
CFML Sessions for Dummies


An introduction to CFML sessions (with a bit of J2EE sessions sprinkled in).

Eric Peterson

June 16, 2016

Transcript

  1. What this talk isn't
     · Live coding
     · Outlining best practices
     · For people who use sessions and either already know or don't care that much how they work
  2. What this talk is
     · Theory: definitions and examples
     · Understanding the what and the why rather than the "when would I use this"
     · For people who use sessions and don't know how they work
  3. Other Sessions Right Now
     · PostCSS: A Dumb Name For An Awesome Thing (Room 238)
     · SQL Server Tips For Everyday Programmers (Room 334)
     · Crash Course In Ionic & AngularJS (Auditorium)
  4. What is a session?
     · Data stored in memory on the server
     · Client variables used to access the data on the server
  5. Data stored in memory on the server
     · Data is lost when not accessed within a time-out period
     · Data is available only to a single client and application
     · Any CFML data type can be stored
  6. Data stored in memory on the server
     Data is accessed by using a combination of a CFID and a CFTOKEN
     · CFID: a sequential client identifier
     · CFTOKEN: a random client security token
  7. And any data you add yourself!
      session.simpleValue = 5;
      session.complexValue = [ { id = 1, permissions = [/* ... */] } ];
      session.user = new User(/* ... */);
  8. Other Facts
     · CFID and CFTOKEN are reused by the client when starting new sessions (if possible)
     · Anyone who has your CFID and CFTOKEN can access your session
     · For this reason it's bad to pass them in the query string; send them as client variables (cookies) instead
  9. Client variables used to access the data on the server
     If you didn't use cookies, you'd have to pass these values in the URL or a form on every request,
     which makes them very easy to steal (server logs, Referer headers, shared links) and use to hijack a session.
  10. Enabling Sessions in your CFML Applications
      component {
          // Required
          this.name = 'MyAwesomeApp';
          this.sessionManagement = true;
          // Optional: default timeout is 20 minutes
          this.sessionTimeout = createTimeSpan(0, 0, 45, 0);
      }
  11. Reading and Writing to the Session
      // write values to the session
      session.favorites = [1, 45, 67, 109];

      // read values from the session
      local.favorites = session.favorites;

      // though, it is smart to check that
      // the value exists first.
      if (structKeyExists(session, 'favorites')) {
          local.favorites = session.favorites;
      } else {
          local.favorites = [];
      }
  12. Session Locks
      function getProductCount() {
          lock scope="session" type="read" timeout="2" throwontimeout="true" {
              return session.items;
          }
      }

      function incrementProductCount(count) {
          lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
              session.items += count;
          }
      }
  13. SessionRotate()
      Available in ACF10+ and Lucee 4.5+
      1. Invalidates the current session
      2. Creates a new session
      3. Migrates the data from the old session to the new one
      4. Overwrites the old cookies with the new ones
  14. "Best Practices"
     · Keep your session scope small
     · Only store lookup values in your session scope (like userId)
     · Especially avoid storing values shared between users in the session scope
     · SessionRotate() after a successful login¹

     ¹ See Learn CF in a Week for more session security tips
  15. What does not end a session?
     · Logging out
     · Closing the browser
     · structClear(session)
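The login and logout flow that slides 13 to 15 describe, as an added example (not code from the deck or from any project). It assumes a hypothetical userService whose authenticate(username, password) returns a struct with an "id" key on success and an empty struct on failure, and ACF10+ or Lucee 4.5+ for sessionRotate() and sessionInvalidate().

```cfml
// Added example, not from the deck: login rotates the session before anything
// sensitive is stored, logout actually invalidates it rather than just clearing it.
component {

    // userService is a hypothetical collaborator, injected so the component can be tested
    function init(required any userService) {
        variables.userService = arguments.userService;
        return this;
    }

    // Returns true on success. sessionRotate() discards the identifiers the client
    // arrived with (which an attacker may have fixed or observed) and moves the
    // session data to a fresh CFID/CFTOKEN pair before we store anything useful.
    function login(required string username, required string password) {
        var user = variables.userService.authenticate(arguments.username, arguments.password);
        if (structIsEmpty(user)) {
            return false;
        }
        sessionRotate();
        // keep the session small: store the lookup value, not the User object
        lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
            session.userId = user.id;
        }
        return true;
    }

    // Read under a read lock, and check for the key rather than assuming it exists
    function isLoggedIn() {
        lock scope="session" type="read" timeout="2" throwontimeout="true" {
            return structKeyExists(session, "userId");
        }
    }

    // structClear(session) alone leaves the session alive under the same CFID/CFTOKEN;
    // invalidating it makes those identifiers stop resolving to any data.
    function logout() {
        structClear(session);
        sessionInvalidate();
    }
}
```

Call login() from the form handler that receives the credentials and redirect afterwards; any page that needs a user then reads session.userId and loads the User object per request instead of keeping it in the session.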
  16. Session Lifecycle Methods
      function onSessionStart() {
          // set defaults for session values
          // you want to make sure are available
          session.sessionStartedAt = Now();
      }

      function onSessionEnd(applicationScope, sessionScope) {
          // the session scope is only reachable through the argument here
          if (structKeyExists(sessionScope, 'isShopping') && sessionScope.isShopping) {
              // clean up any long standing objects
              // Log any important messages
              applicationScope.shoppingInsightLogger.info(
                  'User timed out while shopping at #Now()#'
              );
          }
      }
  17. J2EE Sessions
     · Uses the servlet container (e.g. Tomcat) for session management
     · Shares session information between ColdFusion and other servlet applications
  18. J2EE Sessions
     · Does not reuse the session identifiers
     · Generates a new identifier for each session, reducing the impact of the theft of the token
     · Can terminate the session manually:
      getPageContext().getSession().invalidate();
  19. Server Clusters
      If your session information is stored in the memory of one server, then only that server
      can handle that client's requests. In other words, you can't scale.
  20. What are our options?
     · Don't use the session scope
     · Store the session scope somewhere else
  21. Do it yourself
      function onRequestStart() {
          var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
          var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
          // pull this client's stored session (if there is one) into the in-memory scope
          var stored = sessionClient.get(id = urlToken, deserialize = true);
          if (!isNull(stored)) {
              structAppend(session, stored, true);
          }
      }

      function onRequestEnd() {
          var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
          var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
          // write the (possibly updated) session back so any node can serve the next request
          // (named arguments throughout: CFML does not allow mixing named and positional ones)
          sessionClient.set(id = urlToken, value = session);
      }
  22. First, Session Fixation
      An attacker supplies the session identifiers so that they know them in advance:
      <a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2">
          Click here for free stuff!
      </a>
  23. How this can cause Session Loss
      More than one CFML application on the same domain²

      ² Pete Freitag, Session Loss and Session Fixation in ColdFusion, March 01, 2013
  24. HTTPOnly Cookies
      Set once for the entire application
      // CF 10+ & Lucee 4.5+
      this.sessioncookie.httponly = true;

      # Java JVM args (CF 9.0.1+)
      -Dcoldfusion.sessioncookie.httponly=true
  25. HTTPOnly Cookies
      OR set them manually (CFTOKEN needs the same treatment)
      <!-- CF 9+ & Lucee 4.5+ -->
      <cfcookie name="CFID" value="#session.cfid#" httponly="true" />

      <!-- CF 8 and lower -->
      <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />
  26. SSL
      Enable the secure flag on your cookies so they are only sent over HTTPS
      // CF 10+ & Lucee 4.5+
      this.sessioncookie.secure = true;

      <!-- CF 9+ & Lucee 4.5+ -->
      <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="true" />

      <!-- CF 8 and lower -->
      <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />
  27. Turning off automatic session cookies
      If you are setting your own cookies, remember to stop ColdFusion from sending its own
      CFID/CFTOKEN cookies (which would otherwise overwrite yours without the flags)
      // Application.cfc
      component {
          this.setClientCookies = false;
      }
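Putting slides 22 to 26 together: an Application.cfc that applies the cookie settings once for the whole application and also guards against the fixation case, where the identifiers arrive in the URL or a form post rather than in a cookie. This is an added example, not code from the deck or any project; it assumes ACF10+ or Lucee 4.5+ (for the this.sessioncookie settings and sessionRotate()), and the sessionIdsInRequest() helper is hypothetical.

```cfml
// Application.cfc (added example, not from the deck)
component {
    this.name = "MyAwesomeApp";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 45, 0);

    // Session cookie flags, set once for the entire application
    this.sessioncookie.httponly = true;   // not readable from JavaScript
    this.sessioncookie.secure   = true;   // only sent over HTTPS

    function onRequestStart(required string targetPage) {
        // CFID/CFTOKEN should only ever arrive in cookies. A pair in the query
        // string or form body means either someone chose it for this client
        // (fixation) or it is being leaked through logs and Referer headers.
        if (sessionIdsInRequest()) {
            // Rotate: the pair the attacker knows stops mapping to any session
            // data, and the client receives a fresh pair in (flagged) cookies.
            sessionRotate();
        }
        return true;
    }

    function onSessionStart() {
        session.sessionStartedAt = now();
    }

    // Hypothetical helper: true when session identifiers were supplied in the
    // URL or form scope instead of a cookie. Scope key lookups are case-insensitive.
    private boolean function sessionIdsInRequest() {
        var keys = ["CFID", "CFTOKEN"];
        for (var key in keys) {
            if (structKeyExists(url, key) || structKeyExists(form, key)) {
                return true;
            }
        }
        return false;
    }
}
```

Rotating on every request that carries identifiers in the URL is deliberate: a single attacker-supplied link is then enough to trigger a fresh pair, and ordinary users never send the identifiers this way because the cookies do it for them.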