Aren't there some security issues involved in passing the CFID & CFTOKEN in
the URL? It's been a while now, but I recall one of my co-workers playing
with bookmarking pages, etc. and being able to get in without using the
username / password. My memory is a bit fuzzy on this one, though.
-Allen
----- Original Message -----
From: Byron M <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 13, 2000 11:55 PM
Subject: RE: Am I Missing Something?
> Basically that is correct, you could do it with vars stored in a db, but you
> would still have to add some sort of id to the URL.
>
> We started to put #session.URLToken# to the end of all URLs; this variable
> adds cfid=9394&cftoken=85904830 to the URL.
>
> I just thought of this. If you have session variables that are initialized
> with each session in say an Application.cfm file and users have cookies
> turned off then you are initializing session vars for every page hit for
> that user, and the old ones have to wait to time out. So in actuality you
> will be saving all so precious server resources by passing the id and token
> to every page, which should in turn win you the admiration of your peers and
> a huge raise because those processor and memory upgrade dollars could be
> used elsewhere. :)
>
>
> -----Original Message-----
> From: Eric Dawson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 13, 2000 11:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Am I Missing Something?
>
>
> As far as I know the only way to pass a session from page to page is either
> through a cookie or a url variable. If cookies are turned off you need to
> manually code the CFID and CFTOKEN variables to the URL to ensure you pass
> them from page to page.
>
> Please correct me if I am wrong.
>
> Eric
>
> From: Kelly Matthews <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> Subject: Am I Missing Something?
> Date: Thu, 13 Apr 2000 21:26:31 -0400
>
> Ok I am somewhat new to CF but something doesn't seem to be right.
> I have a section of our site that is secure, for members only. I
> have written the app to write a cookie so they don't have to login in the
> future. That part works fine.
>
> Now I just wanted to see what happened if someone had cookies turned off,
> and of course even you can log in but the minute you try to go to a 2nd page
> it loops back to the log in.
>
> Now before I implemented the cookies I did have session management on set to
> about 30 minutes, which is still on, so people wouldn't have to relog in,
> that worked fine. But with cookies off session management stops working too.
> Does session management work only with cookies?
>
> I tried something else, turned client management on, and used a database for
> clientstorage, instead of the registry or cookies, just to test it out, but
> that didn't keep them logged in either. I must be missing something but isn't
> there a way to open and maintain a session without cookies? I changed
> setclientcookies to "no" but as long as my browser cookies are off I still
> can't get in.
>
> Point is they get logged in and get to the first page after the login page
> but if they try to go anywhere else they get kicked back to the login page,
> which from the app.cfm below leads me to believe it's
> not setting Session.Loggedin, and the only difference is that I turned my
> browser cookies off. Guess I just want to find out if Session.Loggedin HAS
> to be set in a cookie or somewhere can I define it to be set a different
> way. The client variables were however writing to the datasource with no
> problem.
>
> Any help would be appreciated.
> Below is my Application.cfm
> I have tried all 3 client storage methods.
> and with setclientcookies on and off.
>
> <cfapplication name="Members"
> CLIENTSTORAGE="Clients"
> clientmanagement="Yes"
> sessionmanagement="Yes"
> setclientcookies="NO"
> sessiontimeout="#CreateTimeSpan(0,0,30,0)#">
>
> <CFIF NOT IsDefined("Session.LoggedIn")>
> <CFLOCATION URL="login/login.cfm">
> <CFELSEIF Session.loggedin IS "0">
> <CFLOCATION URL="login/login.cfm">
> </cfif>
>
>
> ------------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.
>
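
The concern raised at the top of this thread, that a URL carrying cfid and cftoken keeps working when it is bookmarked or passed along, can be checked for in web server access logs. The following is an added example, not code from any poster in the thread: it flags a CFID/CFTOKEN pair that was presented from more than one client address. The Combined Log Format, the paths and the IP addresses are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip ident user [time] "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def session_pair(url):
    """Return (cfid, cftoken) from a URL's query string, or None if absent."""
    # ColdFusion treats URL variable names case-insensitively, so normalise them.
    params = {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}
    if params.get("cfid") and params.get("cftoken"):
        return params["cfid"], params["cftoken"]
    return None

def shared_sessions(lines):
    """Map each (cfid, cftoken) pair seen from more than one client IP to its IPs."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        pair = session_pair(m.group("url"))
        if pair:
            seen[pair].add(m.group("ip"))
    return {pair: sorted(ips) for pair, ips in seen.items() if len(ips) > 1}

# Constructed sample lines: documentation IP ranges, made-up paths.
SAMPLE = [
    '192.0.2.10 - - [13/Apr/2000:23:40:01 -0400] "GET /members/index.cfm?cfid=9394&cftoken=85904830 HTTP/1.0" 200 5120 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [13/Apr/2000:23:41:12 -0400] "GET /members/news.cfm?CFID=9394&CFTOKEN=85904830 HTTP/1.0" 200 2048 "-" "Mozilla/4.7"',
    '198.51.100.7 - - [13/Apr/2000:23:52:30 -0400] "GET /members/index.cfm?cfid=9394&cftoken=85904830 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [13/Apr/2000:23:53:02 -0400] "GET /members/index.cfm?cfid=9401&cftoken=11223344 HTTP/1.0" 200 5120 "-" "Mozilla/4.7"',
    '203.0.113.5 - - [13/Apr/2000:23:53:40 -0400] "GET /login/login.cfm HTTP/1.0" 200 1024 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    for (cfid, cftoken), ips in shared_sessions(SAMPLE).items():
        print(f"cfid={cfid} cftoken={cftoken} used from {', '.join(ips)}")
```

A hit is a lead rather than proof, since one user behind a proxy pool or a changing dial-up address can also appear under several IPs; compare timestamps and user agents before treating it as a shared session.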