In response to Jason Dean’s recent login security post, I got to thinking about how to start a completely fresh ColdFusion session. Not just clean one out, but to get a whole new session. This was the best that I could come up with in the 10 minutes of thought I put into it. Anyone care to show me up and point toward something more elegant?
    <!--- Depending on your setup, maybe HTTP_HOST works better here, but I don't trust it. --->
    <cfset ServerName=LCase(CGI.SERVER_NAME)>

    <!--- Wipe the server-side state for the session we're abandoning. --->
    <cfset structClear(Session)>

    <!--- Expire the identifier cookies on this host and every parent domain that could
          have set them (example.com and .example.com, but stop before the bare TLD),
          with and without a leading dot, and once with no domain at all. --->
    <cfloop condition="listLen(ServerName,'.') gte 2">
        <cfloop list="CFID,CFTOKEN,CFMAGIC,SESSIONID,JSESSIONID" index="CookieName">
            <cfcookie expires="NOW" name="#CookieName#" domain=".#ServerName#">
            <cfcookie expires="NOW" name="#CookieName#" domain="#ServerName#">
            <cfcookie expires="NOW" name="#CookieName#">
        </cfloop>
        <cfset ServerName=listRest(ServerName,".")>
    </cfloop>
You’d use that code as an interstitial page: hit it, then bounce to someplace else. Wherever you land, you should land with a completely fresh session, because the old identifier cookies are gone and ColdFusion hands out a new CFID/CFTOKEN on the next request. One catch: do the bounce with addtoken="no" on the cflocation, since the default appends the old CFID and CFTOKEN to the URL and ColdFusion will happily pick them back up from there. Make this the target of your login scripts, and you should prevent the sort of attack that Jason was blogging about. If you want to be extra paranoid, use this as your logout page as well as your login page.
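Here is the interstitial page written out end to end, as an added example rather than the code from the post above: the same cookie sweep, plus the redirect done safely and a log line so you can confirm the session actually changed. The file name newsession.cfm, the ?next= parameter and the "sessions" log file are my own choices, not anything from the original.

```cfml
<!--- newsession.cfm (hypothetical name): added example, not the original post's code.
      Drops the current ColdFusion/J2EE session identifiers for every cookie domain
      that could have set them, then redirects WITHOUT re-appending CFID/CFTOKEN. --->
<cfsetting enablecfoutputonly="true">

<!--- Only accept a same-site relative target for the bounce, so this page
      cannot be abused as an open redirect. Anything else goes to "/". --->
<cfset next = "/">
<cfif structKeyExists(URL, "next") AND reFind("^/[^/\\]", URL.next)>
    <cfset next = URL.next>
</cfif>

<!--- Record the identifier we are abandoning; compare it with Session.SessionID
      on the landing page (or in this same log) to verify the rotation happened. --->
<cflog file="sessions" type="information"
       text="abandoning session #Session.SessionID# from #CGI.REMOTE_ADDR#">

<!--- Wipe the server-side state of the session we are about to leave. --->
<cfset structClear(Session)>

<!--- Expire the identifier cookies on this host and every parent domain
      (example.com and .example.com, but not the bare TLD), with and without
      a leading dot, and once with no domain attribute at all. --->
<cfset serverName = lCase(CGI.SERVER_NAME)>
<cfloop condition="listLen(serverName, '.') gte 2">
    <cfloop list="CFID,CFTOKEN,CFMAGIC,SESSIONID,JSESSIONID" index="cookieName">
        <cfcookie name="#cookieName#" expires="NOW" domain=".#serverName#">
        <cfcookie name="#cookieName#" expires="NOW" domain="#serverName#">
        <cfcookie name="#cookieName#" expires="NOW">
    </cfloop>
    <cfset serverName = listRest(serverName, ".")>
</cfloop>

<!--- addtoken="no" is the important part: the default of "yes" appends the OLD
      CFID/CFTOKEN to the URL, and ColdFusion would resume that session from the
      query string even though the cookies are gone. 303 forces a GET on landing. --->
<cflocation url="#next#" addtoken="no" statuscode="303">
```

Point your login form's action (and your logout link) at newsession.cfm?next=/wherever, and check the sessions log: the SessionID logged here must differ from the one the landing page sees. ColdFusion 10 and later also ship SessionRotate() and SessionInvalidate(), which take care of the server side in one call; the parent-domain cookie sweep is still what stops an identifier planted on .example.com from being sent back to you.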
You’d proliferate CF sessions like mad, but you’d armor yourself against a couple different classes of attack.