Try this bit of code. I forget who wrote it. Someone on one of the CF lists.
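<!--- Re-send CFID/CFTOKEN with no EXPIRES attribute so they become
      session-only cookies that are discarded when the browser closes --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>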
-Shawn Regan
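A fuller Application.cfm built around the same idea as the snippet above, as an added example that is not part of the original message. It also turns off ColdFusion's automatic client cookies and adds a server-side idle check, which goes beyond what the thread shows; the application name, datasource, `Client.AccessLevel`, `Client.LastActivity` and `login.cfm` are assumed names.

```cfml
<!--- Application.cfm: added example. The application name, datasource,
      Client.AccessLevel, Client.LastActivity and login.cfm are assumed names. --->
<cfapplication name="intranet"
               clientmanagement="Yes"
               clientstorage="intranet_dsn"
               setclientcookies="No">

<!--- setclientcookies="No" stops ColdFusion from writing its own persistent
      CFID/CFTOKEN cookies. Writing them here with no EXPIRES attribute makes
      them browser-session cookies: they are dropped when this browser closes,
      and the client variables stored in the database are left alone. --->
<cfcookie name="CFID" value="#Client.CFID#">
<cfcookie name="CFTOKEN" value="#Client.CFToken#">

<!--- Server-side backstop for a browser that is left open: drop the
      privilege level after an idle period instead of trusting the cookie. --->
<cfset idleLimitMinutes = 60>
<cfif IsDefined("Client.AccessLevel")>
    <cfif NOT IsDefined("Client.LastActivity")>
        <!--- No activity stamp recorded yet: treat the login as stale. --->
        <cfset idleMinutes = idleLimitMinutes + 1>
    <cfelse>
        <cfset idleMinutes = DateDiff("n", Client.LastActivity, Now())>
    </cfif>
    <cfif idleMinutes GT idleLimitMinutes>
        <!--- Remove only the authorization state; the user must log in again. --->
        <cfset removed = DeleteClientVariable("AccessLevel")>
        <cfset removed = DeleteClientVariable("LastActivity")>
        <cflocation url="login.cfm" addtoken="No">
    <cfelse>
        <cfset Client.LastActivity = Now()>
    </cfif>
</cfif>
```

The login page is assumed to set `Client.LastActivity` together with `Client.AccessLevel`, so a fresh login is not treated as stale on the next request.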
-----Original Message-----
From: Todd [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 20, 2002 1:22 PM
To: CF-Community
Subject: Re: Using Client Variables for security
I prefer them too and we are using them in a database. The problem is, some
dude with level 4 access closes the browser without logging off. Someone
comes along within the 1 hour timeout limit and opens the browser and
suddenly has access to level 4 commands, because they hijacked the identity
of the other guy. Now, when the browser closes, I can delete the cookies,
but that would ruin the session for the other browsers that are open in the
site .. this is a bad thing.
Any idea how I can kill Client variable session when closing a browser
without killing all sessions for all browsers?
Todd Ashworth
Macromedia Certified Professional
Web Application Developer
SCD, Inc.
Oak Hill Business Park Suite H
8848 Red Oak Blvd.
Charlotte, NC 28217
704-523-0905 (Voice)
www.scdinc.com
----- Original Message -----
From: "Nick McClure" <[EMAIL PROTECTED]>
To: "CF-Community" <[EMAIL PROTECTED]>
Sent: Wednesday, March 20, 2002 3:27 PM
Subject: Re: Using Client Variables for security
> I like client variables, in fact I prefer them, however I use a Database
> to store the vars in and not cookies.
>
> If you do it that way then the only difference between client and session
> is if they are stored in Web Server ram or the Database. The normal cookies
> will always be there no matter which side you use.
>
> At 03:23 PM 3/20/2002 -0500, you wrote:
> >Does anyone know of any good tutorials/articles about locking down a site
> >that uses Client variables for security? My boss seems to think Session
> >variables are the way to go and wants to go through the headache of
> >converting all of the Client Variables in our rather large intranet to
> >session variables. Obviously, I don't want to do this because I just know
> >about 30 things are going to break. I'm of the opinion that it mostly
> >doesn't matter which I use as long as everything is done right.
> >
> >One of the main concerns he has is what if someone closes the browser
> >without logging off. I gave him a way that could be taken care of. He
> >asked, won't that kill their session on all of the browsers they have open
> >on our site? I said, yep. He said, I don't want that. Anyone have any
> >ideas for me?
> >
> >Todd