Mike Chabot wrote:
> I am looking into a session hijacking problem, where the session that
> was hijacked had an empty cfid and cftoken, and was surprised by the
> following scenario I tested.
> 
> User 1: log into the Web site.
> User 1: using Firefox, examine the cookies and modify the cfid and
> cftoken values to be blank
> 
> When I refresh the page, I am still logged into the site.

I tried it by setting the jsessionid to be blank (I always use J2EE 
sessions) on CF 7 and I was logged out.


> To be clear, I am well aware how session hijacking works. The surprise
> to me is that an empty cfid and cftoken is considered to map to a
> valid session and I am trying to understand, from a technical
> standpoint, why an empty token is working. I have reproduced this
> behavior in CFMX7 and CF8.

I have my doubts about your use of Firefox to test this behaviour. I 
have attached a small batch file that uses wget to send requests to the 
server with total control over the headers that are sent. You need to 
fill out the URL of your web application, the file where wget must store 
its cookies, the username and the password. You probably need to adjust 
the URL of your login page as well. Then start the script, edit your 
cookie file when it tells you to and check the results.

Jochem



@echo off
setlocal

rem Usage: cftest.bat host cookiefile username password
rem   host        host name (and port) of the application, without http://
rem   cookiefile  where wget stores and reloads its cookies (Netscape format)
rem Adjust the login URL in step 2 to match your application.

if "%~4"=="" (
    echo Usage: %~nx0 host cookiefile username password
    exit /b 1
)

set URL=%~1
set cookieFile=%~2
set username=%~3
set password=%~4

rem 1. First request: obtain the initial CFID/CFTOKEN cookies
wget --quiet -O first.html --save-cookies %cookieFile% --keep-session-cookies "http://%URL%/"

rem 2. Log in (credentials sent as GET parameters; adjust to your login page)
wget --quiet -O loginResult.html --load-cookies %cookieFile% --save-cookies %cookieFile% --keep-session-cookies "http://%URL%/?event=login&Username=%username%&password=%password%"

rem 3. Reference page while logged in, with the unchanged cookies
wget --quiet -O beforeCookieChange.html --load-cookies %cookieFile% --save-cookies %cookieFile% --keep-session-cookies "http://%URL%/"

echo Modify your cookie file %cookieFile% (e.g. blank the CFID and CFTOKEN values), then press a key
pause

rem 4. Same page with the edited cookies; compare afterCookieChange.html with beforeCookieChange.html
wget --quiet -O afterCookieChange.html --load-cookies %cookieFile% --save-cookies %cookieFile% --keep-session-cookies "http://%URL%/"

endlocal


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289453