
Making Session Tokens More Random: ColdFusion 2018


I've recently been tasked with mitigating issues from a ColdFusion 2018 Server vulnerability report. In particular, this one...

Attack Type: SessionStrength Session tokens that exhibit low entropy ("randomness") are often susceptible to prediction attacks. Insecure tokens can be due to inadequate pseudo-random number generator, time-based values, static values, or values based on user attributes (username or user ID)...Session tokens should be created with a strong random number generator and gathered from a large pool of numbers. For example, an operating system's rand() function can usually be sufficient if it can produce 32-bit values that are a statistically uniform distribution.

And the recommendation is:

Make sure that the Token values are at least 32 bits in size, especially for applications with large numbers of concurrent users and high amounts of daily page requests.....

My question is, how can I increase the randomness? The server uses J2EE session variables. Is there a way, perhaps on the Java side, that I can improve the randomness? Thank you.


Solution

  • Do you have either of these boxes checked in your ColdFusion Administrator?

    [screenshot: ColdFusion Administrator checkbox for the CFToken setting]

    Without this box checked, ColdFusion will not use a decent value for the CFToken. Instead it will use an incrementing 8-digit value. It's pretty poor default behavior.

    Even if you do have it checked, it is possible that the incrementing behavior of the CFID (that is paired with the CFToken to determine a session) will raise a false flag with your vulnerability scanner. This is where the next checkbox can help.

    [screenshot: ColdFusion Administrator checkbox for using JEE session variables]

    With this box checked, you are telling ColdFusion to use a JEE session variable instead of the CFID/CFToken combination. This will see a single session token that uses a good token. That should satisfy your vulnerability scanner.

    I don't recall right off whether, when the JEE checkbox is checked, it still writes the CFID/CFToken cookies (despite the fact that it does not use them). If so, then your scanner may still flag it. If that happens, I believe you can use the following code (in your Application.cfc) to tell ColdFusion not to create those cookies.

    this.setClientCookies = false;
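As an added check that is not part of the answer above, the following Python script applies the report's two tests (is the token an incrementing counter, and can it carry at least 32 bits) to token values you have collected from fresh sessions on a test server; the sample tokens below are constructed, not captured from a real ColdFusion instance.

```python
import math
import string

# Constructed sample tokens (not captured from a real server): an
# incrementing 8-digit series like ColdFusion's default CFTOKEN, and
# 16-character hex tokens of the kind a strong generator would produce.
WEAK_TOKENS = ["10000123", "10000124", "10000125", "10000126", "10000127"]
STRONG_TOKENS = ["3f9c1a7b2e8d4c60", "a81e55f0c7d29b34",
                 "0c4b7e9da1f36285", "e27d90b34c5a1f68"]

def alphabet_bits(token):
    """Upper bound on the entropy a token of this length and alphabet
    can carry: length times log2 of the alphabet size."""
    chars = set(token)
    if chars <= set(string.digits):
        base = 10
    elif chars <= set(string.hexdigits):
        base = 16
    elif chars <= set(string.ascii_lowercase + string.digits):
        base = 36
    elif chars <= set(string.ascii_letters + string.digits):
        base = 62
    else:
        base = 64  # treat anything wider as a base64-like alphabet
    return len(token) * math.log2(base)

def is_incrementing(tokens):
    """True when every token is an integer and consecutive tokens differ
    by a small positive step: the signature of a counter, not randomness."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= 1000 for s in steps)

def assess(tokens):
    """Flag a token series the way the report's 32-bit rule would."""
    bound = min(alphabet_bits(t) for t in tokens)
    counter = is_incrementing(tokens)
    return {
        "entropy_bound_bits": round(bound, 1),
        "incrementing": counter,
        "weak": counter or bound < 32,
    }

print("default CFTOKEN:", assess(WEAK_TOKENS))
print("strong tokens:  ", assess(STRONG_TOKENS))
```

The entropy figure is only an upper bound from the alphabet and length; a series that passes it can still be predictable, so the incrementing check is the one that catches the default 8-digit behaviour.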