tracker issue : CF-3535992

Title:

Session Cookies Being Overwritten Browsing From SSL to Non SSL


Status/Resolution/Reason: Closed/Won't Fix/ThirdParty

Reporter/Name(from Bugbase): Dave Cordes / Dave Cordes (Dave Cordes)

Created: 04/04/2013

Components: Security

Versions: 10.0

Failure Type: Data Loss

Found In Build/Fixed In Build: Final /

Priority/Frequency: Critical / All users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 1

Problem Description:

Please note I am using J2EE session variables so keep that in mind.

I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.

For example:

Visiting https://www.domain.com/ results in a JSESSIONID cookie being set whose details say it is sent for "Encrypted connections only".

Visiting http://www.domain.com/ results in a JSESSIONID cookie being set whose details say it is sent for "Any type of connection".

Here's the problem:

Say, for example, you log into an admin module located at https://www.domain.com/admin/. Once you are authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.

Obviously this is causing massive problems for my clients that bounce back and forth between SSL and non-SSL connections, which is common for e-commerce websites.

Steps to Reproduce:

1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.

Actual Result:

Browsing from an SSL to a non-SSL web page results in the session cookie being overwritten.

Expected Result:

Browsing from an SSL to a non-SSL web page should NOT overwrite the session cookie. This is how it worked in ColdFusion 9.

Any Workarounds:

None that I know of at the moment.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3535992

External Customer Info:
External Company:  
External Customer Name: davecordes
External Customer Email:  
External Test Config: My Hardware and Environment details:

Server Product - ColdFusion

Version - 10,0,8,284032

Tomcat Version - 7.0.23.0

Edition - Standard 

Operating System - Windows Server 2008 R2  

OS Version - 6.1  

Update Level - /D:/ColdFusion10/cfusion/lib/updates/chf10000008.jar  

Adobe Driver Version - 4.1 (Build 0001)

Attachments:

Comments:

I have tested different solutions for nearly 20 hours and since you can't explicitly set the JSESSIONID cookie, all have failed.
Comment by External U.
15828 | April 04, 2013 09:47:34 AM GMT
Verified. The cookie is just straight gone, GONE.
Vote by External U.
15836 | April 04, 2013 10:10:55 AM GMT
When sites are partially on SSL and the cookie is set first for the SSL site, the browser will not send the cookie back to a non-SSL site. If that is the requirement, the cookie should be set as non-Secure. For Tomcat it can be changed in web.xml by setting "secure=false" like this:

<session-config>
  <session-timeout>60</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>false</secure>
  </cookie-config>
</session-config>

If any other App Server is involved, a similar solution will be there. (Comment added from ex-user id:shilpik)
Comment by Adobe D.
15829 | April 05, 2013 12:40:42 AM GMT
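The exchange the reporter describes (steps 2 and 3, and the explanation in the comment above) can be replayed offline against a standards-compliant cookie jar. The following is an added example and not code from the tracker or from ColdFusion/Tomcat: it uses Python's http.cookiejar as a stand-in for the browser, and a small constructed SessionServer class that models the container behaviour the thread describes (a new JSESSIONID is issued whenever a request arrives without one, flagged Secure if the request came over https). The host www.domain.com and the session values SESSION1/SESSION2 are constructed for the demonstration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Constructed stand-in for an HTTP response. The cookie jar only needs
    .info() to return a Message carrying the Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # duplicates are kept, as with real headers

    def info(self):
        return self._msg


class SessionServer:
    """Constructed model of the container behaviour described in the thread:
    no JSESSIONID on the request -> create a new session and set the cookie,
    marking it Secure whenever the request arrived over https."""

    def __init__(self, secure_on_https=True):
        self.secure_on_https = secure_on_https
        self.issued = 0

    def handle(self, request):
        if "JSESSIONID=" in (request.get_header("Cookie") or ""):
            return FakeResponse([])  # existing session, nothing to set
        self.issued += 1
        cookie = "JSESSIONID=SESSION%d; Path=/; HttpOnly" % self.issued  # constructed value
        if self.secure_on_https and request.type == "https":
            cookie += "; Secure"
        return FakeResponse([cookie])


def cookie_value(jar, name):
    """Return the value the jar currently holds for cookie `name`, or None."""
    for cookie in jar:
        if cookie.name == name:
            return cookie.value
    return None


def simulate(secure_on_https=True):
    """Replay: HTTPS admin page -> plain HTTP home page -> HTTPS admin page.

    Returns {step: (Cookie header sent on that request, JSESSIONID held
    by the jar after the response was processed)}.
    """
    jar = http.cookiejar.CookieJar()  # default policy: Secure cookies only go over https
    server = SessionServer(secure_on_https)
    trace = {}
    steps = (
        ("https_admin", "https://www.domain.com/admin/"),
        ("http_home", "http://www.domain.com/"),
        ("https_admin_again", "https://www.domain.com/admin/"),
    )
    for step, url in steps:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)            # browser decides what to send
        jar.extract_cookies(server.handle(req), req)  # browser stores what comes back
        trace[step] = (req.get_header("Cookie"), cookie_value(jar, "JSESSIONID"))
    return trace


def session_survives(trace):
    """True when the session established on the first request is still the
    one presented on the last request."""
    return trace["https_admin"][1] == trace["https_admin_again"][1]


if __name__ == "__main__":
    for flag in (True, False):
        print("Secure flag on https sessions:", flag)
        for step, (sent, held) in simulate(flag).items():
            print("  %-18s sent=%-22s jar=%s" % (step, sent, held))
        print("  session survives:", session_survives(simulate(flag)))
```

With the Secure flag on (the Tomcat behaviour Pete's comment points at), the http:// request carries no Cookie header at all, the server creates SESSION2, and because name, domain and path match, the browser stores SESSION2 in place of SESSION1; the next https:// request then presents the anonymous session, which is exactly the "instantly lose your authentication" symptom. With the flag off, SESSION1 survives the round trip, but only because the session identifier was transmitted in the clear on the http:// request, which is the exposure the Secure attribute exists to prevent.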
Thanks for your reply. Which web.xml do I change? <ColdFusion_Home>\runtime\conf\web.xml or <ColdFusion_Home>\wwwroot\WEB-INF\web.xml
Comment by External U.
15830 | April 05, 2013 09:28:47 AM GMT
I added your changes to the web.xml located here: <ColdFusion_Home>\runtime\conf\web.xml Then I restarted ColdFusion and visited an https web page. The cookie being sent says sent for "Encrypted connections only". I was expecting it to be sent for "Any type of connection". So that didn't work, unless I messed something up.
Comment by External U.
15831 | April 05, 2013 09:41:21 AM GMT
Hi Shilpi, I helped Dave with this issue, and came up with a workaround posted here: http://www.petefreitag.com/item/817.cfm It looks like Tomcat always sets the secure flag on the JSESSIONID if the request is secure (see my blog entry for a link to the code in Tomcat). My opinion is that this is not a bug but a security feature.
Comment by External U.
15832 | April 05, 2013 11:21:52 AM GMT
I think it's fine to call it a security feature as long as there is a way to turn it off. Since there is no way to turn it off, it feels like a bug to me.
Comment by External U.
15833 | April 05, 2013 05:02:30 PM GMT
Tomcat always sets the secure flag on the JSESSIONID if the request is secure. As Tomcat does not provide any way to turn it off, we can't do anything about it.
Comment by Rupesh K.
15834 | January 05, 2015 08:14:36 AM GMT
Rupesh, just so you know, there is a workaround. Pete helped me with it. http://www.petefreitag.com/item/817.cfm
Comment by External U.
15835 | January 05, 2015 09:26:39 AM GMT