What are current CF9.02 Session Cookie Management Best Practices?


Problem description

Common "best practice" for ColdFusion cookie session cookie management has been to implement something like this:

<cfset this.setClientCookies = false />
<cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )>
    <cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
    <cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
</cfif>

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFID" value="#Cookie.CFID#">
    <cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>

...depending on who you talk to.

Adobe then released http://www.adobe.com/support/security/bulletins/apsb11-04.html and later a fix for this original fix, which is talked about here: http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html

The original fix causes a lot of issues described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour This fix (and a lot of other similar fixes on the web) work by modifying the cfcookie code above.

It's a year later and what I would like to know is what people are currently doing for CFID/CFToken management when running CF9.02 (i.e., with the session fixation fixes applied).

Recommended answer

Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).

The Adobe docs actually have a pretty good write up about managing client state: Managing the client state

What is your case for still needing to use CFID/CFToken?

An excerpt from that Adobe article:

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.
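For contrast with the cookie code in the question, here is a hardened form written as an added example (it is not from the question, the answer, or the Adobe docs). It assumes an Application.cfc for a CF9 application with ColdFusion session management enabled; the application name and timeout are placeholders.

```cfml
<!--- Added example, not from the original post. Assumes a CF9 Application.cfc
      with ColdFusion session management; name and timeout are placeholders. --->
<cfcomponent output="false">
    <cfset this.name = "sessiontest" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0) />
    <!--- Stop ColdFusion from emitting its own persistent CFID/CFTOKEN cookies --->
    <cfset this.setClientCookies = false />

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Issue the identifiers once, when the server creates the session.
              No expires attribute, so they are browser-session cookies.
              httponly (CF9+) keeps scripts from reading them; secure keeps them
              off plain HTTP. The values come from the server-side session scope
              and are never copied back from the incoming cookie scope, which is
              what the second cfif block in the question does.
              No domain attribute: the ".#cgi.HTTP_HOST#" form in the question
              widens the cookie to every subdomain and can include a port. --->
        <cfcookie name="CFID" value="#session.CFID#" path="/"
                  httponly="true" secure="true" />
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" path="/"
                  httponly="true" secure="true" />
    </cffunction>
</cfcomponent>
```

If the Use J2EE Session Variables option from the Adobe excerpt is enabled instead, ColdFusion issues a JSESSIONID and this cookie handling is not needed at all.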
