusion MX, choose J2EE session management in the ColdFusion Administrator. The JSESSIONID value replaces CFID/CFTOKEN (SESSION.SESSIONID = JSESSIONID) and is non-persistent by default. You should still set the SetClientCookies attribute of cfapplication to "No." ColdFusion MX will continue to produce the CFID/CFTOKEN values, but because these values change with each request, you will need to set the CFID/CFTOKEN cookies using the client management example code above.
Important note: The cflocation tag prevents Cookie values from being written. See Cookies and cflocation for more details. Additionally, you must set the client variable storage to a data source or the registry. Setting the client variable storage to cookie will cause the code above to fail.
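As an added verification step that is not part of this TechNote: after applying the solution above, a practitioner can confirm from the server's Set-Cookie response headers that CFID and CFTOKEN are no longer persistent. The Python script below parses each Set-Cookie header and reports whether a CFID/CFTOKEN cookie is "persistent" (carries Expires or Max-Age in the future), "per-session" (neither attribute, so it lives only in browser memory), or "deleted" (Expires already past, as cfcookie EXPIRES="NOW" produces). The sample headers are constructed, not captured from a real server.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

WATCHED = ("CFID", "CFTOKEN")  # the ColdFusion session identifier cookies

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def classify(attrs, now):
    """Per RFC 6265: no Expires/Max-Age -> per-session; expired -> deleted; else persistent."""
    if "max-age" in attrs:
        try:
            return "deleted" if int(attrs["max-age"]) <= 0 else "persistent"
        except ValueError:
            return "persistent"  # unparseable attribute: assume the worst case
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "persistent"  # unparseable date: assume the worst case
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "deleted" if expires <= now else "persistent"
    return "per-session"

def audit(headers, now=None):
    """Return [(cookie name, classification)] for every CFID/CFTOKEN Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() in WATCHED:
            findings.append((name, classify(attrs, now)))
    return findings

# Constructed sample headers (not captured from a real ColdFusion server):
SAMPLE_HEADERS = [
    "CFID=1234; expires=Fri, 31-Dec-2038 00:00:00 GMT; path=/",   # default persistent cookie
    "CFTOKEN=98765432; path=/",                                  # cfcookie without Expires
    "CFID=1234; expires=Wed, 09 Jun 2021 10:18:14 GMT; path=/",  # cfcookie EXPIRES="NOW"
    "JSESSIONID=abc123; path=/",                                 # not audited by this script
]
```

Run `audit(SAMPLE_HEADERS)` against headers copied from a browser's network inspector or a curl -i response; any "persistent" verdict means the cookie is still being written to disk.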
Additional Information
Related TechNotes:
- Cookies and cflocation
- Macromedia Security Zone
- ColdFusion 4.5.1 SP2 and Up: Recommended settings for client variable storage
- Security Best Practice: URL session variables and HTTP_REFERER
- How to set a 'domain cookie' with ColdFusion 4.0.x
- Do not set blank cookies with cfcookie