Thursday, June 27, 2002

Optional UUID for CFTOKEN
I mentioned in the previous note (New URLSessionFormat() Function that one of the challenges of CFID and CFTOKEN pairs is that if the value is displayed on the URL, it's just very easy to guess. The CFID/CFTOKEN values are just a few simple numbers. By trying different numbers, a user may be able to impersonate or "spoof" another user's session (or client) variables. (And this really isn't a concern just if you pass them on the URL. Anyone familiar with the process can simply type a CFID/CFTOKEN pair on any URL running a CF template and possibly guess an active pair.)

So another new feature of CFMX, which has nothing to do with J2EE session variables, is that you can ask the server to generate more elaborate UUIDs (universally unique identifiers) for the CFTOKEN. This is enabled in the Administrator, on the "server settings" page, by checking the option "Use UUID for cftoken". (The fact that this is not on the "memory variables" page reinforces the point that the CFTOKEN is used for both client and session variables.) You will need to restart the CFMX server for this change to take effect. You need not change any code to benefit from this new feature.

After enabling them, you may see that CFTOKEN values look more like this, as an example: 15ce46ab4e29af0a-AF695847-F92F-344A-133252991FB6C3B5. (You can see it yourself with <cfoutput>#cftoken#</cfoutput>.) Definitely a lot harder to randomly guess an active value! It's a feature that probably should be enabled by all sites, just for the added protection. The only risk is if you have any code that for some reason relies on the CFTOKEN being the simpler 8-digit number (or are storing the CFTOKEN in a database column that needs to be widened).

One side note: the ability to use a UUID for CFTOKEN isn't really new in CFMX. It's just easier to enable. In CF 4.5 and 5, it requires a manual registry change. See the Macromedia Technote at for more.

No comments: