Assignee: Unassigned
Reporter: Pete Freitag
Priority: Major
Sentry
Created November 22, 2019 at 3:20 PM
Updated November 22, 2019 at 3:20 PM
I was chatting with Matt Clemente about storing sessions in Redis with your extension. Though I haven't used it yet personally, I do have a client that is interested in using Redis for sessions. One reservation I have about using an external cache or database for sessions is that if the database is compromised, an attacker can enumerate all the session ids.
Matt mentioned that the session key might look like this:
sessions-lucee-storage:session:eb313447-3e2b-4c28-87fa-18f285743360:leadsseason4io
In the above example eb313447-3e2b-4c28-87fa-18f285743360 is the session identifier (CFID, JSESSIONID).
My Suggestion:
A better way to do this from a security perspective would be to hash the session identifier treating it just like a password. You would still be able to take a session ID from the request and look up the appropriate session, however you would not be able to enumerate the session identifiers and hijack a session.
Let me know what you think or if you have any questions.
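The following is an added illustration of the suggestion above, not code from the issue or from the Lucee Redis extension. It keeps the key layout shown in the issue but stores only a SHA-256 digest of the session id, so a dump of the database exposes no usable cookie values while a lookup with the real cookie still succeeds. The store class and the session data are constructed stand-ins; one practical caveat is that a session id is already a high-entropy random value, so a single fast hash is adequate for a per-request lookup and a slow password KDF is unnecessary.

```python
import hashlib

# Key layout from the issue: <prefix>:session:<id>:<app>.
PREFIX = "sessions-lucee-storage"


def hash_session_id(session_id: str) -> str:
    """Digest the cookie value (CFID/JSESSIONID) before using it as a storage key.

    The raw id never reaches the database, so a leaked key set yields only
    digests, which cannot be replayed as cookies (SHA-256 is one-way).
    """
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def storage_key(session_id: str, app_name: str) -> str:
    """Build the Redis key with the hashed id in place of the raw one."""
    return f"{PREFIX}:session:{hash_session_id(session_id)}:{app_name}"


class SessionStore:
    """Minimal in-memory stand-in for the Redis store (constructed for this example)."""

    def __init__(self):
        self._db = {}

    def save(self, session_id, app_name, data):
        self._db[storage_key(session_id, app_name)] = data

    def load(self, session_id, app_name):
        # The request still carries the raw id; hashing it reproduces the key.
        return self._db.get(storage_key(session_id, app_name))

    def dump_keys(self):
        # What someone with read access to the database would be able to list.
        return sorted(self._db)


def demo():
    """Store one session, then check that a key dump does not contain the raw id."""
    store = SessionStore()
    sid = "eb313447-3e2b-4c28-87fa-18f285743360"  # the id quoted in the issue
    store.save(sid, "leadsseason4io", {"user": "alice"})  # constructed session data
    leaked_raw_id = any(sid in key for key in store.dump_keys())
    return store.load(sid, "leadsseason4io"), leaked_raw_id
```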