tracker issue : CF-3640257

Title: SessionRotate and SessionInvalidate Enhancements


Status/Resolution/Reason: Closed/Won't Fix/

Reporter/Name(from Bugbase): Tom McKeon / Tom McKeon (Tom McKeon)

Created: 09/26/2013

Components: Security

Versions: 10.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Final /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Platforms All

Vote Count: 3

The new CF10 methods SessionRotate and SessionInvalidate only work with CFID/CFToken.  The methods don't work on the underlying J2EE session when using J2EE session variables as this might impact other applications which share the same J2EE session.  However, often there are no other applications sharing the same J2EE session.  Not being able to use the new methods in these scenarios limits CF's ability to address session fixation issues.  

In the next version of CF please add the ability for SessionRotate and SessionInvalidate methods to act on the underlying J2EE session.
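What the request amounts to at the servlet level, as an added illustration that is not part of this ticket or of ColdFusion itself: "SessionInvalidate" on a J2EE session is `HttpSession.invalidate()`, and "SessionRotate" is invalidating the old session and issuing a fresh JSESSIONID while carrying the user's state over, which is the standard mitigation for session fixation at login or privilege change. The class and method names below are the editor's own, and the code assumes a Servlet 3.0 container and that this application is the only one bound to the session, the scenario the report describes.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative helper (added here; not ColdFusion code and not from this
 * ticket) showing the two requested operations on the underlying J2EE
 * session. Assumes Servlet 3.0 and a session not shared with other webapps.
 */
public final class J2eeSessionControl {

    private J2eeSessionControl() {}

    /** Counterpart of SessionInvalidate: drop the servlet session outright. */
    public static void invalidate(HttpServletRequest req) {
        HttpSession s = req.getSession(false);   // never create one just to destroy it
        if (s != null) {
            s.invalidate();                      // the old JSESSIONID is now rejected
        }
    }

    /**
     * Counterpart of SessionRotate: a new JSESSIONID with the same state.
     * Call it right after successful authentication and before the response
     * is committed, so the attacker-known id never becomes an authenticated one.
     */
    public static HttpSession rotate(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> kept = new LinkedHashMap<>();
        if (old != null) {
            // Copy every attribute so login state survives the rotation
            for (String name : Collections.list(old.getAttributeNames())) {
                kept.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);  // container mints a fresh id
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The copy-and-invalidate dance is what a Servlet 3.1 container replaces with `HttpServletRequest.changeSessionId()`, which keeps the attributes and changes only the id. Either way the effect is container-wide: every application bound to that JSESSIONID sees the old id stop working, which is the concern raised later in this thread and the reason a per-application opt-in is asked for.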

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3640257

External Customer Info:
External Company:  
External Customer Name: Tom McKeon
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

Hi Rupesh , Can you review this enhancement request ? (Comment added from ex-user id:yrr)
Comment by Adobe D.
14444 | October 08, 2013 12:18:04 AM GMT
The E/R makes sense. CF hamstringing itself simply because other fictional apps *might* cohabitate seems a bit far-fetched as far as the normal sequence of events goes. Deal with that eventuality if it occurs. -- Adam
Vote by External U.
14451 | October 08, 2013 09:47:36 AM GMT
+1 for this ticket and what Adam said. Could we please at least have a per-App setting to enable SessionInvalidate()/SessionRotate() for J2EE sessions? (IMO, it should be enabled by default) Thanks!, -Aaron
Vote by External U.
14452 | May 16, 2015 06:21:17 PM GMT
I see this was filed for CF10 and not implemented in CF11. Would you please consider for CF12? Thanks!, -Aaron
Comment by External U.
14445 | May 16, 2015 06:22:27 PM GMT
Doing it for J2EE sessions will have impacts on all applications and so we should not be doing this.
Comment by Vamseekrishna N.
14446 | August 18, 2015 11:47:14 PM GMT
Vamseekrishna Nanneboina - can you elaborate how enabling these important security features for J2EE sessions "will have impacts on all applications"?
Comment by External U.
14447 | August 20, 2015 01:01:58 AM GMT
Hi Yashas and Vamseekrishna, the Session Variables doc (https://wikidocs.adobe.com/wiki/display/coldfusionen/Configuring+and+using+session+variables) says: "consider using J2EE session management in any of the following cases: - You want to maximize session security". The SessionRotate doc (https://wikidocs.adobe.com/wiki/display/coldfusionen/SessionRotate) says: "It prevents session attacks". SessionRotate/SessionInvalidate should work w/ J2EE sessions so we can maximize security AND prevent session attacks. Can you please reconsider? Thanks!, -Aaron
Comment by External U.
14448 | August 20, 2015 01:19:07 AM GMT
How about a per-App setting to enable SessionInvalidate()/SessionRotate() for J2EE session management?
Comment by External U.
14449 | August 20, 2015 01:22:22 AM GMT
*bump*
Comment by External U.
14450 | September 04, 2015 03:32:01 AM GMT
Please allow. Function calls in CF should operate regardless of the type of session management in place. +1
Vote by External U.
14453 | May 25, 2016 12:27:05 PM GMT