I am looking into a session hijacking problem, where the session that
was hijacked had an empty cfid and cftoken, and was surprised by the
following scenario I tested.

User 1: log into the Web site.
User 1: using Firefox, examine the cookies and modify the cfid and
cftoken values to be blank.

When I refresh the page, I am still logged into the site. Back in the
CF5 and possibly CFMX6 days, CF would have thrown an error since an
empty session would not be found when CF tried to obtain the values
for the blank identifier. An alternative behavior would be to
recognize that the session wasn't valid and kick the person back to an
error page or a login page. However, when I tried this in CF8 and
CFMX7, the session remains valid and seems to get remapped to a blank
cfid and blank token. The user can navigate through the entire site
with a blank cfid and token for the entire session.

User 2: If I use another browser and go to /page.cfm?cfid=&cftoken=,
then I am allowed to bypass the login page and I effectively hijack
that other user's session.

I seem to remember that ColdFusion MX 7 addressed a problem with using
StructClear(session). My hunch is that this unexpected behavior might
relate to that change.

To be clear, I am well aware how session hijacking works. The surprise
to me is that an empty cfid and cftoken are considered to map to a
valid session, and I am trying to understand, from a technical
standpoint, why an empty token is working. I have reproduced this
behavior in CFMX7 and CF8.

Thanks,
Mike Chabot
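The following is an added illustration, not code from the post or from ColdFusion: a constructed model of a session store keyed on the client-supplied cfid/cftoken pair. It shows why a store that treats a blank pair like any other key gives every client sending blank values the same session, and how a store that validates identifiers before lookup and only honours server-minted pairs refuses the blank pair. The identifier and token shapes are assumptions.

```python
import re
import secrets

# Constructed model of a session store keyed by the client-supplied
# (cfid, cftoken) pair. Illustration only; not ColdFusion's implementation.
CFID_RE = re.compile(r"^\d+$")                   # assumed identifier shape
CFTOKEN_RE = re.compile(r"^[0-9A-Za-z-]{8,}$")   # assumed token shape


class PermissiveStore:
    """Keys a session on whatever pair the client sends, so two clients
    that both present blank values share one session."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cfid, cftoken):
        key = (cfid or "", cftoken or "")
        return self.sessions.setdefault(key, {"user": None})


class StrictStore:
    """Validates the pair before lookup; unknown or malformed pairs never
    resolve, and only the server mints new pairs."""

    def __init__(self):
        self.sessions = {}
        self._next_id = 1000

    def create(self):
        cfid, cftoken = str(self._next_id), secrets.token_hex(16)
        self._next_id += 1
        self.sessions[(cfid, cftoken)] = {"user": None}
        return cfid, cftoken

    def resolve(self, cfid, cftoken):
        if not (CFID_RE.match(cfid or "") and CFTOKEN_RE.match(cftoken or "")):
            return None                 # blank or malformed: no session at all
        return self.sessions.get((cfid, cftoken))


def blank_pair_is_shared(store_cls):
    """Replays the post's scenario: user 1 authenticates while presenting a
    blank pair, then a second client requests with cfid=&cftoken=."""
    store = store_cls()
    first = store.resolve("", "")
    if first is None:
        return False                    # store refused the blank pair
    first["user"] = "user1"
    second = store.resolve("", "")
    return second is not None and second["user"] == "user1"
```

`blank_pair_is_shared(PermissiveStore)` returns True while `blank_pair_is_shared(StrictStore)` returns False; the fix that matters is refusing to look up a session for an identifier the server never issued.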

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289445