Longer Session Tokens

Posted At : 28 July 2008 13:46 | Posted By : Glyn Jackson
Related Categories: Security, ColdFusion

Like most of my web applications I use sessions at some point to store information such as login information. I do this by utilizing Session Tokens so that the server can identity who is who. However if you have ever looked at the default session id you may have noticed it is relative easy to guess. If your using the Coldfusion Default Session Management it's made up of the Application name, CFID and CFTOKEN. This creates a unique session ID apart from the app name its only numbers NOT letters or any special characters.

There is a very simple way to make the session ID harder to guess and that is to make use of the Universally Unique Identifier (UUID) for CFTOKENS. UUID creates a 35-character string representation of a unique 128-bit integer. Quote: http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000436.htm

To turn-on UUID go to the ColdFusion Administrator and under setting click "Use UUID for cftoken"

Simple, harder to guess session IDs.

This is just one way to help secure your session ids and by no means the only, but its there to use in CF Admin and not many change it from the default!

Comments Comments (2) | Print Print | Send Send | 1155 Views | Bookmark and Share

Related Blog Entries

TweetBacks
Comments
[Add Comment] [Subscribe to Comments]
Steve's Gravatar You could also use J2EE servlet session management, thats more secure right?
# Posted By Steve | 13/08/08 22:45
Glyn's Gravatar As stated, its by no means the only way. ColdFusion Server can use either the default ColdFusion session management including UUID or J2EE servlet session management. The J2EE session scope is serializable allowing you to share the sessionbetween ColdFusion pages JSP and Java servlets which is an advantage over ColdFusion default.

My post was more in concern of how guessable the session id is. In comparison to UUID, personally I think UUID is more secure using both letters and numbers for the ID.

CF session = (ApplicationName + CFID + CFTOKEN) e.g myApp_4113_41342
J2EE session = (jsessionid ) e.g 20102916601011786701851
UUID session = (ApplicationName + CFID + CFTOKEN) e.g 5dbd2148f73730cf-520DAB22-4762-3D9E-F63219AD42A329EC
# Posted By Glyn | 13/08/08 23:38
[Add Comment]
 

About Me

Glyn Jackson, 28 years old, MD and senior developer of a development firm based in Staffordshire called Newebia Ltd. Academic background in BSc Information System & Internet Commerce. Online marketing expert (EE Ranked) and .NET developer. Has been developing with ColdFusion for 5 years and loves it. "I am not a veteran in ColdFusion but I do work on challenging projects which help me learn more about ColdFusion and if I can contribute to the community in anyway then, it's all good!"

Recommends

  • ColdFusion