What are current CF9.02 Session Cookie Management Best Practices?

<p>Common "best practice" for ColdFusion session cookie management has been to implement something like this:</p>
<pre><code>&lt;cfset this.setClientCookies = false /&gt;
&lt;cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )&gt;
    &lt;cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest"&gt;
    &lt;cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest"&gt;
&lt;/cfif&gt;
</code></pre>
<p>OR</p>
<pre><code>&lt;cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")&gt;
    &lt;cfcookie name="CFID" value="#Cookie.CFID#"&gt;
    &lt;cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#"&gt;
&lt;/cfif&gt;
</code></pre>
<p>depending on who you talk to.</p>
<p>Adobe then released <a href="http://www.adobe.com/support/security/bulletins/apsb11-04.html" rel="noreferrer">http://www.adobe.com/support/security/bulletins/apsb11-04.html</a> and later a fix for this original fix, which is talked about here: <a href="http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html" rel="noreferrer">http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html</a></p>
<p>The original fix causes a lot of issues described here: <a href="http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour" rel="noreferrer">http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour</a> This fix (and a lot of other similar fixes on the web) works by modifying the cfcookie code above.</p>
<p>It's a year later and what I would like to know is what people are currently doing for CFID/CFToken management when running CF9.02 (i.e., with the session fixation fixes applied).</p>
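As an added example (not code from the question or from the posts it links), an Application.cfc that applies the manual CFID/CFTOKEN approach shown above with the cookies scoped to the application path, written as browser-session cookies, marked httponly, and marked secure only when the request arrived over HTTPS. The application name, cookie path and session timeout are assumptions.

```cfml
<!--- Application.cfc: added example, not from the question above. --->
<cfcomponent output="false">
    <!--- Assumed application settings. --->
    <cfset this.name = "sessiontest" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0) />
    <!--- Stop ColdFusion from writing its own persistent CFID/CFTOKEN cookies. --->
    <cfset this.setClientCookies = false />

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <!--- Write the cookies only when the browser is not already carrying the
              identifiers of the current session. This covers a first visit and
              the case where ColdFusion has issued a new session because the
              identifiers it received were not accepted, so the client never keeps
              a stale CFID/CFTOKEN pair. --->
        <cfif NOT structKeyExists(cookie, "CFID")
              OR NOT structKeyExists(cookie, "CFTOKEN")
              OR cookie.CFID NEQ session.CFID
              OR cookie.CFTOKEN NEQ session.CFTOKEN>
            <cfset writeSessionCookies() />
        </cfif>
        <cfreturn true />
    </cffunction>

    <cffunction name="writeSessionCookies" access="private" returntype="void" output="false">
        <!--- No expires attribute: browser-session cookies, discarded when the
              browser closes, instead of the persistent cookies ColdFusion sets
              by default. httponly keeps client-side script from reading them;
              secure is set only on HTTPS requests so the cookie is never sent
              over plain HTTP. The path (assumed) limits them to this application. --->
        <cfset var isHttps = (cgi.SERVER_PORT_SECURE EQ 1) />
        <cfcookie name="CFID" value="#session.CFID#" path="/test/sessiontest"
                  httponly="true" secure="#isHttps#" />
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" path="/test/sessiontest"
                  httponly="true" secure="#isHttps#" />
    </cffunction>
</cfcomponent>
```

A quick check after deploying: inspect the Set-Cookie headers in the browser devtools and confirm CFID/CFTOKEN carry no Expires, the HttpOnly flag, and Secure on HTTPS.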