Is the sessionid a cryptographically secure value?...
# cfml-generald
Daniel Mejia
05/18/2022, 9:00 PMIs the sessionid a cryptographically secure value?
These are generated by ACF server session.
b
bdw429s
05/18/2022, 9:06 PM@Daniel Mejia I'm not aware of ColdFusion itself creating
sessionidbdw429s
05/18/2022, 9:06 PMAre you sure your app code isn't creating that?
bdw429s
05/18/2022, 9:07 PMCF just creates CFID and CFToken as far as I'm aware
bdw429s
05/18/2022, 9:07 PMThat session variable is actually likely coming from ColdBox
d
Daniel Mejia
05/18/2022, 9:07 PMI have sessionmanage on and I simply log the value of "session" and I get those keys.
Daniel Mejia
05/18/2022, 9:08 PMah that makes sense
b
bdw429s
05/18/2022, 9:08 PMUm, I doubt that
d
Daniel Mejia
05/18/2022, 9:08 PMit is a coldbox app
b
bdw429s
05/18/2022, 9:08 PMit's more like
ā¢ all you did was enable session man
ā¢ 1000's of lines of coldbox and app code ran
ā¢ your session scope had a variable
š 1
d
Daniel Mejia
05/18/2022, 9:08 PMlol
b
bdw429s
05/18/2022, 9:09 PMThe answer to your question is likely "yes"
bdw429s
05/18/2022, 9:09 PMWhatever is creating that var is using the cftoken inside of it, which should be considered secure
bdw429s
05/18/2022, 9:09 PMOr at least, sufficiently random
d
Daniel Mejia
05/18/2022, 9:09 PMright. My fallback is to use
java.security.SecureRandomb
bdw429s
05/18/2022, 9:10 PMWhat exactly are you trying to do here??
d
Daniel Mejia
05/18/2022, 9:11 PMits a param for a payload to Duo Security api service - part of the multi factor auth process.
b
bdw429s
05/18/2022, 9:12 PMShould work
bdw429s
05/18/2022, 9:13 PMI assume you're looking for
ā¢ a value that's different per user
ā¢ a value that can't easily be guessed
ā
1
d
Daniel Mejia
05/18/2022, 9:13 PMwell I'm going to skip it and use hash or SecureRandom because this is for a forgebox module and I don't want the hard dependency on Coldbox.
b
bdw429s
05/18/2022, 9:14 PMYep, good idea
bdw429s
05/18/2022, 9:14 PMYou could use token directly, but Lucee doesn't use token in favor of putting a hash directly in cfide
bdw429s
05/18/2022, 9:14 PMBut in either case, those both rely on session management
bdw429s
05/18/2022, 9:14 PMSo best not to rely on either of them if possible for your 3rd party module
d
Daniel Mejia
05/18/2022, 9:15 PMright
a
Adam Cameron
05/18/2022, 10:35 PM
@bdw429s
session.sessionIdšš¾ 1
d
Daniel Mejia
05/18/2022, 10:41 PMI did just notice that cftoken is part of the sessionid in combination with cfid and I guess the application name in hex or something.
ā
1
a
Adam Cameron
05/18/2022, 10:43 PM
just supposed to be the application name. Thought it looked like a pretty bloody weird sessionId
Adam Cameron
05/18/2022, 10:49 PM
Copy code
<cfdump var="#[
"application.name" = application.applicationname,
"session.cfid" = session.cfid,
"session.cftoken" = session.cftoken,
"session.sessionId" = session.sessionId
]#" format="text"> Copy code
struct (ordered)
application.name: sessionTests
session.cfid: 204
session.cftoken: 964945d98128491-7D884619-021C-4B7C-90573E92201E4052
session.sessionId: SESSIONTESTS_204_964945d98128491-7D884619-021C-4B7C-90573E92201E4052šš¾ 1
d
Daniel Mejia
05/18/2022, 10:50 PMI was on that docs page earlier but I only keyword searching for "cryptographically" "crypto" "secure" to know for sure if any of the session data is a cryptographically secure value.
And yes it does say its supposed to be app name.
Daniel Mejia
05/18/2022, 10:52 PMoh the coldbox app name by default in the template is
hash( getCurrentTemplatePath() )3 Views