JSessionID, CFID/CFToken - which is predictable?

I have results from the new and improved PCI scan and it
comes up with one Medium risk vuln.

Description: The remote web application is using predictable
cookie-based session IDs. Ideally, session IDs are randomly
generated numbers that cannot be guessed by attackers. If the
session ID is predictable, an attacker could hijack an active
victim's session, allowing the attacker to interact with the server
as though they were the victim. If the session ID is used to track
the state of authentication, the session ID of an authenticated
user could be guessed, bypassing any need for a username or
password. In the case of this server, the session ID was found to
have an insignificant number of changes between session IDs, which
makes guessing very easy.

Remediation: The software needs to be either configured or
modified to generate random session IDs.

I currently have "Use J2EE session variables" enabled.
Assuming I'm getting flagged because of cfid/cftoken
predictability, I've set setClientCookies="no" and
clientmanagement="no" and restarted the service, and everything
seems to be working with jsessionids alone... are there any
pitfalls to watch out for with not using cfid/cftoken?

Basic question before I pay for another scan is:
I was under the impression that jsessionids were the most
secure and a better alternative than cfid/cftoken. Is that not the
case?

EDIT: The scan occurred before I made the client variable
changes to the application.cfm (so I had both jsessionid and
cfid/cftoken being set). As of now only jsessionid is being set.

Based on what OWASP has to say:
"Best practice calls for J2EE session management. In the
event that only ColdFusion session management is available, strong
security identifiers must be used. Enable this setting to change
the default 8-character CFToken security token string to a UUID."
http://www.owasp.org/index.php/Configuration
It looks like the J2EE sessions are the way to go.
I believe the reason for the PCI flag is that the scan (at
least the one from the service we use) was looking at CFID alone. I
assume this because cftoken -was- set to use UUID, so it should have
been secure. The scan probably doesn't know that cfid and cftoken
are used in conjunction. So in a way this is a false positive.
Based on the new standards coming in, it is enough to be out of
compliance.
The solution to be in compliance is to set clientmanagement="no"
and setclientcookies="no" in application.cfm so that cfid and
cftoken are not set at all. By using only the jsessionid, you are
following best practices from OWASP and also get the benefit of the
session ending on browser close.
Other thoughts still welcome.
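The scanner's finding above ("an insignificant number of changes between session IDs") can be reproduced locally before paying for a re-scan. The following Python script is an added example, not code from this thread or from ColdFusion itself. It measures two things for a batch of identifiers: the upper bound on entropy given by the alphabet and length actually used, and the average number of bits that change between one identifier and the next. The three sample sets are constructed (a counter-like CFID, 8-digit CFTOKEN values, and 32-hex-character JSESSIONID values), and the thresholds are assumptions for the example: the commonly cited 64-bit minimum for session-ID entropy, and a mean of 8 flipped bits between consecutive IDs.

```python
"""Rough predictability check for session identifiers (added example)."""
import math
import re
from statistics import mean

# Constructed sample identifiers; none were captured from a real server.
SAMPLE_CFID = ["1851", "1852", "1853", "1854", "1855", "1856"]  # counter-like
SAMPLE_CFTOKEN = ["76141078", "50196159", "11985066",           # 8-digit default
                  "23748190", "98312457", "64029183"]
SAMPLE_JSESSIONID = [                                          # 32 hex characters
    "4F1C9A2B7E0D3865B1A6C4E29D7F0B13",
    "A83E0D5F62C19B47E5D0F8A23C6B91E4",
    "0B7D2E6A9C41F3587A2E9D0C1B6F48A3",
    "D26A9F0E4B3C7158C9E1A0F7B2D5634E",
    "7E5B3C8A1D0F9246A4C2E7B19F03D5C8",
]

# Thresholds assumed for this example: the commonly cited 64-bit minimum of
# session-ID entropy, and "too few bits change" from one ID to the next.
MIN_BITS = 64.0
MIN_MEAN_FLIPS = 8.0

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def token_to_int(token):
    """Interpret a token as an integer: decimal if all digits, otherwise hex.

    An all-digit hex token is therefore read as decimal; for a rough check
    that only makes the entropy estimate slightly more pessimistic.
    """
    if token.isdigit():
        return int(token)
    if HEX_RE.fullmatch(token):
        return int(token, 16)
    raise ValueError(f"unsupported token format: {token!r}")


def alphabet_bits(token):
    """Upper bound on the token's entropy from its length and alphabet alone."""
    if token.isdigit():
        return len(token) * math.log2(10)
    if HEX_RE.fullmatch(token):
        return len(token) * 4.0
    return len(token) * math.log2(62)  # assume base62 for anything else


def mean_bit_flips(tokens):
    """Average Hamming distance between consecutive identifiers."""
    values = [token_to_int(t) for t in tokens]
    return mean([bin(a ^ b).count("1") for a, b in zip(values, values[1:])])


def assess(tokens):
    """Return both measurements and whether the set should be treated as predictable."""
    bits = min(alphabet_bits(t) for t in tokens)
    flips = mean_bit_flips(tokens)
    return {
        "alphabet_bits": round(bits, 1),
        "mean_bit_flips": round(flips, 1),
        "predictable": bits < MIN_BITS or flips < MIN_MEAN_FLIPS,
    }


if __name__ == "__main__":
    for name, sample in (("CFID", SAMPLE_CFID), ("CFTOKEN", SAMPLE_CFTOKEN),
                         ("JSESSIONID", SAMPLE_JSESSIONID)):
        print(name, assess(sample))
```

Run against the samples, the counter-like CFID set fails on both measures (about 13 bits of alphabet and under 3 flipped bits per step), the 8-digit CFTOKEN set fails on size alone (about 27 bits, which is why OWASP's advice to switch CFTOKEN to a UUID matters even when the values look random), and the 128-bit JSESSIONID set passes both. Note that a scanner evaluating CFID on its own, as the answer above suspects, would flag the first set regardless of how strong CFTOKEN is.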

Similar Messages

  • CFID & CFTOKEN added to URL by CF

    CF automatically appends CFID & CFTOKEN to the URL when
    using <div> or <span> tags whose id is a variable.
    They are not appended when a constant is used.
    I do not want these to be displayed unless I append them
    myself.
    Is this a CF bug, or can I change my code somehow?
    I display a variable number of rows, so using a constant is
    not a solution.
    And, I use client and session variables throughout my app.
    Please help me. Thanks a bunch.
    <cfapplication name="myApp" sessiontimeout="20"
    sessionmanagement="Yes"
    setclientcookies="Yes" clientmanagement="Yes">
    This is BAD ...
    URL with the following code:
    abc/action.cfm?CFID=1851&CFTOKEN=76141078
    <div id="#style#">
    <span id="#style#"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>
    This is GOOD ...
    URL with the following code: abc/action.cfm
    <div id="1001">
    <span id="1001"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>

    Greetings Steve and other URLSessionFormat fans.
    The remote file of an XMLHttp request (Spry), among other
    things, is trying to set two session variables.
    I have been told that if the remote file doesn't know the
    session CFID & CFTOKEN the new session variables will not be
    recognized, and to avoid that I should use URLSessionFormat.
    Now, my original Spry request looks like this:
    var request_URL
    ="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
    Spry.Utils.loadURL("GET", request_URL, false, authBack);
    which returns values as expected but does not set the session
    variables, so I combine it with URLSessionFormat, like this:
    var request_URL =
    '#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';
    The variable "request_URL" will render:
    "/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"
    which causes Spry to catch an exception while loading the URL
    and the request fails altogether.
    Please note the " ; " semicolon sign between the filename
    "authenticate.cfm" and "jsessionid=", which is not like the
    CF7.1 example
    "myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx"
    found in livedocs.
    Is my code, the Macromedia example, or both wrong?
    Or maybe it needs some tweaking and fixing to replace the
    semicolon and put the question mark in the right place?
    Pulling out quite a bit of hair here. Thanks for helping.

  • CFID & CFTOKEN

    Hi there,
    I’m creating a cart & payment system using
    Coldfusion MX 6.1. I have two application servers which are load
    balanced. So I cannot use sessions to track user logins and other
    variables because if the load balancer diverts a request to the
    other server where the session does not exist then the person will
    be logged out.
    So I’m forced to use client variables. I’m
    against using cookies for better security. So the option left for
    me is store client variables in database. So I’m using the
    help of CFID & CFTOKEN to track logins and store client
    variables in database.
    Now the problem is I’m using URLSessionFormat function
    to pass CFID & CFTOKEN to all pages after login. I have
    following problems:
    1) If I copy the URL, which contains the CFID & CFTOKEN,
    close the browser and paste it in another browser window – it
    opens up the page with out any authentication.
    2) If I copy and paste the same URL on a browser window in
    another PC, it works.
    These two scenarios fail my security to the application. Can
    anyone please advice a way to kill the CFID & CFTOKEN on
    browser close or some mechanism to stop this occurring?
    Any help is greatly appreciated.
    Many thanks / Manu.

  • Cfid & cftoken keep resetting every time the page refreshes!!!!

    I need some assistance.  I have setup several CF applications and never had any issues with session/application management.  However this time around every time I refresh the page it gives me a new cfid and cftoken.  Obviously it won't allow me to keep my session and I get redirected to the log in page.  Here is how I am setting up my application.  Does anyone see any issues with this?
    <cfscript>
    this.name = "ApplicationName";
    this.clientManagement = "no";
    this.sessionManagement = "yes";
    this.applicationTimeout = CreateTimeSpan(0,1,0,0);
    this.sessionTimeout = CreateTimeSpan(0,0,20,0);
    this.scriptProtect = "All";
    this.setClientCookies = "no";
    this.setDomainCookies = "no";
    </cfscript>
    Side question, when is the cfid and cftoken supposed to change?  When I land on the page for the first time before I log in the cfid & cftoken get set.  That will be the same cfid & cftoken for the full session.  Then the cfid & cftoken gets dropped once the application has timed out?  (maybe a dumb question...)
    Please Help!!!

    If you setclientcookies to be FALSE ("no", whatever), then you need to deal with the CFID & CFTOKEN values yourself (generally by passing them on every URL in your site).  Which is a right PitA.
    Are you sure you meant to set it to FALSE?
    Adam

  • Missing session variables and multiple CFID/CFTOKEN

    We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
    Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions.  We have put troubleshooting measures in place that display values when this occurs.
    We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next).  These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers.  In most instances, if the user switches browsers, the same application works fine for them.
    In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”.  If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
    When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag.  ** We do not prefer to do this for security reasons.
    Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?

    My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
    Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
    Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion to create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
    Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
    The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
    1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
    2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
    3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.

  • Adoption of CFID/CFTOKEN from request for new session

    Hi
    We've noticed that ColdFusion automatically uses CFID/CFTOKEN
    from the request, if there's no session available for this token
    combination and ColdFusion creates a new session. Is there a way to
    tell ColdFusion that it shouldn't use the values from the request
    but generate a pair of its own?
    Regards
    Sargon

  • Viewing active sessions (cfid/cftoken or J2EE sessionid)?

    Hello... is it possible to view the active sessions, whether cfid/cftoken or the J2EE sessionid for any given site on my server? I believe you can store client variables in a datasource, but I don't believe you can do this with the cfid/cftoken or J2EE sessionid correct? I'd really like to be able to query these values. I'm using CF 7.02 now but will be moving to CF 9, so if it's a feature there that'd be great.

    You can do it per application... but I'm not sure if there's a way of pulling out all the applications running on a given server.  The last time I looked for that sort of thing, I seem to recall not finding it (that's not to say it's not there: I just couldn't find it!).
    But for all sessions within an application: do a google on "cf sessiontracker".  Various people have blogged about how to do what you need (if not exactly what you need, then enough to get you going in the right direction).
    I thought I had some sample code that demonstrates it, but I don't :-(
    Adam

  • CFID CFTOKEN URL 404 ERROR

    We have a program that was written by a programmer who is no longer with us.  When I go to log in to the program for the first time, after I put in my username and password and hit sign in I receive a "404 - File or directory not found" error.  All I do is hit the back button and login again and it logs me in just fine.  I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to login successfully it just takes me straight to index.cfm.
    Can anyone tell me why it's doing this and how to fix it?  It's just annoying to have to login twice every time.  Thanks

    codyw725 wrote:
      I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to login successfully it just takes me straight to index.cfm
    There are potentially 4 URLs involved here:
    1. The URL to which the CFID and CFToken are appended;
    2. The action page of the login form (look into the code);
    3. The page to which the user is sent when the login fails;
    4. The index.cfm page.
    It would be of interest to know whether 1. and 2., or whether 1. and 3., refer to the same page.

  • CFID/CFTOKEN in URL Not Used

    Hi, What I have is a website that uses a shared ssl site. Here is what happens
    They are at the main site.: http://www.mysite.com/
    They add a couple items to their cart
    They enter the secure site to checkout: https://securesite.com/mysite/?cfid=1234&cftoken=5678
    I check to see if they have items in their cart, if they don't, I kick them out of checkout
    Sometimes this works just fine and the session is recognized and I can see the items.
    Other times it kicks back out and the session isn't recognized.
    When I examine the cookies I can see that the secure site wrote its own cfid and cftoken values and is not using the ones passed through the URL.
    If I delete those cookies and try again it works great.
    Is there a reason it's not using the URL values? Is there a way to force it to use the ones I pass in? Please let me know if there is a setting or something I should do.
    First noticed this in Firefox, and it's also recently gone from CF8 to CF9.
    Thanks!!

  • Problem with Sessions & CFID Changing Unexpectedly

    MY SETUP...
    ColdFusion version 8.01 Standard
    Hotfix version hf801-00002.jar 
    Java version 1.6.0_04
    server OS Windows 2008 Enterprise 32bit
    webserver IIS 7.0.6
    database MySql 5.0.67
    THE PROBLEM
    For some visitors, every page on the website gives them a new CFID/CFTOKEN. I tried to narrow it down to a particular browser, but it's happening in every browser. It's only happening for some people. It was happening to me, then it stopped. Not sure what I did to fix it, but it's still happening to others.
    I'm using CFID/CFTOKEN (or more recently, a random number stored in a session.variable) as their temporary ID when they add something to their shopping cart. Problem is, when the CFID or session value changes, the items in their cart are no longer associated with them anymore - their cart appears to be empty at that point.
    For the love of God, what is causing the CFID and Session variables to change on every page? I am storing the client global variables in a MySql table which was setup by CF Administrator and appears to be working properly.
    Lastly, this site has been working fine for years; all of a sudden, after some PCI Compliance conformity and CF Patches, this problem arose, so I want to blame it on the patches, but I'm not sure.
    Has anyone else ever had this problem? How did you fix it?

    It can also be (and will always be) caused by any user whose browser (or any part of the connection) does not maintain the cookies.
    If the request does not contain a cookie with currently valid cfid|cftoken and|or cfsessionid values, ColdFusion will generate new ones.  This can be caused by security settings in the browser, OS, firewall, proxy etc.
    This has become an increasingly rare issue in modern Internet computing, but it was fairly common back in the day when cookies were a new idea.

  • Delete JSESSIONID from URL

    Hi,
    I have created a web based application which uses FORM based authentication. The application is developed in NWDS 2.0.16.
    When I deploy the application and access it in IE there are two parameters, JSESSIONID and SAPLB, which get appended to the existing URL.
    I have set the context root of the application as myapp, so for example if I type the following URL in the browser --> http://server:port/myapp and press Go, the application is loaded and the URL becomes something like this --> http://server:port/myapp/my.jsp;jsessionid=(J2EEXXXX)XXXXXXXEnd;saplb_*=XXXXXX
    I have tried an alternative by setting <url-session-tracking/> in the web-j2ee-engine.xml file but still the JSESSIONID gets appended to the URL.
    Is there any way by which this JSESSIONID can be avoided in the URL? The problem is that if a user adds the URL to the browser Favorites and then tries accessing the application, it throws an error.
    - Chintan

    Hi Chintan,
    > ...
    > URL --> http://server:port/myapp and press go the
    > application is loaded and the URL becomes something
    > like this -->
    > http://server:port/myapp/my.jsp;jsessionid=(J2EEXXXX)X
    > XXXXXXEnd;saplb_*=XXXXXX
    >
    This is the default behaviour for the first request from the client. After that, by default, the session is tracked with session cookies. You can find the complete description here:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ce/25c82019068449ac97d585c905a0f2/frameset.htm
    > I have tried an alternative by setting
    > <url-session-tracking/> in web-j2ee-engine.xml
    > file but still the JSESSIONID gets appended in the
    > URL.
    I think with this configuration you set the behaviour to use URL rewriting. So this is the opposite of what you want to achieve.
    Best regards,
    Stefan Brauneis

  • Jsession being reset in ssl

    I'm having trouble with my session being reset within an SSL
    page in a shopping cart application. I redirect from a non-SSL
    domain to an SSL domain and pass the #session.urlToken# and my
    session is still intact. From there I then submit the page to
    itself as a relative link (<form
    action="payment.cfm?#SESSION.urlToken#" method="POST">) and for some
    reason I lose my session! I checked the cfid, cftoken and
    jsessionid and noticed that the sessionid on the action page does
    not match the jsession being passed in the URL. So it seems my
    session is being reset for no apparent reason.
    Occasionally this does work, which although inconsistent
    seems to depend on whether it came from a domain that had www in
    front of the domain or not. The results never seem to be consistent
    even though I pass the urltoken to the SSL domain on the same
    server.
    Can anyone tell me what could be causing this erratic
    behaviour?

    For some unknown reason, I've had mixed results using
    SESSION.URLToken. Most of the time I simply use cookies so I don't
    have the issue but when I have to pass the tokens, I specify them
    myself:
    payment.cfm?CFID=#CFID#&CFToken=#CFToken#&JSession=#JSession#
    Hope this helps.
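Both of the threads above ("Delete JSESSIONID from URL" and this one) end up with session identifiers in the URL, either as a `;jsessionid=` path parameter or as `?CFID=...&CFTOKEN=...` query tokens. A URL-borne token is copied into bookmarks, browser history, proxy logs and Referer headers, which is the exposure a defender wants to find and remove. The following Python script is an added example, not code from either thread: it scans combined-format access-log lines (constructed here, not from a real server) for session tokens in the request URL or in the Referer and reports which token names were seen, deliberately without copying the values into the report.

```python
"""Find session identifiers carried in URLs in access-log lines (added example)."""
import re

# Combined log format: client, ident, user, [time], "request", status, size, "referer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# A session token appears as a query parameter (?CFID=..., &CFTOKEN=...) or as a
# path parameter (;jsessionid=...). Names are matched case-insensitively.
TOKEN_RE = re.compile(r'(?i)[?&;](cfid|cftoken|jsessionid)=([^&;\s"]+)')

# Constructed log lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2014:02:25:10 +0000] "GET /checkout/payment.cfm?CFID=1234&CFTOKEN=5678 HTTP/1.1" 200 512 "http://www.example.com/cart.cfm"',
    '10.0.0.6 - - [03/Sep/2014:02:26:31 +0000] "GET /myapp/my.jsp;jsessionid=(J2EE0001)ABCDEFEnd;saplb_*=NODE1 HTTP/1.1" 200 800 "-"',
    '10.0.0.7 - - [03/Sep/2014:02:27:02 +0000] "GET /index.cfm HTTP/1.1" 200 300 "-"',
    '10.0.0.8 - - [03/Sep/2014:02:28:45 +0000] "GET /img/logo.png HTTP/1.1" 200 100 "https://secure.example.com/payment.cfm?cfid=1234&cftoken=5678"',
    'this line is not in combined log format and is skipped',
]


def find_session_tokens(url):
    """Return [(token_name_lowercased, value)] for every session token in a URL."""
    return [(m.group(1).lower(), m.group(2)) for m in TOKEN_RE.finditer(url)]


def scan_log(lines):
    """Report lines whose request URL or Referer carries a session token.

    Only the token names are reported, never the values, so the report itself
    does not become another copy of the identifiers.
    """
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined log format; skip rather than guess
        for location in ("url", "referer"):
            target = match.group(location)
            if not target or target == "-":
                continue
            tokens = find_session_tokens(target)
            if tokens:
                findings.append({
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "location": location,
                    "tokens": sorted({name for name, _ in tokens}),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample line shows why the Referer column is worth checking: the request itself is a harmless image fetch, but the referring page carried the tokens, so any external resource that page loads receives them too. Lines that do not parse are skipped rather than guessed at, so the scan can run over a raw log file without pre-filtering.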

  • XForms Submission - No posted document to process

    When I process the following jsp page:
    <%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*" errorPage="error.jsp" %>
    <html>
    <head>
         <title>Budgeting Project</title>
         <meta http-equiv="Content-Type" content="text/xhtml; charset=iso-8859-1">
         <link href="stylesheet/Budgeting.css" rel="stylesheet" type="text/css">
    </head>
    <body>
    <%
    String ActivityId = request.getParameter("ActivityId");
    out.println("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
    out.println("<html xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:ev=\"http://www.w3.org/2001/xml-events\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xforms=\"http://www.w3.org/2002/xforms\">");
    out.println("<object id=\"FormsPlayer\" classid=\"CLSID:4D0ABA11-C5F0-4478-991A-375C4B648F58\">");
    out.println("<div class=\"attention\">FormsPlayer has failed to load!</div>");
    out.println("</object>");
    out.println("<?import NAMESPACE=\"xforms\" IMPLEMENTATION=\"#FormsPlayer\" ?>");
    out.println("<?import namespace=\"xforms\" implementation=\"#FormsPlayer\"?>");
    out.println("<head>");
    out.println("<title>Define Resources for Activity</title>");
    out.println("<link rel=\"stylesheet\" href=\"stylesheet/style.css\" type=\"text/css\" />");
    out.println("<xforms:model id=\"default\">");
    out.println("<xforms:instance id=\"sr\" src=\"ListSectRes1.xsql?ActivityId="+ActivityId+"\" />");
    out.println("<xforms:submission action=\"InsertSectRes1.xsql\" method=\"post\" id=\"submit\" />");
    //out.println("<xforms:submission action=\"SubmitSectResActivity.jsp\" method=\"post\" id=\"submit\" replace=\"all\" />");
    //out.println("<xforms:submission action=\"C:\\ListSectRes.xml\" method=\"put\" id=\"submit\" replace=\"none\" />");
    out.println("</xforms:model>");
    out.println("</head>");
    out.println("<body>");
    out.println("<xforms:group>");
    out.println("<xforms:label class=\"fixed\">Section</xforms:label>");
    out.println("<xforms:label class=\"fixed\">Resource</xforms:label>");
    out.println("<xforms:label class=\"fixed\">Per Diem</xforms:label>");
    out.println("<xforms:label class=\"fixed1\">Person Days</xforms:label>");
    out.println("<xforms:label class=\"fixed1\">Description</xforms:label>");
    out.println("     </xforms:group>");
    out.println("<xforms:repeat nodeset=\"/SCTNRSRCS/SCTNRSRC\" class=\"mrk\">");
    out.println("<xforms:group>");
    out.println("<xforms:output ref=\"NAME\" class=\"fixed\" />");
    out.println("<xforms:output ref=\"GROUP_LEVEL\" class=\"fixed\" />");
    out.println("<xforms:output ref=\"PER_DIEM\" class=\"fixed\" />");
    out.println("<xforms:input ref=\"PERSON_DAYS\" class=\"fixed1\" />");
    out.println("<xforms:textarea ref=\"DESCRIPTION\" class=\"desc\" />");
    out.println("</xforms:group>");
    out.println("<hr />");
    out.println("</xforms:repeat>");
    out.println("<xforms:group class=\"submit\">");
    out.println("<p align=\"center\">");
    //out.println("<xforms:submit submission=\"save\">");
    //out.println("<xforms:label>Save</xforms:label>");
    //out.println("</xforms:submit>");
    out.println("<xforms:submit submission=\"submit\">");
    out.println("<xforms:label>Submit</xforms:label>");
    out.println("</xforms:submit>");
    out.println("</p>");
    out.println("</xforms:group>");
    out.println("</body>");
    out.println("</html>");
    out.println("");
    %>
    </body>
    </html>
    With the following XSQL for action:
    <?xml version="1.0"?>
    <!-- transform="stylesheet/InsertSectRes1.xsl" -->
    <page connection="budgeting" xmlns:xsql="urn:oracle-xsql">
    <xsql:include-posted-xml/>
    <xsql:include-request-params/>
    <xsql:update-request key-columns="Activity_Id Sect_Rsrc_Id"
    table="section_resources_activities" transform="stylesheet/InsertSectRes1.xsl"/>
    <!--<xsql:insert-request table="section_resources_activities"/>-->
    </page>
    I get the following error:
    <?xml version = '1.0'?>
    <!-- transform="stylesheet/InsertSectRes1.xsl" -->
    <page xsql-timing="0">
    <!--0--><xsql-status action="xsql:include-posted-xml" result="No posted document to process"/>
    <!--0--><request><parameters/><session/><cookies><JSESSIONID>0E797F116B6C610BDD259C941C520454</JSESSIONID><CFID>103938</CFID><CFTOKEN>50196159</CFTOKEN></cookies></request>
    <!--0--><xsql-status action="xsql:update-request" result="No posted document to process"/>
    <!--<xsql:insert-request table="section_resources_activities"/>-->
    </page>
    Can anyone tell me how I can resolve this, because the action works on a regular jsp page that does not process XForms?
    Thank you kindly,
    Francine

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies:
    1] In application.cfc we can do this by using the below code. Or we can do this on the CF admin side under Server Settings » Memory Variables.
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies:
    2] In application.cfc we can do this by using the below code. Or we can do this on the CF admin side under Server Settings » Memory Variables.
         this.sessioncookie.secure = "true";
    Here my question is how we can do the same thing in Application.cfm. (I am using ColdFusion version 10.) I know we can do this using the below code, in the case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this with my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. ColdFusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
    If this is the case then why am I getting the below info for jsessionid? (As you mentioned, it should be set with the SECURE flag, right?) Note that we are using the web server Apache vFabric, and the application that we are using is in https, and no hit is going from https to http.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2] When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set HTTPOnly and SECURE flag for JSESSIONID only, or for CF session cookies (CFID AND CFTOKEN) as well?
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
    I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for CF session cookies?
    BKBK wrote:
    3] If I need to set HTTPOnly and SECURE flag for JSESSIONID, how can I do that?
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
    I understood that it is sufficient to set httponly only, but how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea?
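The disagreement in this thread is about which flags each cookie actually arrives with, and the cookie dump Abdul pasted ("Send for: Any kind of connection") is exactly the evidence that settles it: that cookie has HttpOnly but not Secure, whatever the server was expected to do. The following Python script is an added example, not code from the thread or from Adobe: it parses Set-Cookie headers and reports which of CFID, CFTOKEN and JSESSIONID are missing HttpOnly or Secure. The two header sets are constructed; the weak set mirrors the manual <cfheader> approach from the question (no flags on CFID/CFTOKEN, HttpOnly only on JSESSIONID) and the hardened set is the corrected version. It assumes, as Abdul states, that the application is served over HTTPS only, so a missing Secure flag counts as a finding.

```python
"""Audit Set-Cookie headers for session-cookie flags (added example)."""

SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Constructed response headers, not captured from a real server.
WEAK_HEADERS = [
    "CFID=12345;path=/",
    "CFTOKEN=67890123;path=/",
    "JSESSIONID=EXAMPLE0123456789ABCDEF.node1;Path=/;HttpOnly",
    "lang=en;Path=/",  # not a session cookie; ignored by the audit
]
HARDENED_HEADERS = [
    "CFID=12345;Path=/;HttpOnly;Secure",
    "CFTOKEN=67890123;Path=/;HttpOnly;Secure",
    "JSESSIONID=EXAMPLE0123456789ABCDEF.node1;Path=/;HttpOnly;Secure",
    "lang=en;Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value or True}).

    Attribute names are lower-cased because servers emit them in mixed case
    ("HTTPOnly", "HttpOnly", "httponly") and RFC 6265 treats them as
    case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers, over_https=True):
    """Return [(cookie_name, [missing flags])] for CFID, CFTOKEN and JSESSIONID.

    Secure is only required when the application is served over HTTPS; over
    plain HTTP the browser would never send a Secure cookie at all.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    print("weak:", audit_session_cookies(WEAK_HEADERS))
    print("hardened:", audit_session_cookies(HARDENED_HEADERS))
```

Feeding the script the actual response headers of a login page (from a browser's network panel or a saved HTTP exchange) answers the thread's open question directly: if JSESSIONID still shows up without Secure over HTTPS, the servlet container is not adding the flag on that deployment, and it has to be configured explicitly rather than assumed.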

  • How to pass session variables via the URL in CF10?

    Hi
    I have a client with some old Flash functionality (AS2). The SWF allows the user to upload an image. However a new session is being started when the upload script is called. I have added the CFID, CFTOKEN and JSESSIONID to the URL as I did in the past to maintain the session but I believe you cannot do this anymore with CF10, if this is correct can anyone point me in the right direction of how I would accomplish maintaining the session for the upload?
    This has a note about CF 10 - http://forums.adobe.com/thread/1178420
    Kind regards
    Shaun

    Hi Shaun
    Are you facing the same issue with all the browsers?
    Thanks
    VJ
