Hash session identifiers to avoid compromised database lookups of all session identifiers


I was chatting with Matt Clemente about storing sessions in Redis with your extension. Though I haven't used it yet personally, I do have a client that is interested in using Redis for sessions. One reservation I have about using an external cache or database for sessions is that if the database is compromised, an attacker can enumerate all the session IDs.

Matt mentioned that the session key might look like this:

In the above example eb313447-3e2b-4c28-87fa-18f285743360 is the session identifier (CFID, JSESSIONID).

My Suggestion:

A better way to do this from a security perspective would be to hash the session identifier, treating it just like a password. You would still be able to take a session ID from the request and look up the appropriate session; however, you would not be able to enumerate the session identifiers and hijack a session.

Let me know what you think or if you have any questions.
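
A sketch of the hashed-key lookup suggested in the post above, added here as an example; it is not code from the Redis extension or from Lucee. It assumes SHA-256 as the hash, a plain dict standing in for the Redis keyspace, and a hypothetical `session:` key prefix.

```python
import hashlib
import secrets

KEY_PREFIX = "session:"  # hypothetical namespace, not the extension's real key layout


def storage_key(session_id: str) -> str:
    """Derive the cache key from the client-held session ID.

    Session IDs are long random values, so one fast hash is enough;
    the slow, salted hashing used for passwords is not needed here.
    """
    digest = hashlib.sha256(session_id.encode("utf-8")).hexdigest()
    return KEY_PREFIX + digest


class HashedSessionStore:
    """Session store that never writes the raw session ID to the backend."""

    def __init__(self, backend=None):
        # Any mapping works; a dict stands in for the Redis keyspace (assumption).
        self.backend = {} if backend is None else backend

    def create(self, data: dict) -> str:
        session_id = secrets.token_urlsafe(32)  # handed to the client only
        self.backend[storage_key(session_id)] = dict(data)
        return session_id

    def load(self, session_id: str):
        # The ID from the request is hashed again to find the entry.
        return self.backend.get(storage_key(session_id))

    def destroy(self, session_id: str) -> None:
        self.backend.pop(storage_key(session_id), None)

    def enumerate_keys(self):
        """What anyone with read access to the cache can list."""
        return sorted(self.backend)


def lookup_with_stored_key(store: HashedSessionStore, stored_key: str):
    """Present a key read from the cache as if it were a session ID."""
    candidate = stored_key[len(KEY_PREFIX):]
    return store.load(candidate)  # hashed once more on lookup, so it misses
```

Listing the keyspace returns only digests, so any component that expects to recover session IDs from a key listing would no longer get them.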


Brad Wood
November 22, 2019, 6:17 PM

Lucee controls this ID, not our cache extension. Unless you propose a secret ninja hash in our provider. That may give you issues elsewhere if Lucee pulls a list of IDs to look at.




Pete Freitag