CFML Sessions For Dummies
What this talk isn't!
· Live coding
· Outlining best practices
· For people who use sessions and either already know or don't care that much how they work
What this talk is!
· Theory — definitions and examples
· Understanding the what and the why rather than the when would I use this
· For people who use sessions and don't know how they work
Other Sessions Right Now
· PostCSS: A Dumb Name For An Awesome Thing (Room 238)
· SQL Server Tips For Everyday Programmers (Room 334)
· Crash Course In Ionic & AngularJS (Auditorium)
What is a session?
· Data stored in memory on the server
· Client variables used to access the data on the server
Data stored in memory on the server
· Data is lost when not accessed within a time-out period
· Data is available only to a single client and application
· Any CFML data type can be stored
Data stored in memory on the server
Data is accessed by using a combination of a CFID and a CFTOKEN
· CFID: A sequential client identifier
· CFTOKEN: A random client security token
And any data you add yourself!
session.simpleValue = 5;
session.complexValue = [ { id = 1, permissions = [/* ... */] } ];
session.user = new User(/* ... */);
Other Facts
· CFID and CFTOKEN are reused by the client when starting new sessions (if possible)
· Someone with your CFID and CFTOKEN could access your session
· For this reason, it's bad to pass them in the query string. Use Client Variables instead
Client variables used to access the data on the server
If you didn't use cookies, you'd have to pass these values in the URL or form every time,
which makes them very easy to steal and hijack a session.
Enabling Sessions in your CFML Applications
component {
    // Required
    this.name = 'MyAwesomeApp';
    this.sessionManagement = true;
    // Optional: default timeout is 20 minutes
    this.sessionTimeout = createTimeSpan(0, 0, 45, 0);
}
Reading and Writing to the Session
// write values to the session
session.favorites = [1, 45, 67, 109];

// read values from the session
local.favorites = session.favorites;

// though, it is smart to check that
// the value exists first.
if (structKeyExists(session, 'favorites')) {
    local.favorites = session.favorites;
} else {
    local.favorites = [];
}
Session Locks
function getProductCount() {
    lock scope="session" type="read" timeout="2" throwontimeout="true" {
        return session.items;
    }
}

function incrementProductCount(count) {
    lock scope="session" type="exclusive" timeout="2" throwontimeout="true" {
        session.items += count;
    }
}
SessionRotate()
Available in ACF10+ and Lucee 4.5+
1. Invalidates the current session
2. Creates a new session
3. Migrates the data from the old to the new
4. Overwrites the old cookies with the new
"Best Practices"
· Keep your session scope small
· Only store lookup values in your session scope (like userId)
· Especially avoid storing values shared between users in the session scope
· SessionRotate() after a successful login [1]
[1] See Learn CF in a Week for more session security tips
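A login and logout flow that applies the two slides above (rotate after a successful login, keep only a lookup value in the session). This is an added example, not code from the talk; it assumes a hypothetical userService whose authenticate() returns a struct with an id key, or an empty struct when the credentials are wrong.

```cfml
// Added example (not from the talk). Assumes a hypothetical userService component
// with authenticate(username, password) returning { id = ... } or an empty struct.
component {

    public boolean function login(required string username, required string password) {
        var user = userService.authenticate(arguments.username, arguments.password);
        if (structIsEmpty(user)) {
            // Bad credentials: leave the anonymous session exactly as it was
            return false;
        }
        // Invalidate the pre-login session and move its data to a fresh CFID/CFTOKEN
        // (ACF10+ / Lucee 4.5+). Any identifier pair that was known before the login
        // is no longer tied to the authenticated session.
        sessionRotate();
        // Store only a lookup value, never the whole user object or shared data
        session.userId = user.id;
        session.loggedInAt = now();
        return true;
    }

    public void function logout() {
        // Remove the authenticated state, then drop the session so the old
        // identifiers cannot be reused (sessionInvalidate: ACF10+ / Lucee 4.5+)
        structDelete(session, 'userId');
        structDelete(session, 'loggedInAt');
        sessionInvalidate();
    }

    public boolean function isLoggedIn() {
        // Check for the key before reading it, as the earlier slide advises
        return structKeyExists(session, 'userId');
    }
}
```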
Session Lifecycle Methods
function onSessionStart() {
    // set defaults for session values
    // you want to make sure are available
    session.sessionStartedAt = now();
}

function onSessionEnd(applicationScope, sessionScope) {
    // check the key exists first: a session that never started shopping has no isShopping value
    if (structKeyExists(sessionScope, 'isShopping') && sessionScope.isShopping) {
        // clean up any long standing objects
        // Log any important messages
        applicationScope.shoppingInsightLogger.info(
            'User timed out while shopping at #now()#'
        );
    }
}
J2EE Sessions
· Uses the servlet container (e.g. Tomcat) for session management
· Share session information between ColdFusion and other servlet applications
J2EE Sessions
· Does not reuse the session identifiers
· Generates a new identifier for each session, reducing the impact of the theft of the token
· Can terminate the session manually:
getPageContext().getSession().invalidate();
Server Clusters
If your session information is being stored in the memory of a server,
then only that one server can handle all your requests.
In other words, you can't scale.
Do it yourself!
function onRequestStart() {
    var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
    var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
    // a brand new session has nothing stored yet, so guard against a null result
    var stored = sessionClient.get(id = urlToken, deserialize = true);
    if (!isNull(stored)) {
        structAppend(session, stored, true);
    }
}

function onRequestEnd() {
    var urlToken = 'CFID=' & cookie.cfid & '&CFTOKEN=' & cookie.cftoken;
    var sessionClient = new cfcouchbase.CouchbaseClient({ bucketName = 'sessions' });
    // named arguments throughout: mixing named and positional arguments is an error in CFML
    sessionClient.set(id = urlToken, value = session);
}
First, Session Fixation
An attacker provides the session identifiers in order to try and know them
<a href="http://a-legitimate-site.com/?CFID=b1c8-30f3469ba7f7&CFTOKEN=2"> Click here for free stuff!</a>
How this can cause Session Loss
More than one CFML application on the same domain [2]
[2] Pete Freitag, Session Loss and Session Fixation in ColdFusion, March 01, 2013
HTTPOnly Cookies
Set once for the entire application
// CF 10+ & Lucee 4.5+
this.sessioncookie.httponly = true;

# Java JVM args (CF 9.0.1+)
-Dcoldfusion.sessioncookie.httponly=true
HTTPOnly Cookies
OR set them manually
<!-- CF 9+ & Lucee 4.5+ -->
<cfcookie name="CFID" value="#session.cfid#" httponly="true" />

<!-- CF 8 and lower -->
<cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly" />
SSL
Enable the secure flag on your cookies
// CF 10+ & Lucee 4.5+
this.sessioncookie.secure = true;

<!-- CF 9+ & Lucee 4.5+ -->
<cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="true" />

<!-- CF 8 and lower -->
<cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HTTPOnly;secure" />
Turning off client management
If you are setting your own cookies, remember to turn off client management
// Application.cfc
component {
    this.clientmanagement = false;
}
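The cookie settings from the last few slides gathered into one Application.cfc, plus a request-level check that refuses session identifiers arriving anywhere other than the cookie. This is an added example, not the talk's own code; it assumes CF 10+ or Lucee 4.5+ (for this.sessioncookie and sessionRotate()) and a server that still accepts CFID/CFTOKEN from the URL or form, which is the default.

```cfml
// Added example (not from the talk). Assumes CF 10+ / Lucee 4.5+ so that
// this.sessioncookie.* and sessionRotate() are available.
component {
    this.name = 'MyAwesomeApp';
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 45, 0);
    // We rely on the engine's own session cookie, so client management stays off
    this.clientManagement = false;
    // Cookie flags from the HTTPOnly and SSL slides: no script access, HTTPS only
    this.sessionCookie.httpOnly = true;
    this.sessionCookie.secure = true;

    public boolean function onRequestStart(required string targetPage) {
        // CFID/CFTOKEN belong in the cookie only. If they turn up in the query
        // string or a form post, either a link leaked them or someone is handing
        // the browser a known pair (fixation). Rotating makes the supplied pair
        // useless while keeping whatever the real session already held.
        if (identifiersInRequest()) {
            sessionRotate();
        }
        return true;
    }

    private boolean function identifiersInRequest() {
        var scopes = [url, form];
        for (var scope in scopes) {
            if (structKeyExists(scope, 'CFID') || structKeyExists(scope, 'CFTOKEN')) {
                return true;
            }
        }
        return false;
    }
}
```

The cfcookie / cfheader variants on the earlier slides are only needed on CF 9 and below, where this.sessioncookie is not available.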
Thank You!
elpete
@_elpete
dev.elpete.com