kmc

Reputation: 91

CFToken / CFID in Coldfusion 11

CF11 is prepending the values of these cookies with what looks to be a hash of the application name.

In CF9, the value of CFID for me is along the lines of: 2219

In CF11, this changes to be Z3ir0kan93jawdd3kz38onobced8tfgn2kc3fy8i0w884gqffsn-2219

I need to be able to run a CF9 and CF11 server in the same pool (while we do the upgrade), but the differences in the cookie values mean that if you log in on a CF9 server and navigate to a CF11 server, you'll get logged out.

Is there any way to get CF11 to use the CF9 format for these cookie values?

Upvotes: 9

Views: 2562

Answers (1)

Adrian J. Moreno

Reputation: 14859

The value of CFID/CFTOKEN was changed from a simple numeric value to a string+numeric for security reasons.

http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html

Reason

In its default configuration, Adobe ColdFusion uses a pair of cookies named CF_ID and CF_TOKEN to manage user sessions. These two cookies are only ever used in tandem with each other; they are never used separately.

Even though CF_ID is sequential, CF_TOKEN is random and is unpredictable. Since it is the combination of both cookies that is used, the resulting combination is also unpredictable.

Solution

To eliminate this error in your compliance testing, you can configure ColdFusion to use J2EE session identifiers instead of CF_ID and CF_TOKEN.

Note: This solution does not make your ColdFusion server any more or less secure.

So it's not in your best interest to have CF 11 use the old-style numeric CF_ID value.

If you're going to have CF 9 and CF 11 in the same pool, where requests can randomly bounce from one to the other, you'll run into a number of other problems. I spent the better part of a year converting from CF 8 to CF 9 about two years ago (yes, yes, I know).

For instance, if you happen to use any CF UI components, you'll have problems when a request that starts on CF X rendered HTML & JS goes to CF Y, which has updated JS functions for that feature. We ripped them all out and converted to jQuery/jQuery UI.

We also ran into something as simple as this:

this.name = HASH(getDirectoryFromPath(getCurrentTemplatePath()));

getDirectoryFromPath() returned an upper-case value in 8 and lower-case value in 9 (or vice-versa). We had to update it to this:

this.name = HASH(Lcase(getDirectoryFromPath(getCurrentTemplatePath())));

in order to have them use the same application name and, therefore, session.

You'll be better off running CF 11 in its own pool and running a full regression test against it to figure out what needs to be updated.

Upvotes: 2
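The question shows the two CFID shapes (a bare number on CF9, a prefix plus hyphen plus number on CF11) and the answer explains that requests bouncing between the two generations are what log users out. A small check an operator can run over access logs during the migration, to see how often a cookie minted by one generation lands on a node of the other, is added below. This is example code written for this page, not part of the question, the answer or Adobe's product; the two regular expressions are an assumption derived only from the two sample values on the page, and the log lines and server names are constructed.

```python
import re
from collections import Counter

# CF9 CFID as shown on the page: purely numeric ("2219").
# CF11 CFID as shown on the page: alphanumeric prefix, a hyphen, then the
# number ("Z3ir0kan...-2219"). Both patterns are assumptions based on those
# two sample values, not on Adobe documentation.
LEGACY_RE = re.compile(r"^\d+$")
PREFIXED_RE = re.compile(r"^[A-Za-z0-9]+-(\d+)$")


def classify_cfid(value):
    """Return ("legacy", n), ("prefixed", n) or ("unknown", None)."""
    if LEGACY_RE.match(value):
        return "legacy", int(value)
    m = PREFIXED_RE.match(value)
    if m:
        return "prefixed", int(m.group(1))
    return "unknown", None


# Constructed log excerpt (hypothetical format): node name, then the
# CFID cookie value the node received. Nodes named cf9-* run CF9,
# nodes named cf11-* run CF11.
SAMPLE_LOG = """\
cf9-web01 CFID=2219
cf11-web02 CFID=Z3ir0kan93jawdd3kz38onobced8tfgn2kc3fy8i0w884gqffsn-2219
cf9-web01 CFID=2220
cf9-web01 CFID=Z3ir0kan93jawdd3kz38onobced8tfgn2kc3fy8i0w884gqffsn-2219
cf11-web02 CFID=garbage
"""

LINE_RE = re.compile(r"^(\S+)\s+CFID=(\S+)$")


def expected_format(server):
    """Which cookie shape a node of this generation would itself issue."""
    return "prefixed" if server.startswith("cf11") else "legacy"


def summarize(log_text):
    """Count (server, format) pairs and list cross-generation requests.

    A CF9 node receiving a prefixed cookie, or a CF11 node receiving a bare
    numeric one, is a request that bounced between pools; those are the
    requests that end in the logout the question describes.
    """
    counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        server, cfid = m.groups()
        fmt, _ = classify_cfid(cfid)
        counts[(server, fmt)] += 1
        if fmt != expected_format(server):
            mismatches.append((server, cfid, fmt))
    return counts, mismatches


if __name__ == "__main__":
    counts, mismatches = summarize(SAMPLE_LOG)
    for (server, fmt), n in sorted(counts.items()):
        print(f"{server:12s} {fmt:9s} {n}")
    print("cross-generation requests:", len(mismatches))
```

Run against a real log, the mismatch list is a direct measure of how much traffic is crossing between the CF9 and CF11 pools, which is the argument for keeping CF 11 in its own pool rather than trying to make its cookies look like CF 9's.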
