Perhaps I should have thought a little longer ...
My real question probably should be:
Is there evidence that CFTOKEN is predictable, i.e. not very random?
--- Dave DeVol <[EMAIL PROTECTED]> wrote:
>
> I use client sessions too and do hijack security by setting another
> cookie
> called cfunique. I then add this to the client session. Something
> like:
>
> <!---when they log in--->
> <cfif not isdefined("cookie.cfunique")>
> <cfcookie name="cfunique" value="#createUUID()#"
> domain=".yourDomain.com">
> </cfif>
>
> <!---app_globals--->
> <cfif isdefined("client.cfunique")>
> <cfparam default="0" name="cookie.cfunique">
> <cfif comparenocase("#cookie.cfunique#", "#client.cfunique#")>
> <cfinclude template = "act_bootEm.cfm">
> </cfif>
> </cfif>
>
> ----- Original Message -----
> From: "Luke Bartholomew" <[EMAIL PROTECTED]>
> To: "Fusebox" <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2001 10:36 AM
> Subject: client variable hijack
>
>
> > to anyone who can help,
> >
> > I have recently launched a rather complex application developed using the
> > XFB specification and have a serious problem with the security. The security
> > system is based upon the XFB outlined by Hal Helms, using the user_groups
> > database table to allow administrators to be set up. The entire system only
> > relies upon client variables and non-persistent cookies to maintain state
> > management - no session, application or server variables are used. The
> > cfapplication tag is placed at the top of each index.cfm file as below:
> >
> > <cfif NOT IsDefined( 'application.applicationName' )>
> > <cfapplication name="appname" clientmanagement="Yes">
> > </cfif>
> >
> > The index.cfm file follows the XFB specification - and cfinclude's the
> > app_globals.cfm file.
> >
> > Inside the app_globals.cfm file is the following script to kill session
> > cookies if browser is closed:
> >
> > <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
> > <cfset cfid_local = Cookie.CFID>
> > <cfset cftoken_local = Cookie.CFTOKEN>
> > <cfcookie name="CFID" value="#cfid_local#">
> > <cfcookie name="CFTOKEN" value="#cftoken_local#">
> > </cfif>
> >
> > And the client.urltoken is set to the request scope:
> >
> > <cfscript>
> > // set urltoken
> > request.urltoken=client.urltoken;
> > </cfscript>
> >
> > Then the request.urltoken variable is passed at every request to the server
> > - either on the end of the url string or in a form (I have looked into this
> > on the allaire website which suggests that this is not a very secure way of
> > state management).
> >
> > The problem is that once I log into the application occasionally I inherit
> > someone else's client variables which is obviously very undesirable.
> >
> > The login script is nothing unusual and basically validates information
> > posted from a form against information held in the database - and then sets
> > the necessary client variables for email, client id and last login. There
> > is also a login script which runs through Flash, but it is basically the same
> > as the other.
> >
> > Thanks
> >
> > Luke B.
> >
> >
>
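Added example, not written by anyone in this thread: a small Python model of the hijack check Dave describes (a second random cookie bound into the client scope at login and re-checked on every request), run against the symptom Luke reports, where a second browser turns up holding the same CFID/CFTOKEN pair. It also carries a helper for the question at the top of the thread, since "predictable" is really a statement about how many bits of guessing work a token represents. Everything here is constructed: the SessionStore and ClientRecord names, the cookie-jar dicts, the CFID/CFTOKEN values, and the assumption that booting discards the client record (the thread never shows what act_bootEm.cfm does); secrets.token_urlsafe stands in for createUUID().

```python
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of ColdFusion's client scope: records are keyed by the
# (CFID, CFTOKEN) pair the server reads from the cookies on each request.
Key = Tuple[str, str]


@dataclass
class ClientRecord:
    email: str
    unique: Optional[str] = None  # value bound from the separate 'cfunique' cookie at login


class SessionStore:
    def __init__(self) -> None:
        self.clients: Dict[Key, ClientRecord] = {}
        self.boot_log: List[str] = []

    def login(self, cfid: str, cftoken: str, email: str, cookies: Dict[str, str]) -> str:
        """Login-time block: mint a cfunique cookie if the browser has none and
        bind that value into the client scope. secrets.token_urlsafe stands in
        for createUUID(); 'cookies' is the browser's cookie jar (a constructed dict)."""
        if "cfunique" not in cookies:
            cookies["cfunique"] = secrets.token_urlsafe(16)
        self.clients[(cfid, cftoken)] = ClientRecord(email=email, unique=cookies["cfunique"])
        return cookies["cfunique"]

    def check_request(self, cfid: str, cftoken: str, cookies: Dict[str, str]) -> Optional[ClientRecord]:
        """Per-request block (app_globals): once the client scope carries a bound
        cfunique, the browser must present the same value or the session is booted."""
        key = (cfid, cftoken)
        rec = self.clients.get(key)
        if rec is None:
            return None
        if rec.unique is None:
            return rec  # not logged in yet, nothing bound
        # <cfparam default="0" name="cookie.cfunique">: a missing cookie counts as "0"
        presented = cookies.get("cfunique", "0")
        # constant-time comparison instead of compareNoCase, so timing leaks nothing
        if not hmac.compare_digest(presented.encode(), rec.unique.encode()):
            self.boot_log.append(f"boot cfid={cfid}: cfunique mismatch")
            del self.clients[key]  # assumption: the boot discards the client variables
            return None
        return rec


def token_bits(alphabet_size: int, length: int) -> float:
    """Guessing work, in bits, for a token of `length` symbols drawn uniformly from
    `alphabet_size` symbols. A generator that is not uniform yields fewer bits than this."""
    return length * math.log2(alphabet_size)


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: Alice logs in; a second browser turns up with the same
    CFID/CFTOKEN pair (the 'inherited client variables' symptom from the thread)
    but without Alice's cfunique cookie."""
    store = SessionStore()
    alice_jar: Dict[str, str] = {}
    other_jar: Dict[str, str] = {}
    cfid, cftoken = "1042", "29837465"  # constructed values

    store.login(cfid, cftoken, "alice@example.test", alice_jar)
    alice_first = store.check_request(cfid, cftoken, alice_jar)  # legitimate request passes
    other = store.check_request(cfid, cftoken, other_jar)        # mismatch: booted
    alice_after = store.check_request(cfid, cftoken, alice_jar)  # record gone, must log in again
    return {
        "alice_first_ok": alice_first is not None and alice_first.email == "alice@example.test",
        "other_rejected": other is None,
        "alice_after_boot": alice_after,
        "boots": len(store.boot_log),
    }


if __name__ == "__main__":
    print(run_scenario())
    print(f"8-digit numeric token: {token_bits(10, 8):.1f} bits; "
          f"32 hex digits: {token_bits(16, 32):.0f} bits")
```

Two things worth noticing when running it. First, the check catches the collision regardless of whether CFTOKEN itself is guessable, because the decision rests on the second cookie, which the other browser never received. Second, booting on mismatch destroys the record for both parties, so the legitimate user is logged out as well; that is the intended cost of the design, not a bug, and the boot log is where an operator would look to see how often it happens.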
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists