How to guarantee unique CFToken values
Issue
By default, Macromedia ColdFusion Server versions 4.5 and 5 assign a random eight-digit integer as the CFTOKEN value; ColdFusion MX uses a cryptographic-strength generator to produce its random eight-digit CFTOKEN value. ColdFusion Server no longer validates any part of this token, so a user can reassign it to any value they choose, and it is possible for the same CFTOKEN value to be issued to more than one user. This TechNote describes a simple change that makes ColdFusion Server generate globally unique CFTOKENs.
Important note: Although this is a rare occurrence, it is a security problem if the same CFTOKEN value is used to validate a user session and is assigned to two different users.
Solution
To ensure globally unique CFTOKENs, use the following steps:
For ColdFusion 4.5 and 5:
On Windows:
- Select Start > Run.
- Type "regedit" and click OK.
- Navigate to the following registry key:
  HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken
  If the value does not exist, right-click the Clients key and choose New > String Value. Name the value UuidToken (note the case).
- Right-click the UuidToken value and select Modify.
- Enter a non-zero string value (for example, 1).
- Restart the ColdFusion Application Server service.
On Linux/Unix:
- Stop the ColdFusion processes (./cf_root/bin/stop -force).
- Open the cf_root/registry/cf.registry file in an editor (vi, emacs, etc.).
- Navigate to the following registry key:
  hkey_local_machine\software\allaire\coldfusion\currentversion\clients:7
- Add the following entry (note the case) for this key on the line below the "TimeOut" entry:
  UuidToken:1;REG_SZ
- Save the file and close the editor.
- Restart the ColdFusion processes (./cf_root/bin/start).
For ColdFusion MX and MX 6.1:
- Log in to the ColdFusion Administrator.
- Click Settings in the left navigation.
- Check the box next to "Use UUID for CFTOKEN."
- Click the "Submit Changes" button.
- Log out of the ColdFusion Administrator.
- Restart the ColdFusion MX Application Server service.
With UuidToken enabled, ColdFusion Server 4.5 and 5 create the CFTOKEN value by generating a random number with the same algorithm as before and concatenating it with a UUID (Universally Unique ID), which is guaranteed to be globally unique. The random number prevents users from guessing UUIDs. It also makes database lookups more efficient: only a small portion of a UUID changes between successive CFTOKEN assignments, whereas the random prefix differs for every token. A typical ColdFusion 4.5 and 5 CFTOKEN looks similar to the following: 57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5.
ColdFusion MX creates the UUID CFTOKEN by prepending a random 16-digit hexadecimal number (64 bits) to a ColdFusion UUID value. The resulting 52-character CFTOKEN value looks similar to the following: 3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9.
ColdFusion Server 4.5 users who enable the UuidToken registry key and who store client variable information in a database must increase the size of the 'cfid' field in the CDATA and CGLOBAL tables of their client storage database. Change the field from 20 characters to a minimum of 50 characters to accommodate the longer CFTOKEN value; a value that exceeds the column width is truncated or rejected, and the stored token no longer matches the one the client presents.
In ColdFusion Server 5 and above, the default size for the client database fields is 64 characters, so no changes are required for the client database tables it creates.
In general, users may have to modify fixed-length limits in other applications (for example, increase the character limit on a form field or the size of a database field) if they store the CFTOKEN value in a fixed-length field.
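The following audit script is an added example, not Macromedia's code and not part of the original TechNote. It classifies CFTOKEN values into the three formats described above using regular expressions derived from the two sample tokens, estimates with the birthday bound how likely a duplicate is among the default eight-digit tokens (assuming 10^8 equally likely values), emulates only the layout of the MX UUID form so its length can be checked, and reports which tokens would not fit a fixed-length client-storage column of a given width. The two eight-digit sample tokens are constructed; the 1 to 8 hex-digit random prefix allowed for the 4.5/5 form and the use of uuid4 for the UUID portion are assumptions.

```python
"""Audit CFTOKEN values: classify format, estimate collision risk, check storage width.

Added example, not Macromedia's code. The regexes are derived from the sample
tokens in the TechNote; the width of the random prefix in the CF 4.5/5 form
(1-8 hex digits) is an assumption.
"""
import math
import re
import secrets
import uuid

# CF 4.5/5 default: a random eight-digit integer.
LEGACY_RE = re.compile(r"^\d{8}$")
# CF 4.5/5 with UuidToken: <random hex>-<standard 8-4-4-4-12 UUID>
CF5_UUID_RE = re.compile(
    r"^[0-9a-f]{1,8}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# CF MX with "Use UUID for CFTOKEN": <16 random hex>-<ColdFusion 8-4-4-16 UUID>
CFMX_UUID_RE = re.compile(
    r"^[0-9a-f]{16}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}$", re.I)

# Constructed sample: the first two are the TechNote's own examples, the
# eight-digit values are made up to stand for the default format.
SAMPLE_TOKENS = [
    "57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5",
    "3ee6c307a7278c7b-5278BEA6-1030-C351-3E33390F2EAD02B9",
    "12345678",
    "98765432",
]


def classify(token: str) -> str:
    """Return which CFTOKEN format a value matches, or 'unknown'."""
    if LEGACY_RE.match(token):
        return "legacy-8-digit"
    if CFMX_UUID_RE.match(token):
        return "mx-uuid"
    if CF5_UUID_RE.match(token):
        return "cf5-uuid"
    return "unknown"


def collision_probability(active_tokens: int, space: int = 10**8) -> float:
    """Birthday-bound estimate of P(at least two users share a token).

    Assumes tokens are drawn uniformly from `space` values (10**8 for an
    eight-digit integer) and uses the standard 1 - exp(-n(n-1)/2N) approximation.
    """
    n = active_tokens
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def make_mx_style_token() -> str:
    """Emulate only the layout of an MX UUID-form token (16 hex + '-' + 8-4-4-16).

    This is not ColdFusion's generator: the UUID part comes from uuid4 (an
    assumption) and the prefix from the OS CSPRNG via `secrets`.
    """
    h = uuid.uuid4().hex.upper()            # 32 hex digits
    cf_uuid = f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:]}"
    return f"{secrets.token_hex(8)}-{cf_uuid}"  # token_hex(8) -> 16 hex digits


def audit(tokens, column_width: int) -> dict:
    """Count tokens per format and flag any that exceed a fixed-length column."""
    report = {"legacy-8-digit": 0, "cf5-uuid": 0, "mx-uuid": 0, "unknown": 0, "truncated": 0}
    for t in tokens:
        report[classify(t)] += 1
        if len(t) > column_width:   # would be cut or rejected in a CHAR(n)/VARCHAR(n) field
            report["truncated"] += 1
    return report


if __name__ == "__main__":
    for n in (1_000, 10_000):
        print(f"{n:>6} live eight-digit tokens: duplicate probability ~ {collision_probability(n):.3f}")
    print("CF 4.5 default cfid width (20):", audit(SAMPLE_TOKENS, 20))
    print("CF 5+ default width (64):      ", audit(SAMPLE_TOKENS, 64))
    t = make_mx_style_token()
    print(f"MX-style token {t} -> {classify(t)}, {len(t)} chars")
```

Run it against tokens pulled from your own client-storage tables or web server logs: any "legacy-8-digit" hits mean the server is still issuing the default format, and the collision estimate shows why "rare" depends on how many tokens are live at once (with 10,000 concurrent tokens the birthday bound already puts the chance of at least one duplicate near 40 percent). The MX-style token is 52 characters, which fits the 64-character default but not a 20-character column.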
Additional Information
Related TechNotes:
- Macromedia Security Zone
- How to write ColdFusion session variables as per-session cookies
- ColdFusion 4.5.1 SP2 and Up: Recommended settings for client variable storage
- Security Best Practice: URL session variables and HTTP_REFERER
