
I inherited a ColdFusion application. The code is very old (think Allaire days) and I've been slowly upgrading it. Recently, we endured penetration testing, which failed in numerous areas. My focus at this moment is the login functionality, specifically how to store and use cookies. We recently upgraded to CF 2018 on Windows.

The site is only accessible via RDS currently, but will be made available via the general web in the near future.

Currently, the code sets a "rememberme" cookie onLogin, as follows, using a heap of obfuscation. I think this was borrowed from a Ben Nadel example: https://www.bennadel.com/blog/1213-creating-a-remember-me-login-system-in-coldfusion.htm

<!--- Build the plaintext cookie payload: two random UUIDs bracketing the user's ID, name and permission flags --->
<cfset strRememberMe = (
        CreateUUID() & ":" &
        SESSION.User.ID & ":" &
        SESSION.User.Name & ":" &
        SESSION.User.Billing & ":" &
        SESSION.User.Admin & ":" &
        SESSION.User.Reversals & ":" &
        CreateUUID()
        ) />

<!--- Encrypt the payload with the application-wide key using the legacy cfmx_compat algorithm, hex encoded --->
<cfset strRememberMe = Encrypt(
        strRememberMe,
        APPLICATION.EncryptionKey,
        "cfmx_compat",
        "hex"
        ) />

<!--- httponly is set globally in CFAdmin so not reqd here --->
<cfcookie
        name="RememberMe"
        value="#strRememberMe#"
        expires="never"
        httponly="true"
        />

Several user permissions are included in this cookie, flagging the user as being able to access certain parts of the site and/or perform certain functions.

I would like to keep any unnecessary data completely out of the cookie, perhaps keeping only the userID there. A check could be made, perhaps in the application.cfc onRequest() method, to check for the cookie and query the database, then set session variables related to user permissions. Currently, application.cfc onSessionStart() parses the user permissions out of the cookie to create the session-scoped variables. The problem I see with only having the raw UserID in the cookie is that the UserID could be rather easily guessed, so some type of obfuscation or encryption would probably still be necessary.

I realise from my reading that cfmx_compat provides weak encryption.

I'm after the cleanest, most effective way to secure the cookie from any type of third-party or MITM abuse/attack, and make use of it in the application. I've read just about everything on the internet about this and people are doing and suggesting different things. My brain is overloaded with ideas right now. I don't want to be fancy, just effective.

The site doesn't have SSL or TLS right now, but will be implemented soon, which should help matters security-wise.

user460114

1 Answer

Think of the remember-me cookie with the same security concerns as normal login credentials. Do not include any sensitive info; rather, save all other data in the database and only access it after the user is authenticated.

In the cookie, have a way to identify a user and a secret with sufficient length/entropy. The secret should be hashed (e.g. bcrypt) in the database, so if someone sees your database they can't simply send the data in a cookie to authenticate as any user. You can include the username in the cookie or create a random string for each user that can be used instead.

Did you have other concerns or questions?

Dan Roberts

I'll also add that nothing should be encrypted with `CFMX_COMPAT`. It is way broken and insecure. – Shawn Mar 06 '20 at 23:14
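The scheme the answer describes, as an added example that is not from the question, the answer, or the asker's ColdFusion code: the cookie carries only a random per-token identifier (the "random string" the answer mentions) plus a 256-bit secret, the database row holds a hash of that secret, and permissions are looked up by user_id only after the check succeeds. It is written in Python rather than CFML so it runs stand-alone; the in-memory dict stands in for the database table, and SHA-256 replaces bcrypt because the secret is 32 random bytes, which already has far more entropy than a password.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a remember_me_tokens table, keyed by selector.
# A real deployment would use a database table with the same three columns.
REMEMBER_ME_TABLE = {}


def issue_remember_me(user_id, lifetime_days=30):
    """Create a token for user_id and return the cookie value.

    Only a hash of the validator is stored, so a database read alone does
    not let an attacker forge a cookie. Nothing else (name, permissions)
    goes into the cookie; it is fetched from the user table on each request.
    """
    selector = secrets.token_urlsafe(12)   # public per-token identifier
    validator = secrets.token_bytes(32)    # 256-bit secret, never stored
    REMEMBER_ME_TABLE[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator).digest(),
        "expires": datetime.now(timezone.utc) + timedelta(days=lifetime_days),
    }
    return selector + ":" + validator.hex()


def check_remember_me(cookie_value, now=None):
    """Return the user_id the cookie authenticates, or None on any failure."""
    now = now or datetime.now(timezone.utc)
    try:
        selector, validator_hex = cookie_value.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:            # malformed cookie: missing ':' or bad hex
        return None
    row = REMEMBER_ME_TABLE.get(selector)
    if row is None or now >= row["expires"]:
        return None
    # Constant-time comparison so response timing leaks nothing about the hash.
    if not hmac.compare_digest(hashlib.sha256(validator).digest(),
                               row["validator_hash"]):
        return None
    return row["user_id"]


def revoke_remember_me(cookie_value):
    """Delete the token (logout, password change, or suspected theft)."""
    selector = cookie_value.split(":", 1)[0]
    REMEMBER_ME_TABLE.pop(selector, None)
```

Expiry is enforced server-side by the stored timestamp rather than by trusting the browser's cookie expiry, and the expires="never" from the original code becomes a bounded lifetime.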