John (others)

We ran into that years ago. It’s technically a false positive since it uses both values for the identifier and the other value is not a serial, one up. However we couldn’t get any of the PCI scanners to adjust or seem to care.

So we modified the code in the Application.cfc, where we set the application vars:

        <cfset THIS.SessionManagement = true />
        <cfset THIS.ClientManagement = false />
        <cfset THIS.SetClientCookies = false />

Please note we specifically tell CF to not set client cookies. This eliminates the two cookies for session management, thus eliminating your false positive PCI scan issue.

It does introduce a different problem - we need cookies to manage sessions.

So, within the “OnRequestEnd” function we have the following…

        <!--- get the CFID and CFTOKEN out of the urltoken (format: CFID=...&CFTOKEN=...) --->
        <cfset LOCAL.ID = ListGetAt(ListGetAt(Session.UrlToken, 1, "&"), 2, "=") />
        <cfset LOCAL.TOKEN = ListGetAt(ListGetAt(Session.UrlToken, 2, "&"), 2, "=") />
        <!--- now encrypt them for storage in one (1) cookie --->
        <cfset LOCAL.EncryptedID = Encrypt("#LOCAL.ID#,#LOCAL.TOKEN#", "jduwJsyHyw82kksuGshw", "AES", "HEX") />
        <!--- store the single cookie --->
        <cfcookie name="ID" value="#LOCAL.EncryptedID#">

This combines the token and id values and then encrypts them into a single cookie.

Then either in the base of the Application.cfc, or you could also put it in the “OnRequestStart” function, grab and decrypt the cookie.

        <cfif StructKeyExists( COOKIE, "ID" )>
                <cfset THIS.IdString = Decrypt(COOKIE.ID, "jduwJsyHyw82kksuGshw", "AES", "HEX") />
                <!--- set the url scope variables CF reads the session identifier from --->
                <cfset url.CFID = ListFirst( THIS.IdString ) />
                <cfset url.CFTOKEN = ListRest( THIS.IdString ) />
        </cfif>

This works exceptionally well for us and our needs while eliminating the PCI false positive.
Now my only caveat is we don’t use MongoDB for session… so I’m not sure if this will upset something on that end or not.

Hope it helps some.

Thanks,
Alan Cole
(PGP Key ID: 0x82D8E0C7)
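Added example (not Alan's code, not OpenBD's): the same single-cookie round trip in Python using only the standard library. Since the stdlib has no AES, it authenticates the `ID,TOKEN` payload with an HMAC instead of encrypting it, so a cookie that has been altered is rejected before it is split into CFID/CFTOKEN, a check the Decrypt step above does not perform; the URL token string and the test key are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample standing in for Session.UrlToken (not real session data).
SAMPLE_URLTOKEN = "CFID=1234&CFTOKEN=98765432"

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to the payload


def split_urltoken(urltoken: str) -> Tuple[str, str]:
    """Same extraction as the two nested ListGetAt calls: CFID=..&CFTOKEN=.."""
    fields = dict(part.split("=", 1) for part in urltoken.split("&"))
    return fields["CFID"], fields["CFTOKEN"]


def pack_cookie(cfid: str, cftoken: str, key: bytes) -> str:
    """Combine both values into one cookie: 'ID,TOKEN' plus an integrity tag."""
    payload = f"{cfid},{cftoken}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def unpack_cookie(cookie: str, key: bytes) -> Optional[Tuple[str, str]]:
    """Return (CFID, CFTOKEN) only if the cookie is intact; None otherwise."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare; a modified payload or wrong key fails here,
    # so the values are never handed to the session layer.
    if not hmac.compare_digest(tag, expected):
        return None
    # Equivalent of ListFirst / ListRest on a comma-delimited list.
    cfid, _, cftoken = payload.decode().partition(",")
    return cfid, cftoken


if __name__ == "__main__":
    demo_key = b"constructed demo key - replace in real use"
    cookie = pack_cookie(*split_urltoken(SAMPLE_URLTOKEN), demo_key)
    print("cookie:", cookie)
    print("unpacked:", unpack_cookie(cookie, demo_key))
```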

--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Open 
BlueDragon" group.