Title

ColdFusion must set session cookies as browser session cookies. (Cat II impact)

Discussion

Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly. ColdFusion offers the capability to set session Cookies and all other Cookies to browser cookies. This means all cookies become invalid once the browser window is closed instead of setting a time to live to the cookie. Setting the cookies to browser cookies will ensure the session identifier is invalidated once the user ends the session through closing the browser.

Check Content

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Cookie Timeout" is not set to -1, this is a finding.

Fix Text

Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the parameter "Cookie Timeout" to -1 and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237201r641698_rule

Vulnerability ID: V-237201

Group Title: SRG-APP-000223-AS-000150

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.