Tim Blair

Active Sessions Across CF Applications (15/08/2005)

A couple of weeks ago I was looking at ways of accessing all active sessions within a given CFMX application. A simple solution I came up with was of storing a reference to the individual session within an application scoped structure:

<cfset application.sessionref = structnew()> <cfset application.sessionref[sessionid] = session>

where sessionid is some variable unique to that session (e.g. user ID, jsessionid etc). The developer can then loop through the application.sessionref structure to access all session variables.

A couple of days later I spotted this post by Samual Neff on rewindlife.com which gives a way of using the underlying java of CFMX to access all sessions directly without creating a reference such as above. Another thought then came to mind - if it's possible to access all session information in this way, can you do the same for application information?

So, I had a look and indeed it is possible! By utilising the ApplicationScopeTracker object it is possible to loop through the names of all applications that are currently active on the server and retrieving the session details using Sam's method above:

<!--- define the application ---> <cfapplication name="sessionLister" sessionManagement="yes" sessiontimeout="#createtimespan(0,0,2,0)#"> <!--- application tracker object ---> <cfset appObj = createObject("java", "coldfusion.runtime.ApplicationScopeTracker")> <!--- get the enumeration of application keys ---> <cfset apps = appObj.getApplicationKeys()> <!--- session tracker object ---> <cfset tracker = createObject("java", "coldfusion.runtime.SessionTracker")> <!--- while there are more applications in the enumeration ---> <cfloop condition="#apps.hasMoreElements()#"> <!--- get the app name ---> <cfset appname = apps.nextElement()> <!--- get the sessions for this app name ---> <cfset sessions = tracker.getSessionCollection(appname)> <!--- dump the sessions out ---> <cfdump var="#sessions#" label="#appname#"> </cfloop>

Note: all this (except the reference method described first) uses the undocumented underlying java functionality of CFMX and as such may change!

Checking back to the original post by Sam that got me on to this train of thought, there were a couple of comments regarding the possibilty of accessing all applications on a given server instance and security concerns arising from this.

Thinking about it now, it does indeed seem like quite a large security threat, especially on shared servers... Just running a quick test on my local box, it is possible to modify session detail from any application returned by the getSessionCollection() method. Because a reference to the session structure is returned, it's possible to modify the code posted above to modify every session. Add the following in at the bottom of the loop (before the dump):

<!--- try hacking a session ---> <cfloop collection="#sessions#" item="item"> <cfset sessions[item].hacked = "oh dear"><br> </cfloop>

I don't have access to a shared host (well I do but all access details are at home!) to be able to try this out - does anyone care to try it and post results (without modifying anyone else's sessions of course!).

My guess is that enabling sandbox security and restricting the instantiation of java classes may help this but with the various "get arounds" for grabbing instances using forName() etc it may still be a way to access all session data.

Blimey, what a can of worms...

Article Archive (September '03 – '05)

• Private CFC Methods and "this" 01/09/2003
• Active Sessions Across CF Applications 12/09/2003
• isnumeric() - Too Clever for It's Own Good? 15/03/2004
• Modifying Page Generated Content 15/03/2004
• CF and Arrays of Basic Java Types 17/03/2004
• Writing UTF-8 Text Files with ColdFusion 13/05/2004
• Top vs. Bottom Posting 09/07/2004
• Local (var) Scope Shortcut 27/12/2004
• Using Apache mod_headers to Change Downloaded Filenames 16/06/2005
• Changing the Working Directory of <cfexecute> 12/07/2005
• Flickr Workshop Review 29/09/2005