Preventing Session Hijacking
Session hijacking is a valid concern for every web developer. One of the easiest ways to hijack a session is to read the session cookies as they cross the network in plaintext and replay them to impersonate the user at one of the popular web sites. Marking a cookie as secure tells the browser to send it only over HTTPS, so it never appears on an unencrypted connection. In ColdFusion you can re-issue the session cookies with the SECURE attribute like so:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <!--- Copy the values ColdFusion already issued, then set the same cookies again with SECURE="Yes" so the browser only sends them over HTTPS --->
    <cfset Variables.cfID_local = Cookie.CFID>
    <cfset Variables.cfToken_local = Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#Variables.cfID_local#" secure="Yes">
    <cfcookie name="CFTOKEN" value="#Variables.cfToken_local#" secure="Yes">
</cfif>
You also need to set ALL of your cookies (not just CFID and CFTOKEN) to be secure: call the <cfcookie> tag for each cookie and make sure to set the SECURE attribute to yes. To secure the JSESSIONID (which is important when J2EE session management is enabled), explicitly set it with a <cfcookie> tag and use SESSION.SESSIONID as the value, since the JSESSIONID value is the same as SESSION.SESSIONID. Two caveats: once a cookie is marked secure the browser will not send it to plain http:// pages, so the whole application has to be served over HTTPS or the session will appear to drop; and the SECURE attribute only keeps the cookie off unencrypted connections, it does nothing against a cookie read by injected script, so on ColdFusion 9 and later set the HTTPONLY attribute of <cfcookie> as well.
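The only way to know the <cfcookie> changes took effect is to look at the Set-Cookie headers the server actually returns. The following Python script is an added example, not code from the original post: it parses Set-Cookie headers and reports which cookies still lack the Secure flag (and HttpOnly), singling out the ColdFusion session cookies CFID, CFTOKEN and JSESSIONID. The two header sets are constructed to resemble a ColdFusion response before and after the hardening; they were not captured from a real host, and the cookie values are made up.

```python
"""Audit Set-Cookie headers and report session cookies that can still
leak over plain HTTP.

The header lists below are constructed for this example; they imitate what a
ColdFusion server sends before and after the cfcookie hardening and were not
captured from a real server.
"""

# Cookie names that carry ColdFusion session identity. JSESSIONID is present
# when J2EE session management is enabled.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Constructed: an unhardened response. No Secure, no HttpOnly anywhere.
UNHARDENED_HEADERS = [
    "CFID=2593; Path=/; Expires=Fri, 01-Jan-2038 00:00:00 GMT",
    "CFTOKEN=68371284; Path=/; Expires=Fri, 01-Jan-2038 00:00:00 GMT",
    "JSESSIONID=b2f3e1c0a9d8e7f6a5b4c3d2e1f00112; Path=/",
    "THEME=dark; Path=/",
]

# Constructed: the same cookies re-issued with secure="Yes" and HTTPONLY;
# the non-session THEME cookie got Secure but was left without HttpOnly.
HARDENED_HEADERS = [
    "CFID=2593; Path=/; Secure; HttpOnly",
    "CFTOKEN=68371284; Path=/; Secure; HttpOnly",
    "JSESSIONID=b2f3e1c0a9d8e7f6a5b4c3d2e1f00112; Path=/; Secure; HttpOnly",
    "THEME=dark; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes are keyed by lower-cased name. Bare flags such as Secure and
    HttpOnly map to True; valued attributes (Path, Expires) keep their string.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, has_value, raw = segment.partition("=")
        attrs[key.strip().lower()] = raw.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return the protective flags absent from a single Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if attrs.get("secure") is not True:
        missing.append("Secure")
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    return missing


def audit(headers):
    """Map each cookie name to the flags it lacks. Fully flagged cookies are
    omitted, so an empty dict means every cookie in the response is clean."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            report[name] = missing
    return report


def exposed_session_cookies(headers):
    """Names of session cookies the browser would still send over plain HTTP,
    i.e. the ones an eavesdropper could read and replay. Matching is
    case-insensitive because ColdFusion's cookie scope lookups are."""
    return sorted(
        name for name, missing in audit(headers).items()
        if name.upper() in SESSION_COOKIE_NAMES and "Secure" in missing
    )


if __name__ == "__main__":
    for label, headers in (("before", UNHARDENED_HEADERS),
                           ("after", HARDENED_HEADERS)):
        print(label, "- session cookies exposed to sniffing:",
              exposed_session_cookies(headers))
        for name, missing in audit(headers).items():
            print("    ", name, "missing", ", ".join(missing))
```

In practice you would feed the script the Set-Cookie lines from a real response (for example the output of a request made with curl -i against the HTTPS site); an empty list from exposed_session_cookies is the result you want before trusting the SECURE attribute to protect the session.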