Web Software Architecture and Engineering – Life on the Bleeding Edge

I know what you are thinking. Not another ColdFusion 10 security post!

This one is serious. You need to be aware as it will, most likely, impact your application.

The issue is simple, and logically CF 10′s fix makes sense, except that is breaks backward compatibility and make some things harder on us.

Let’s work through the use case.

In an ideal world, your application would allow UserA with UsernameA to login to your application. If UserB used the same UsernameA, it should either give an error saying that UsernameA is in use, or kick UserA off and allow UserB in. This second scenario, kicking the user off, is what is the default in CF10.

Normally, you would think this is a good thing. Users shouldn’t share usernames anyways, right? Well, kinda.

Adobe’s assumption that this is the ONLY use case is incorrect. There are valid scenarios where users share usernames. But beyond that, let’s say you do a lot of server-side functional testing using Selenium or JMeter, and you have a single login for the script to use, as soon as user2 logs in, user1 is kicked out. This is what happened to us – all our server side tests started failing in CF10.

And lastly, what if you are developer, and need to login on two different browsers, say IE and FF, to compare how the screen looks and are doing your standard browser compatibility testing, suddenly you can’t – because one will log out the other.

The impact of this change is great in the way we do business as developers. You now have to support multiple logins, and in the case of JMeter test where the script ramps up to 20 concurrent users, provide twenty different logins. And then imaging deleting all that test data. The list of additional work goes on.

Some ideas that have been floated and I support, is to make this functionality optional. I would love to set this up to make it optional for my test accounts. The way I see that is a conditional setting in onSessionStart. Obviously there are other ways to skin this cat.

The downside to this is that it halts all sorts of testing for our app and our migration to CF10 is seriously tainted.

You can do a couple things. Vote here: https://bugbase.adobe.com/index.cfm?event=bug&id=3339008. And contact Shilpi Khariwal https://twitter.com/shilpikm – ColdFusion Security Czar.

About these ads

Comments on: "ColdFusion 10 – Security Change – Be Aware!" (3)

  1. TBH, the more common use case in my experience is the latter: people (not just tech people) using two different browsers to login to the same app using the same account, but doing two different things. EG: in a CMS one window to do front-end inline content editing, in another window doing back-end config / organisation tasks.

    I have not had a situation in which the client *wanted* only one login at a time for a given app.

    My experiences don’t equate to anything statistically meaningful, but it does suggest it was perhaps poor form to arbitrarily decide to change the default behaviour.


    Adam

  2. Brian Klaas said:

    Does this affect only CF apps that use the cflogin tag, or any app which uses the session scope in general?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 414 other followers

%d bloggers like this: