What are current CF9.02 Session Cookie Management Best Practices?

Question

Common "best practice" for ColdFusion cookie session cookie management has been to implement something like this:

<cfset this.setClientCookies = false />
<cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )>
    <cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
    <cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
</cfif>

OR

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFID" value="#Cookie.CFID#">
    <cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>

depending on who you talk to.

Adobe then released http://www.adobe.com/support/security/bulletins/apsb11-04.html and later a fix for this original fix, which is talked about here: http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html

The original fix causes a lot of issues described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour This fix (and a lot of other similar fixes on the web) work by modifying the cfcookie code above.

It's a year later and what I would like to know if what are people currently doing for CFID/CFToken management when running CF9.02 (ie, with the session fixation fixes applied.)

Answer 1

Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).

The Adobe docs actually have a pretty good write up about managing client state: Managing the client state

What is your case for still needing to use CFID/CFToken?

An excerpt from that Adobe article:

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.