views:

154

answers:

1

Hello, I am testing out how to protect pages in coldfusion and have run into an issue when attempting to create a process by which users can log out.

Essentially, I have three pages:

  1. Page A - The form that submits to Page B
  2. Page B - That checks the form.username and form.password against a database (works fine)
  3. Page C - Logout page (Which is where I am having an issue).

Page C throws a "variable Session is undefined" error.

Here is the code on Page C:

<cfset StructClear(Session)>
<cflocation url="index.cfm">

Here is the code on Page B:

<cfif NOT IsDefined ("form.username")>
<cflocation url="index.cfm" addtoken="No">
</cfif>


<cfquery name="test" datasource="cfdb">
SELECT * FROM USERS
WHERE USERNAME = '#FORM.username#'
AND PASSWORD = '#FORM.password#'
</cfquery>


<!---<CFSET Session.LoggedIn = "1">
<CFSET Session.FirstName = "#test.FirstName#">--->

<CFIF test.RecordCount IS 0>
<!--- Clear the session before redirecting: cflocation ends the request,
      so any tag placed after it never runs --->
<CFSET StructClear(Session)>
<cflocation url="index.cfm" addtoken="No">
<cfelse>
<CFSET Session.LoggedIn = "1">
<!---<cflocation url="test.cfm" addtoken="No">--->
</cfif>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<p><a href="logout.cfm">Log Out</a></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><br>
  This content is protected.
</p>
</body>
</html>

As you can see, nothing fancy :)

Now, I thought that the Session variable could be accessed by any page within a given browser instance, but I am obviously wrong.

What do I need to do for Page C (my logout page) to be able to access the session variable?

Any guidance is greatly appreciated!
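The error in the question is what ColdFusion raises when the Session scope has never been created: the scope only exists when session management is enabled, either by `this.sessionManagement = true` in Application.cfc or by a `<cfapplication sessionmanagement="true">` tag on every request. The Application.cfc below is an added example written for this page, not the asker's code; the application name, the list of public pages, the `session.data` sub-struct and the 30-minute timeout are assumptions. It also moves the "is the user logged in" check into `onRequestStart`, so every page under the application is protected without repeating the check in each file.

```cfml
<!--- Application.cfc (added example, not from the original question).
      Without sessionManagement = true every reference to the Session
      scope fails with "variable Session is undefined". --->
<cfcomponent output="false">
    <cfset this.name = "protectedPagesDemo">                  <!--- assumed name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)> <!--- 30 minutes, assumed --->
    <cfset this.setClientCookies = true>                      <!--- CFID/CFTOKEN as cookies --->

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Keep application state in a sub-struct so logout can clear it
              without touching CFID, CFTOKEN or SESSIONID --->
        <cfset session.data = { loggedIn = false, firstName = "" }>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Pages reachable without a login (assumed file names) --->
        <cfset var publicPages = "index.cfm,login.cfm,logout.cfm">
        <cfset var requested = listLast(arguments.targetPage, "/")>

        <cfif NOT listFindNoCase(publicPages, requested)
              AND NOT (structKeyExists(session, "data")
                       AND structKeyExists(session.data, "loggedIn")
                       AND session.data.loggedIn)>
            <!--- Not logged in: send the user back to the form page --->
            <cflocation url="index.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With this in place the asker's Page C can reference `session` safely, and a page such as test.cfm needs no inline check of its own: a request for it by a user whose `session.data.loggedIn` is false is redirected before the page body runs.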

+2  A: 

The Adobe docs recommend against using structClear on the entire session; a better approach would be to make a sub-element of the session named something like session.data and then structClear that. If you do want to make your code work, try saving the key session internals, then restoring them, like this...

<cflock timeout="15" throwontimeout="No" scope="SESSION" type="EXCLUSIVE">
  <cftry>
    <cfscript>
    variables.HoldCFID = session.CFID;
    variables.HoldCFT  = session.CFToken;
    variables.HoldSID  = session.SessionID;
    variables.HoldURLT = session.URLToken;
    structClear(session);
    session.CFID      = HoldCFID;
    session.CFToken   = HoldCFT;
    session.SessionID = HoldSID;
    session.URLToken  = HoldURLT;
    </cfscript>
    <cfcatch type="Any">
      <!--- {If the session struct was cleared without saving the vars first} --->
      <cfset rc = structClear(session)>
      Session Cleared in Catch<br>
    </cfcatch>
  </cftry>
</cflock>

Here is a good writeup with some background on structClearing the session: "structClear and Sessions - Still bad?" from Ray Camden's blog.

Also, your sample shows the classic attack vector for SQL injection; be sure to CFQueryParam your FORM.username and FORM.password :)

kevink
Thanks Kevin. I will give this approach a shot.
noobzilla
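The two points in Kevin's answer, clearing a `session.data` sub-struct instead of the whole scope and binding the form fields with cfqueryparam, fit together in a rewritten Page B and Page C. The code below is an added example, not Kevin's or the asker's; it assumes session management is enabled for the application, a USERS table with USERNAME, PASSWORD and FirstName columns as in the original query, and ColdFusion 10 or later (or Lucee) for `sessionRotate()`. The original query concatenated `FORM.username` and `FORM.password` into the SQL text, so a quote character in either field changes the statement; with cfqueryparam the values travel as bound parameters and the column type and length are enforced by the driver.

```cfml
<!--- login.cfm, the target of the form on Page A (added example) --->
<cfif NOT structKeyExists(form, "username") OR NOT structKeyExists(form, "password")>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<cfquery name="test" datasource="cfdb">
    SELECT FirstName
    FROM   USERS
    WHERE  USERNAME = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
    AND    PASSWORD = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- Make sure the sub-struct exists even if onSessionStart did not create it --->
<cfif NOT structKeyExists(session, "data")>
    <cfset session.data = structNew()>
</cfif>

<cfif test.recordCount EQ 0>
    <!--- Failed login: drop only the application's own keys, then redirect.
          The redirect must come last; nothing after cflocation executes. --->
    <cfset structClear(session.data)>
    <cflocation url="index.cfm" addtoken="no">
<cfelse>
    <!--- Successful login: issue a fresh session identifier before marking the
          session as authenticated (sessionRotate needs ColdFusion 10+ or Lucee,
          an assumption for this example) --->
    <cfset sessionRotate()>
    <cfset session.data.loggedIn = true>
    <cfset session.data.firstName = test.FirstName>
</cfif>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Protected page</title>
</head>
<body>
<p><a href="logout.cfm">Log Out</a></p>
<p>Welcome, <cfoutput>#encodeForHTML(session.data.firstName)#</cfoutput>. This content is protected.</p>
</body>
</html>


<!--- logout.cfm, the asker's Page C rewritten (added example).
      Only the application's keys are cleared; CFID, CFTOKEN and SESSIONID
      stay intact, which is what the answer recommends over clearing the
      whole Session scope. --->
<cfif structKeyExists(session, "data")>
    <cfset structClear(session.data)>
</cfif>
<cflocation url="index.cfm" addtoken="no">
```

Note that the query still compares the submitted password with the stored PASSWORD column exactly as the original does; storing a salted hash and comparing against that is the natural next step once the injection is closed. `encodeForHTML()` on the output is also a ColdFusion 10+/Lucee function; on older servers `htmlEditFormat()` serves the same purpose for the welcome line.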