
Question


Common "best practice" for ColdFusion cookie session cookie management has been to implement something like this:

<!--- Stop ColdFusion from issuing its own CFID/CFTOKEN cookies; they are written by hand below --->
<cfset this.setClientCookies = false />

<!--- First visit: no session cookies yet, so write the current session identifiers scoped to this host and path --->
<cfif NOT IsDefined( "cookie.cfid" ) OR NOT IsDefined( "cookie.cftoken" )>
    <cfcookie name="cfid" value="#session.cfid#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
    <cfcookie name="cftoken" value="#session.cftoken#" domain=".#cgi.HTTP_HOST#" path="/test/sessiontest">
</cfif>

<!--- Subsequent requests: re-issue the cookies from whatever CFID/CFTOKEN values the client sent --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFID" value="#Cookie.CFID#">
    <cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>

Depending on who you talk to.


Adobe then released http://www.adobe.com/support/security/bulletins/apsb11-04.html and later a fix for this original fix, which is talked about here: http://www.shilpikhariwal.com/2011/03/update-on-security-hot-fix-feb-2011.html


The original fix causes a lot of issues described here: http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour This fix (and a lot of other similar fixes on the web) work by modifying the cfcookie code above.


It's a year later and what I would like to know is what people are currently doing for CFID/CFToken management when running CF9.02 (i.e., with the session fixation fixes applied).

Accepted answer


Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).


The Adobe docs actually have a pretty good write up about managing client state: Managing the client state


What is your case for still needing to use CFID/CFToken?


An excerpt from that Adobe article:


You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.
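The answer's alternative to the hand-rolled cfcookie code in the question, as an added example (not code from the asker, the answerer, or Adobe): an Application.cfc that keeps all identity state in ColdFusion's server-side session scope and never re-issues CFID/CFTOKEN from client-supplied cookie values. It assumes the application name "sessiontest", a hypothetical authenticate() helper that returns a user id (0 on failure), login.cfm/logout.cfm page names, and that "Use J2EE Session Variables" is enabled in the Administrator as the quoted excerpt recommends, so that the underlying servlet session can be invalidated on logout.

```cfml
/**
 * Application.cfc (added example; assumptions are noted inline).
 * Session identity lives on the server; the browser only ever holds the
 * session cookie that ColdFusion itself issues.
 */
component output="false" {

    this.name              = "sessiontest";                 // assumed application name
    this.sessionManagement = true;                          // enable the server-side session scope
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);   // 30-minute idle timeout
    this.clientManagement  = false;                         // no client variables at all
    this.setClientCookies  = true;                          // let ColdFusion issue its own session cookie

    // Runs once when ColdFusion creates a new session: seed a known-good, logged-out state.
    function onSessionStart() {
        session.loggedIn = false;
        session.userId   = 0;
    }

    // Authentication result is stored only in the session scope; nothing from
    // the request (cookie.cfid, cookie.cftoken, url tokens) is copied back out.
    function login(required string username, required string password) {
        // authenticate() is a hypothetical helper: returns the user id, or 0 on failure
        var userId = authenticate(arguments.username, arguments.password);
        if (userId == 0) {
            return false;
        }
        session.loggedIn = true;
        session.userId   = userId;
        return true;
    }

    // Logout: wipe the server-side state, then invalidate the servlet session
    // (meaningful when J2EE session variables are enabled, as assumed here) so
    // the old identifier cannot be reused.
    function logout() {
        structClear(session);
        getPageContext().getSession().invalidate();
    }

    // Per-request gate: trust only what the server-side session scope says.
    function onRequestStart(required string targetPage) {
        var page = listLast(arguments.targetPage, "/");
        var isPublicPage = listFindNoCase("login.cfm,logout.cfm", page) GT 0;
        if (NOT isPublicPage AND (NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn)) {
            // addToken=false: do not append CFID/CFTOKEN to the redirect URL
            location("login.cfm", false);
        }
        return true;
    }
}
```

With this setup the question's two cfif blocks disappear entirely: ColdFusion writes the session cookie itself, and a request carrying a forged or stale CFID/CFTOKEN pair can at most land in an empty session, never re-mint cookies for the identifiers it supplied.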


08-27 17:07