CFML Sessions for Dummies


An introduction to CFML sessions (with a bit of J2EE sessions sprinkled in).


Eric Peterson

June 16, 2016

Transcript

  1. CFML Sessions for Dummies · Eric Peterson

  2. What this talk isn't
    · Live coding
    · Outlining best practices
    · For people who use sessions and either already know or don't care that much how they work

  3. What this talk is
    · Theory: definitions and examples
    · Understanding the what and the why rather than the "when would I use this"
    · For people who use sessions and don't know how they work

  4. Other Sessions Right Now
    · PostCSS: A Dumb Name For An Awesome Thing (Room 238)
    · SQL Server Tips For Everyday Programmers (Room 334)
    · Crash Course In Ionic & AngularJS (Auditorium)

  5. Who am I? Eric Peterson
    · Utah
    · O.C. Tanner
    · 1 wife, 1 kid

  6. What is a session?

  7. Disclaimer: Out of the box setup (Other setups later)

  8. What is a session?
    · Data stored in memory on the server
    · Client variables used to access the data on the server

  9. Data stored in memory on the server

  10. Data stored in memory on the server
    · Data is lost when not accessed within a time-out period
    · Data is available only to a single client and application
    · Any CFML data type can be stored

  11. Data stored in memory on the server
    · Data is accessed by using a combination of a CFID and a CFTOKEN
    · CFID: A sequential client identifier
    · CFTOKEN: A random client security token

  12. What do you get in the session scope by default?

  13. And any data you add yourself!

      session.simpleValue = 5;
      session.complexValue = [ { id = 1, permissions = [/* ... */] } ];
      session.user = new User(/* ... */);

  14. Other Facts
    · CFID and CFTOKEN are reused by the client when starting new sessions (if possible)
    · Someone with your CFID and CFTOKEN could access your session
    · For this reason it's bad to pass them in the query string. Use client variables (cookies) instead

  15. Client variables used to access the data on the server

  16. Client Variables = Cookies

  17. Default Cookies stored when using Sessions

  18. Client variables used to access the data on the server
    · If you didn't use cookies, you'd have to pass these values in the URL or form every time
    · That makes them very easy to steal (logs, browser history, Referer headers, shared links), and whoever has them can hijack the session

  19. So don't do that!

  20. Enabling Sessions in your CFML Applications

  21. Enabling Sessions in your CFML Applications

      component {
          // Required
          this.name = 'MyAwesomeApp';
          this.sessionManagement = true;
          // Optional: default timeout is 20 minutes
          this.sessionTimeout = createTimeSpan(0, 0, 45, 0);
      }

  22. Session Lifecycle

  23. What starts a session?

  24. A user coming to your website

  25. During a Session

  26. Reading and Writing to the Session

      // write values to the session
      session.favorites = [1, 45, 67, 109];

      // read values from the session
      local.favorites = session.favorites;

      // though, it is smart to check that the value exists first.
      if (structKeyExists(session, 'favorites')) {
          local.favorites = session.favorites;
      } else {
          local.favorites = [];
      }

  27. Session Locks

  28. Session Locks

      function getProductCount() {
          // cflock's type attribute is "readonly" or "exclusive"; many readers may hold
          // a readonly lock at once, but none while a writer holds the exclusive lock
          lock scope="session" type="readonly" timeout="2" throwontimeout="true" {
              return session.items;
          }
      }

      function incrementProductCount(count) {
          lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
              session.items += count;
          }
      }

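The slide shows the two lock types in isolation. The following is an added example, not code from the talk, that puts them together around a session-scoped shopping cart: the unsafe read-modify-write beside its locked form, a double-checked lazy initialisation, and what to do when the lock wait expires. The names (`cart`, `addToCart`, `itemCount`, `getCart`, `tryAddToCart`) are this example's own; the reason the locks matter is that two requests from the same client (two tabs, or a page firing several AJAX calls) are served by two threads at once.

```cfml
// Added example (not from the talk): a session-scoped cart with the lock
// discipline from the slides. Names are this example's own.
component {

    // RACE: two concurrent calls can both read 3 and both write 4 (lost update).
    public numeric function addToCartUnsafe(required numeric productId, numeric qty = 1) {
        var key = toString(arguments.productId);
        if (!structKeyExists(session, "cart")) {
            session.cart = {};
        }
        var current = structKeyExists(session.cart, key) ? session.cart[key] : 0;
        session.cart[key] = current + arguments.qty;   // another thread may have written in between
        return session.cart[key];
    }

    // SAFE: the whole read-modify-write runs under one exclusive lock. The short
    // timeout plus throwontimeout="true" makes a stuck request fail loudly rather
    // than quietly corrupting the cart.
    public numeric function addToCart(required numeric productId, numeric qty = 1) {
        var key = toString(arguments.productId);
        lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
            if (!structKeyExists(session, "cart")) {
                session.cart = {};
            }
            var current = structKeyExists(session.cart, key) ? session.cart[key] : 0;
            session.cart[key] = current + arguments.qty;
            return session.cart[key];
        }
    }

    // Readers share a readonly lock: they only wait while a writer holds the
    // exclusive lock, so they never observe a half-updated cart.
    public numeric function itemCount() {
        lock scope="session" type="readonly" timeout="2" throwontimeout="true" {
            if (!structKeyExists(session, "cart")) {
                return 0;
            }
            var total = 0;
            for (var id in session.cart) {
                total += session.cart[id];
            }
            return total;
        }
    }

    // Lazy initialisation with a double check: the cheap readonly lock serves the
    // common case, and the second check under the exclusive lock covers the
    // request that lost the race to create the struct. The returned struct is a
    // reference, so mutate it only through addToCart().
    public struct function getCart() {
        lock scope="session" type="readonly" timeout="2" throwontimeout="true" {
            if (structKeyExists(session, "cart")) {
                return session.cart;
            }
        }
        lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
            if (!structKeyExists(session, "cart")) {
                session.cart = {};
            }
            return session.cart;
        }
    }

    // Surface a lock timeout as a retryable failure instead of a 500 page.
    public struct function tryAddToCart(required numeric productId, numeric qty = 1) {
        try {
            return { ok = true, quantity = addToCart(arguments.productId, arguments.qty) };
        } catch (any e) {
            // e.type is "lock" when the 2-second wait expired
            return { ok = false, reason = e.type & ": " & e.message };
        }
    }
}
```

Note the read lock is taken and released before the exclusive lock in `getCart()`, never nested inside it: a request that holds a readonly lock and then asks for the exclusive lock on the same scope deadlocks against itself.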
  29. When do you use session locks? Race Conditions

  30. SessionRotate() · Available in ACF10+ and Lucee 4.5+
    1. Invalidates the current session
    2. Creates a new session
    3. Migrates the data from the old to the new
    4. Overwrites the old cookies with the new

  31. "Best Practices"
    · Keep your session scope small
    · Only store lookup values in your session scope (like userId)
    · Especially avoid storing values shared between users in the session scope
    · SessionRotate() after a successful login¹

    ¹ See Learn CF in a Week for more session security tips

  32. Ending a Session

  33. What does not end a session?
    · Logging out
    · Closing the browser
    · structClear(session)

  34. What does end a session?
    · Session Timeout
    · sessionInvalidate() (ACF10+ and Lucee 4.5+)

  35. Session Lifecycle Methods

      function onSessionStart() {
          // set defaults for session values you want to make sure are available
          session.sessionStartedAt = Now();
      }

      function onSessionEnd(applicationScope, sessionScope) {
          // the session scope is only reachable through the argument here,
          // and a value you never set must be checked before it is read
          if (structKeyExists(sessionScope, 'isShopping') && sessionScope.isShopping) {
              // clean up any long standing objects
              // Log any important messages
              applicationScope.shoppingInsightLogger.info(
                  'User timed out while shopping at #Now()#'
              );
          }
      }

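Slides 31, 33 and 34 describe what a login and a logout should do: rotate the session on a successful login, keep only a lookup key in it, and end it with sessionInvalidate() rather than structClear(). The following is an added example that does exactly that; it is not code from the talk. `userService` is a hypothetical collaborator whose `authenticate(username, password)` is assumed to return the user's id, or 0 on failure; everything else is built-in CFML (ACF 10+ / Lucee 4.5+ for `sessionRotate()` and `sessionInvalidate()`).

```cfml
// Added example (not from the talk). Assumes a hypothetical userService with
// authenticate(username, password) -> numeric user id (0 = bad credentials).
component {

    public any function init(required any userService) {
        variables.userService = arguments.userService;
        return this;
    }

    public boolean function login(required string username, required string password) {
        var userId = variables.userService.authenticate(arguments.username, arguments.password);
        if (userId == 0) {
            return false;
        }
        // Rotate BEFORE trusting the session with anything. The session the visitor
        // had until now may have been fixed on them by an attacker who handed them a
        // link carrying CFID/CFTOKEN. sessionRotate() invalidates that session,
        // creates a new one, migrates the data and rewrites the cookies, so the old
        // identifiers no longer reach an authenticated session.
        sessionRotate();
        // Store lookup keys only; the user record stays in the database.
        session.userId = userId;
        session.loginAt = now();
        return true;
    }

    public boolean function isLoggedIn() {
        return structKeyExists(session, "userId") && session.userId > 0;
    }

    // Call from onRequestStart for pages that need a user. The second argument
    // (addtoken = false) keeps CFID/CFTOKEN out of the redirect URL.
    public void function requireLogin(string loginPage = "/login.cfm") {
        if (!isLoggedIn()) {
            location(arguments.loginPage, false);
        }
    }

    public void function logout() {
        // Deleting session.userId, or structClear(session), only empties the data:
        // the session itself keeps running until it times out, and the next request
        // with the same identifiers lands back in it. sessionInvalidate() ends it
        // now and fires onSessionEnd().
        sessionInvalidate();
    }
}
```

The ordering inside `login()` is the point: rotating after `session.userId` is set still works, but rotating first means nothing authenticated is ever written under identifiers that were chosen before the user proved who they were.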
  36. J2EE Sessions

  37. J2EE Sessions
    · Uses the servlet container (e.g. Tomcat) for session management
    · Share session information between ColdFusion and other servlet applications

  38. J2EE Sessions
    · Does not reuse the session identifiers
    · Generates a new identifier for each session, reducing the impact of the theft of the token
    · Can terminate the session manually: getPageContext().getSession().invalidate();

  39. ColdFusion Sessions vs. J2EE Sessions Which should you use?

  40. Storing your session data elsewhere (Not in memory on the server)

  41. First off, Why?

  42. Server Clusters

  43. Server Clusters
    If your session information is being stored in the memory of a server, then only that one server can handle all your requests. In other words, you can't scale.

  44. What are our options?
    · Don't use the session scope
    · Store the session scope somewhere else

  45. The Hard Way: Manual Session Management

  46. Do it yourself

      function onRequestStart() {
          var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
          var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
          var stored = sessionClient.get(id = urlToken, deserialize = true);
          // first request from this client: nothing has been stored yet
          if (!isNull(stored)) {
              StructAppend(session, stored, true);
          }
      }

      function onRequestEnd() {
          var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
          var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
          // named and positional arguments can't be mixed, so name both
          sessionClient.set(id = urlToken, value = session);
      }

  47. One Easy Way: Session Storages (Requires ColdFusion 2016+ or Lucee 4.5+)

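The slide names the feature but shows no settings. The following Application.cfc is an added example, not from the talk, of what "session storages" looks like on each engine. `this.sessionStorage` and `this.sessionCluster` are the engines' own keys; the cache name, host, port and password are placeholders, and the ACF host/port/password keys are an assumption to confirm against the docs for your version (they can also be set in the ColdFusion Administrator instead).

```cfml
// Added example (not from the talk): session scope stored outside the local JVM
// heap, so any node in the cluster can serve the request. Cache name, host,
// port and password below are placeholders.
component {

    this.name = "MyAwesomeApp";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 45, 0);

    if (server.coldfusion.productname == "Lucee") {
        // Lucee 4.5+: point the session scope at a cache connection defined in
        // the Lucee admin (e.g. a Redis or EHCache cache named "sessionCache") and
        // re-read it on every request so nodes never serve a stale local copy.
        this.sessionStorage = "sessionCache";
        this.sessionCluster = true;
    } else {
        // ColdFusion 2016+: external Redis session storage.
        this.sessionStorage = "redis";
        this.sessionCluster = true;
        // Assumption: these three keys exist in your CF version; otherwise the
        // Redis connection is configured in the Administrator instead.
        this.sessionStorageHost = "redis.internal.example";
        this.sessionStoragePort = 6379;
        this.sessionStoragePassword = "change-me";
    }
}
```

Two operational caveats follow from moving sessions off the node: everything put in `session` must now be serialisable (CFC instances with open connections or closures are not), and the Redis/cache endpoint holds every user's session data, so it needs the same network isolation and authentication you would give the database.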
  48. Done

  49. Another Easy Way: J2EE Sessions · Sticky sessions at the servlet level

  50. Done

  51. Extras

  52. First, Session Fixation
    An attacker provides the session identifiers in order to know them in advance:

      <a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2">
        Click here for free stuff!
      </a>

  53. How this can cause Session Loss
    · More than one CFML application on the same domain²

    ² Pete Freitag, Session Loss and Session Fixation in ColdFusion, March 01, 2013

  54. HTTPOnly Cookies
    · These cookies are still sent with every HTTP(S) request, but they are NOT readable from JavaScript (document.cookie), so a script injected through XSS can't exfiltrate them

  55. HTTPOnly Cookies · Set once for the entire application

      // CF 10+ & Lucee 4.5+
      this.sessioncookie.httponly = true;

      # Java JVM args (CF 9.0.1+)
      -Dcoldfusion.sessioncookie.httponly=true

  56. HTTPOnly Cookies · OR set them manually (do the same for CFTOKEN)

      <!--- CF 9+ & Lucee 4.5+ --->
      <cfcookie name="CFID" value="#session.cfid#" httponly="true" />

      <!--- CF 8 and lower --->
      <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />

  57. SSL · Enable the secure flag on your cookies so they are only sent over HTTPS

      // CF 10+ & Lucee 4.5+
      this.sessioncookie.secure = true;

      <!--- CF 9+ & Lucee 4.5+ --->
      <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="true" />

      <!--- CF 8 and lower --->
      <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />

  58. Turning off client management
    · If you are setting your own cookies, remember to turn off client management

      // Application.cfc
      component {
          this.clientmanagement = false;
          // if you write CFID/CFTOKEN yourself, also stop the engine from sending
          // its own copies (which would lack the flags you just set)
          this.setClientCookies = false;
      }

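Slides 54 to 58 set the cookie flags one at a time, and slide 52 shows how a fixation attempt is delivered. The following Application.cfc is an added example, not code from the talk, that combines the two: it applies the flags through the engine's own `this.sessioncookie` settings (so no manual `cfcookie` and no need to touch `setClientCookies`), and it refuses session identifiers that arrive in the query string. `this.sessioncookie.httponly`, `.secure` and `.disableupdate` are the keys the slides and ACF 10+ document; `.samesite` is only in newer engines and is the one assumption to verify for your version. `urlWithoutSessionTokens()` is this example's own helper.

```cfml
// Added example (not from the talk): hardened session cookies plus a guard
// against CFID/CFTOKEN arriving in the URL.
component {

    this.name = "MyAwesomeApp";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 45, 0);
    this.clientManagement = false;

    // CF 10+ & Lucee 4.5+: flags on the engine-issued CFID/CFTOKEN cookies.
    this.sessioncookie.httponly = true;     // not readable via document.cookie
    this.sessioncookie.secure = true;       // only sent over HTTPS
    // ACF 10+: application code (cfcookie/cfheader) cannot overwrite CFID/CFTOKEN.
    this.sessioncookie.disableupdate = true;
    // Assumption: newer engines only (ACF 2021+, recent Lucee 5.3+). Remove the
    // line if your engine rejects the key.
    this.sessioncookie.samesite = "Lax";

    public boolean function onRequestStart(required string targetPage) {
        // A fixation link looks like /?CFID=...&CFTOKEN=... . The engine may already
        // have bound this request to the session those values name, so ignoring
        // them is not enough: rotate to a fresh session, then redirect to the same
        // page without the tokens so they leave the address bar, history and the
        // Referer header. Cookies remain the only accepted channel.
        if (structKeyExists(url, "CFID") || structKeyExists(url, "CFTOKEN")) {
            sessionRotate();
            location(urlWithoutSessionTokens(), false);   // addtoken = false
        }
        return true;
    }

    // Rebuild the current URL minus CFID/CFTOKEN, re-encoding what remains.
    private string function urlWithoutSessionTokens() {
        var keep = [];
        for (var key in url) {
            if (!listFindNoCase("CFID,CFTOKEN", key)) {
                arrayAppend(keep, encodeForURL(key) & "=" & encodeForURL(url[key]));
            }
        }
        return cgi.script_name & (arrayLen(keep) ? "?" & arrayToList(keep, "&") : "");
    }
}
```

This guard only covers CFML sessions; with J2EE sessions the identifier travels as a `;jsessionid=` path parameter rather than a URL variable, so the check would have to look at the request path instead.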
  59. Questions

  60. Other talks at dev.Objective()
    · Live Testing a Legacy App, Thursday 1:45 PM to 2:45 PM

  61. Thank You!! · elpete · @_elpete · dev.elpete.com