What are current CF9.02 Session Cookie Management Best Practices?

Question

Common "best practice" for ColdFusion cookie session cookie management has been to implement something like this:

<!--- Stop ColdFusion from writing its own persistent CFID/CFTOKEN cookies --->
<cfset this.setClientCookies = false />
<!--- New visitor: issue CFID/CFTOKEN ourselves. No "expires" attribute, so they are browser-session cookies --->
<cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )>
    <cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
    <cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
</cfif>

<!--- Returning visitor: echo the existing values back, again as browser-session cookies --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFID" value="#Cookie.CFID#">
    <cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>

Depending on who you talk to.

Adobe then released http://www.adobe.com/support/security/bulletins/apsb11-04.html and later a fix for this original fix, which is talked about here: http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html

The original fix causes a lot of issues described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour. This fix (and a lot of other similar fixes on the web) works by modifying the cfcookie code above.

It's a year later and what I would like to know is what people are currently doing for CFID/CFToken management when running CF9.02 (i.e., with the session fixation fixes applied).

Answer

Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).

The Adobe docs actually have a pretty good write up about managing client state: Managing the client state

What is your case for still needing to use CFID/CFToken?

An excerpt from that Adobe article:


A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.
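The following Application.cfc is an added example that puts the question's approach (CF issues no persistent cookies; CFID/CFTOKEN are sent as browser-session cookies) together with the answer's advice (keep state in the ColdFusion session scope and never trust client variables). It is not code from the original question, the answer, or the Adobe documentation. It assumes ColdFusion 9.0.1 or later, where cfcookie supports the httpOnly attribute, an application name of `sessiontest`, and a hypothetical `logout.cfm` page and `session.user` key.

```cfml
<!--- Application.cfc: added example, not from the original post.
      Assumes CF 9.0.1+ (httpOnly on cfcookie). Names below are illustrative. --->
<cfcomponent output="false">

    <cfset this.name = "sessiontest" />                    <!--- assumed application name --->
    <cfset this.sessionManagement = true />                <!--- state lives server-side in the session scope --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0) />
    <cfset this.clientManagement = false />                <!--- client variables are not used at all --->
    <!--- Stop ColdFusion writing its own long-lived CFID/CFTOKEN cookies; we issue them below --->
    <cfset this.setClientCookies = false />

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- No "expires" attribute: browser-session cookies, dropped when the browser closes.
              httpOnly keeps them out of reach of page script; secure limits them to HTTPS. --->
        <cfcookie name="CFID"    value="#session.cfid#"    path="/" httpOnly="true" secure="#isSecureRequest()#" />
        <cfcookie name="CFTOKEN" value="#session.cftoken#" path="/" httpOnly="true" secure="#isSecureRequest()#" />
        <cfset session.startedAt = now() />
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <!--- Hypothetical logout page: drop the application's own session state and
              expire the identifier cookies so the browser stops presenting them. --->
        <cfif findNoCase("logout.cfm", arguments.targetPage)>
            <cfset structDelete(session, "user") />
            <cfcookie name="CFID"    value="" expires="now" path="/" />
            <cfcookie name="CFTOKEN" value="" expires="now" path="/" />
        </cfif>
        <cfreturn true />
    </cffunction>

    <cffunction name="isSecureRequest" access="private" returntype="boolean" output="false">
        <!--- True when the request arrived over HTTPS --->
        <cfreturn (cgi.HTTPS EQ "on") OR (cgi.SERVER_PORT_SECURE EQ "1") />
    </cffunction>

</cfcomponent>
```

If the "Use J2EE session variables" option from the Adobe excerpt is turned on in the Administrator instead, the servlet container issues its own session identifier and the two cfcookie lines in onSessionStart are no longer needed; the sessionManagement, clientManagement and setClientCookies settings still apply.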
