CFML Sessions for Dummies

Transcript

1. CFML Sessions for Dummies Eric Peterson

2. What this talk isn't ! · Live coding · Outlining

   best practices · For people who use sessions and either already know or don't care that much how they work

3. What this talk is ! · Theory — definitions and

   examples · Understanding the what and the why rather than the when would I use this · For people who use sessions and don't know how they work

4. Other Sessions Right Now · PostCSS: A Dumb Name For

   An Awesome Thing Room 238 · SQL Server Tips For Everyday Programmers Room 334 · Crash Course In Ionic & AngularJS Auditorium

5. Who am I? Eric Peterson ! Utah " O.C. Tanner

   # 1 wife, 1 kid

6. What is a session?

7. Disclaimer: Out of the box setup (Other setups later)

8. What is a session? · Data stored in memory on

   the server · Client variables used to access the data on the server

9. Data stored in memory on the server

10. Data stored in memory on the server · Data is

    lost when not accessed within a time-out period · Data is available only to a single client and application · Any CFML data type can be stored

11. Data stored in memory on the server Data is accessed

    by using a combination of a CFID and a CFTOKEN · CFID: A sequential client identifier · CFTOKEN: A random client security token

12. What do you get in the session scope by default?

13. And any data you add yourself! session.simpleValue = 5; session.complexValue

    = [ { id = 1, permissions = [/* ... */] } ]; session.user = new User(/* ... */);

14. Other Facts · CFID and CFTOKEN are reused by the

    client when starting new sessions (if possible) · Someone with your CFID and CFTOKEN could access your session · For this, reason it's bad to pass it in the query string. Use Client Variables instead

15. Client variables used to access the data on the server

16. Client Variables = Cookies

17. Default Cookies stored when using Sessions

18. Client variables used to access the data on the server

    If you didn't use cookies, you'd have to pass these values in the url or form every time Which makes them very easy to steal and hijack a session

19. So don't do that! !

20. Enabling Sessions in your CFML Applications

21. Enabling Sessions in your CFML Applications component { // Required

    this.name = 'MyAwesomeApp'; this.sessionManagement = true; // Optional: default timeout is 20 minutes this.sessionTimeout = createTimeSpan(0, 0, 45, 0); }

22. Session Lifecycle

23. What starts a session?

24. A user coming to your website

25. During a Session

26. Reading and Writing to the Session // write values to

    the session session.favorites = [1, 45, 67, 109]; // read values from the session local.favorites = session.favorites; // though, it is smart to check that // the value exists first. if (structKeyExists(session, 'favorites')) { local.favorites = session.favorites; } else { local.favorites = []; }

27. Session Locks

28. Session Locks function getProductCount() { lock scope="session" type="read" timeout="2" throwontimeout="true"

    { return session.items; } } function incrementProductCount(count) { lock scope="session" type="exclusive" timeout="2" throwontimeout="true" { session.items += count; } }

29. When do you use session locks? Race Conditions

30. SessionRotate() Available in ACF10+ and Lucee 4.5+ 1. Invalidates the

    current session 2. Creates a new session 3. Migrates the data from the old to the new 4. Overwrites the old cookies with the new

31. "Best Practices" · Keep your session scope small · Only

    store lookup values in your session scope (like userId) · Especially avoid storing values shared between users in the session scope · SessionRotate() a!er a successful login1 1 See Learn CF in a Week for more session security tips

32. Ending a Session

33. What does not end a session? · Logging out ·

    Closing the browser · structClear(session)

34. What does end a session? · Session Timeout · sessionInvalidate()

    (ACF10+ and Lucee 4.5+)

35. Session Lifecycle Methods function onSessionStart() { // set defaults for

    session values // you want to make sure are available session.sessionStartedAt = Now(); } function onSessionEnd(applicationScope, sessionScope) { if (sessionScope.isShopping) { // clean up any long standing objects // Log any important messages applicationScope.shoppingInsightLogger.info( 'User timed out while shopping at #Now()#' ); } }

36. J2EE Sessions

37. J2EE Sessions · Uses the servlet (e.g. Tomcat) for session

    management · Share session information between ColdFusion and other servlet applications

38. J2EE Sessions · Does not reuse the session identifiers ·

    Generates a new identifier for each session, reducing the impact of the the! of the token · Can terminate the session manually getPageContext().getSession().invalidate();

39. ColdFusion Sessions vs. J2EE Sessions Which should you use?

40. Storing your session data elsewhere (Not in memory on the

    server)

41. First off, Why?

42. Server Clusters

43. Server Clusters If your session information is being stored in

    the memory of a server, then only that one server can handle all your requests. In other words, you can't scale.

44. What are our options? · Don't use the session scope

    ! · Store the session scope somewhere else "

45. The Hard Way: Manual Session Management

46. Do it yourself ! function onRequestStart() { var urlToken =

    'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken; var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' }); StructAppend( session, sessionClient.get(id = urlToken, deserialize = true), true ); } function onRequestEnd() { var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken; var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' }); sessionClient.set(id = urlToken, session ); }

47. One Easy Way: Session Storages (Requires ColdFusion 2016+ or Lucee

    4.5+)

48. Done

49. Another Easy Way: J2EE Sessions Sticky sessions at the servlet

    level

50. Done

51. Extras

52. First, Session Fixation An attacker provides the session identifiers in

    order to try and know them <a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2"> Click here for free stuff! </a>

53. How this can cause Session Loss More than one CFML

    application on the same domain2 2 Pete Freitag, Session Loss and Session Fixation in ColdFusion, March 01, 2013

54. HTTPOnly Cookies · These cookies are only available over HTTP

    connections, NOT Javascript

55. HTTPOnly Cookies Set once for the entire application // CF

    10+ & Lucee 4.5+ this.sessioncookie.httponly = true; # Java JVM args (CF 9.0.1+) -Dcoldfusion.sessioncookie.httponly=true

56. HTTPOnly Cookies OR set them manually <!-- CF 9+ &

    Lucee 4.5+ --> <cfcookie name="CFID" value="#sessoin.cfid#" httponly="true" /> <!-- CF 8 and lower --> <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />

57. SSL Enable the secure flag on your cookies // CF

    10+ & Lucee 4.5+ this.sessioncookie.secure = true; <!-- CF 9+ & Lucee 4.5+ --> <cfcookie name="CFID" value="#sessoin.cfid#" httponly="true" secure="true" /> <!-- CF 8 and lower --> <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />

58. Turning off client management If you are setting your own

    cookies, remember to turn off client management // Application.cfc component { this.clientmanagement = false; }

59. Questions !

60. Other talks at dev.Objective() Live Testing a Legacy App Thursday

    1:45 PM to 2:45 PM

61. Thank You!! elpete @_elpete ! dev.elpete.com