Correct me if I am wrong, but I thought it was possible to "hijack" a
session if a user knew another user's cfid and cftoken variables.  I have
seen users' pages get "switched" if a user emails another user a URL to a
page with the cfid and cftoken in the URL line (e.g.
http://mydomain.com/file.cfm?cfid=1234&cftoken=29282928).  Would it be
possible that the one user emailed the other user a link?

I did have a lot of problems with session variables getting switched and
with firewalls with CF 4 -- it has been a while and it could have been a
locking issue at the time -- at any rate, there was a long thread in the CF
forums about this and the only fix that I was able to come up with was to
switch to client variables instead.  You might want to search the CF forums
if the suggestions here didn't fix it for you.

Tim P.

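As an added illustration of the mechanism Tim describes (this is example code, not from the thread and not ColdFusion's own session handling), the model below shows why a session identified by a CFID/CFTOKEN pair that the server will also accept from the URL can be handed to whoever receives a forwarded link, and what a defender can check for in web server logs. The session store, the request shape, the IIS-style log lines and the rule that a URL-borne pair overrides the cookie pair are all constructed assumptions of the model; the pair values are the ones quoted in the message above.

```python
"""
Model of session lookup by CFID/CFTOKEN with two server policies:
accept the pair from the URL query string, or from the cookie only.
Everything here is constructed for illustration (example code, not
ColdFusion internals or code from the mailing-list thread).
"""
from urllib.parse import parse_qs
from http.cookies import SimpleCookie

# Constructed session store keyed by the (CFID, CFTOKEN) pair.
SESSIONS = {
    ("1234", "29282928"): {"user": "alice", "authorized": True},
}


def _pair_from_query(query):
    """Return (cfid, cftoken) from a query string, case-insensitive, or None."""
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    if "cfid" in params and "cftoken" in params:
        return (params["cfid"], params["cftoken"])
    return None


def _pair_from_cookie(cookie_header):
    """Return (cfid, cftoken) from a Cookie header, case-insensitive, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    found = {k.lower(): m.value for k, m in jar.items()}
    if "cfid" in found and "cftoken" in found:
        return (found["cfid"], found["cftoken"])
    return None


def resolve_session(query, cookie_header, accept_url_tokens):
    """Map a request to a stored session, or None (the caller shows the login page).

    Model assumption: when URL tokens are accepted they take precedence over
    the cookie, which is the worst case for a forwarded link.
    """
    pair = _pair_from_query(query) if accept_url_tokens else None
    if pair is None:
        pair = _pair_from_cookie(cookie_header)
    if pair is None:
        return None
    return SESSIONS.get(pair)


# Constructed IIS W3C-style log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINES = [
    "2002-11-06 13:01:52 10.1.1.20 GET /login.cfm - 200",
    "2002-11-06 13:02:11 10.1.1.20 GET /file.cfm cfid=1234&cftoken=29282928 200",
    "2002-11-06 13:03:40 192.0.2.77 GET /file.cfm cfid=1234&cftoken=29282928 200",
    "2002-11-06 13:04:02 192.0.2.77 GET /about.cfm page=2 200",
]


def find_url_session_tokens(lines):
    """Group client IPs by every CFID/CFTOKEN pair that appeared in a query string."""
    seen = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[5] == "-":
            continue
        pair = _pair_from_query(parts[5])
        if pair is not None:
            clients = seen.setdefault(pair, [])
            if parts[2] not in clients:
                clients.append(parts[2])
    return seen


def shared_pairs(hits):
    """Pairs seen in URLs from more than one client: a forwarded or shared link."""
    return [pair for pair, clients in hits.items() if len(clients) > 1]


if __name__ == "__main__":
    link_query = "cfid=1234&cftoken=29282928"
    print("URL accepted :", resolve_session(link_query, "", True))
    print("cookie only  :", resolve_session(link_query, "", False))
    print("shared pairs :", shared_pairs(find_url_session_tokens(LOG_LINES)))
```

With URL tokens accepted, a recipient who opens the emailed link with no cookie of their own lands in alice's session; with the cookie-only policy the same request resolves to no session and gets the password screen. The log scan finds the same pair arriving from two client addresses, which is the trace a forwarded link leaves behind.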

----- Original Message -----
From: "Mark A. Kruger - CFG" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, November 06, 2002 9:40 AM
Subject: Strange occurrence


> One of the guys in my user group works for a firm that is very concerned
> with security.  They recently ran across this situation.  I've offered a
> couple of possible explanations, but I'm interested in any other possible
> explanation:
>
>
> -----------------he wrote-------------------
> I had an occurrence today that was very strange. I have a CF 4.5.1 Server
> running on NT 4.0 using IIS 4.0 with the latest service packs installed. My
> site looks at an incoming request and if they don't already have session
> variables set (cached via cookies for 48 hours) they are given a password
> screen to log in with.
>
> Around 13:00 Central time today a remote user was attempting to log into the
> site. His profile in our database did not have him authorized to log in and
> he was denied access as expected. While speaking with our Service Desk who
> was attempting to log in as him locally his remote display brought up a page
> that would only have been displayed to the local Service Desk technician.
> To the best of my knowledge, there was no password information passed to the
> remote user (he still wasn't authorized at that point in our profile
> database.)
>
> How could he possibly have received a page from our server that belonged to our
> internal technician? The remote user and the local tech are both situated
> behind two different firewalls from the server.
> I am at a total loss, and am hoping that someone may be able to shed some
> light.
> -------------------------------------------
>
>
> I'm thinking he's not getting the full story from the help desk <g>
>
>
> Mark A. Kruger, MCSE, CFG
> www.cfwebtools.com
> www.necfug.com
> mxc.blogspot.com
> ..no more brochures!
>
>
> 
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq